A high-severity vulnerability, tracked as CVE-2026-5027 and rated CVSS 8.8, has been identified in the low-code AI development platform Langflow. The flaw is a path traversal issue: because the 'filename' parameter in API requests is not properly sanitized, an unauthenticated attacker can write files to arbitrary locations on the underlying system.
Once exploited, the arbitrary write can be leveraged to execute arbitrary code, posing a significant risk to the approximately 7,000 Langflow instances reachable from the internet, most of them in North America. The vulnerability was publicly disclosed on March 27 and has already seen active exploitation attempts, illustrating a concerning trend of attacks on tooling for AI application development.
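The root cause described above is a client-supplied filename that is joined to a storage directory without confinement. The following is an added defensive example, not Langflow's code and not the vulnerable handler: it resolves the requested name under an assumed upload root (`/srv/app/uploads`, a placeholder) and refuses anything that would land outside it, including `..` segments, absolute paths, backslash separators and NUL bytes.

```python
from pathlib import Path, PurePosixPath
from typing import Optional

# Assumed storage directory for this example; not Langflow's real upload path.
UPLOAD_ROOT = Path("/srv/app/uploads")


def resolve_upload_path(filename: str, root: Path = UPLOAD_ROOT) -> Optional[Path]:
    """Return the absolute destination for `filename` inside `root`, or None.

    The check is done on the fully resolved path (symlinks and '..' collapsed),
    so "sub/../../x" and "../x" are both rejected while "sub/../x" is allowed
    because it still normalizes to a location under `root`.
    """
    if not filename or "\x00" in filename:
        return None  # empty names and embedded NULs are never valid
    # Treat backslashes as separators too, so Windows-style traversal is caught
    # even when the service itself runs on a POSIX host.
    normalized = filename.replace("\\", "/")
    if PurePosixPath(normalized).is_absolute():
        return None  # absolute paths would ignore the root entirely
    root_resolved = root.resolve()
    candidate = (root_resolved / normalized).resolve()
    try:
        candidate.relative_to(root_resolved)  # raises if candidate escaped root
    except ValueError:
        return None
    if candidate == root_resolved:
        return None  # names like "." that denote the directory itself
    return candidate


def is_safe_upload_name(filename: str, root: Path = UPLOAD_ROOT) -> bool:
    """Boolean convenience wrapper for request validation middleware."""
    return resolve_upload_path(filename, root) is not None


def store_upload(filename: str, data: bytes, root: Path = UPLOAD_ROOT) -> Path:
    """Write `data` only after the destination has been confined to `root`."""
    dest = resolve_upload_path(filename, root)
    if dest is None:
        raise ValueError(f"rejected unsafe filename: {filename!r}")
    dest.parent.mkdir(parents=True, exist_ok=True)
    dest.write_bytes(data)
    return dest
```

The same confinement check belongs on every endpoint that accepts a file name, since normalizing only the upload handler leaves rename, export or template endpoints with the same weakness.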