CVE-2026-48520
Published 2026-06-23. CVE-2026-48520: Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to 1.10.0, the "Shareable Playground" (or "Public Flows" in code) contains…
Priority: P433, medium. CVSS 3.1 base score: 6.1
Vector: AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N
EPSS: 0.25% (16.1th percentile)
Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to 1.10.0, the "Shareable Playground" (or "Public Flows" in code) contains a potential arbitrary file-read vulnerability, depending on the exact flow configuration used. By making a flow public, public execution of the flow is allowed. The execution request can contain a list of files that gets read by Langflow and fed into the LLM. The file paths can be any path supported by the storage: either a local file or an S3 path, if supported by the local configuration. This vulnerability is fixed in 1.10.0.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| langflow-ai | langflow | < 1.10.0 | 1.10.0 |
| langflow | langflow | < 1.10.0 | 1.10.0 |
| langflow | langflow | >= 0 < 1.10.0 | 1.10.0 |
VulDB
langflow-ai langflow up to 1.9.x file inclusion (GHSA-rcjh-r59h-gq37)
vuldb·2026-06-23·CVSS 6.1
CVE-2026-48520 [MEDIUM] langflow-ai langflow up to 1.9.x file inclusion (GHSA-rcjh-r59h-gq37)
A vulnerability classified as problematic has been found in langflow-ai langflow up to 1.9.x. This vulnerability affects unknown code. The manipulation leads to file inclusion.
This vulnerability is tracked as CVE-2026-48520. The attack can be carried out remotely. No exploit exists.
It is recommended to upgrade the affected component.
GHSA
Langflow: Unauthenticated Shareable Playground arbitrary local or S3 file read
ghsa·2026-06-16
CVE-2026-48520 [MEDIUM] CWE-73 Langflow: Unauthenticated Shareable Playground arbitrary local or S3 file read
### Summary
The "Shareable Playground" (or "Public Flows" in code) contains a potential arbitrary file-read vulnerability, depending on the exact flow configuration used.
By making a flow public, public execution of the flow is allowed. The execution request can contain a list of files that gets read by Langflow and fed into the LLM.
The file paths can be any path supported by the storage: either a local file or an *S3 path*, if supported by the local configuration.
### Details
The Shareable Playground feature works by letting unauthenticated users execute workflows by accessing a link.
Specifically, it enables the route `/api/v1/build_public_tmp` to execute any public flow, given a public flo
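The advisory's root cause is CWE-73 (external control of a file name or path): a request to a publicly executable flow names the files the server reads, and those names are trusted. The following is an added defensive example written for this page, not Langflow's own code and not the 1.10.0 fix; it shows the check a flow-execution endpoint should apply before reading any caller-supplied file reference. The names `allowlist_files`, `check_local`, `check_s3`, `FileRef`, `ALLOWED_ROOT`, `ALLOWED_BUCKET`, `ALLOWED_PREFIX` and the sample request list are all assumptions made for the example.

```python
"""
Added example (not Langflow project code): resolve each file reference in an
execution request against an allowlisted local root or S3 bucket/prefix and
reject anything that escapes it. All names and values here are hypothetical.
"""
from __future__ import annotations

import posixpath
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed configuration: the only locations a public flow may read from.
ALLOWED_ROOT = "/var/lib/langflow/uploads"  # hypothetical upload directory
ALLOWED_BUCKET = "flow-uploads"             # hypothetical S3 bucket
ALLOWED_PREFIX = "public/"                  # hypothetical key prefix


@dataclass(frozen=True)
class FileRef:
    """A validated reference: scheme is "file" or "s3"; location is the
    normalized absolute local path or "bucket/key"."""
    scheme: str
    location: str


def check_local(path_str: str, root: str = ALLOWED_ROOT) -> FileRef | None:
    """Accept a local path only if it normalizes to a location strictly
    inside `root`. The check is purely lexical (no filesystem access), so
    '..' segments and absolute paths cannot escape the root. Symlinks are
    not resolved here; a deployment must also realpath() at open time."""
    root = posixpath.normpath(root)
    # posixpath.join discards `root` when path_str is absolute, which is
    # exactly why the containment test below is needed.
    candidate = posixpath.normpath(posixpath.join(root, path_str))
    if candidate == root or not candidate.startswith(root + "/"):
        return None
    return FileRef("file", candidate)


def check_s3(uri: str, bucket: str = ALLOWED_BUCKET,
             prefix: str = ALLOWED_PREFIX) -> FileRef | None:
    """Accept an s3:// URI only for the allowed bucket and key prefix.
    The key is normalized first so 'public/../private/x' is seen as
    'private/x' and rejected by the prefix test."""
    parsed = urlparse(uri)
    if parsed.scheme != "s3" or parsed.netloc != bucket:
        return None
    key = posixpath.normpath(parsed.path.lstrip("/"))
    if key == ".." or key.startswith("../") or not key.startswith(prefix):
        return None
    return FileRef("s3", f"{bucket}/{key}")


def allowlist_files(requested: list[str]) -> tuple[list[FileRef], list[str]]:
    """Split a request's file list into accepted references and the raw
    inputs that were rejected (useful for logging and for failing the
    request closed rather than silently dropping entries)."""
    accepted: list[FileRef] = []
    rejected: list[str] = []
    for ref in requested:
        checked = check_s3(ref) if ref.startswith("s3://") else check_local(ref)
        if checked is None:
            rejected.append(ref)
        else:
            accepted.append(checked)
    return accepted, rejected


# Constructed sample: what the file list of an execution request might
# contain. This is illustrative input, not a captured request.
SAMPLE_REQUEST_FILES = [
    "report.pdf",
    "sub/notes.txt",
    "../../../etc/passwd",
    "/etc/passwd",
    "s3://flow-uploads/public/data.csv",
    "s3://flow-uploads/public/../private/keys.txt",
    "s3://other-bucket/public/data.csv",
]

if __name__ == "__main__":
    ok, bad = allowlist_files(SAMPLE_REQUEST_FILES)
    for ref in ok:
        print("accept", ref.scheme, ref.location)
    for raw in bad:
        print("reject", raw)
```

A flow-execution handler would run this before any read and fail the whole request if `rejected` is non-empty; logging the rejected strings gives a detection signal for traversal attempts against a public flow. The lexical check is deliberately filesystem-independent so it is cheap and deterministic, but it must be paired with a realpath check at open time when the upload directory may contain symlinks.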
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2026-06-23