The Hacker News ·EN News source
Unpatched Langflow Flaw CVE-2026-5027 Exploited for Unauthenticated RCE
CVE Tools coverage
Security researchers report that an unpatched vulnerability in Langflow, an open-source low-code AI application platform, is being exploited in the wild. CVE-2026-5027 (CVSS 8.8) is a path traversal issue that can allow arbitrary file writes via the POST /api/v2/files endpoint, and unauthenticated access can be sufficient to reach the vulnerable code path before exploitation. This matters because it enables remote compromise without valid credentials, adding to a series of active Langflow attacks this year tied to CVE-2026-0770, CVE-2026-33017, CVE-2026-21445, and CVE-2025-34291.