CVE-2026-55446
Published 2026-06-23
Priority: P3 47 · high · 7.5 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS: 0.32% (23.8th percentile)
Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to 1.0.19, an attacker can send a /api/v1/files/upload/ request without any authentication token/cookies and abuse a very long multipart form boundary to make the langflow app unusable for all users for an indefinite amount of time. This vulnerability is fixed in 1.0.19.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| langflow-ai | langflow | < 1.0.19 | 1.0.19 |
| langflow | langflow | < 1.0.19 | 1.0.19 |
| langflow | langflow | >= 0 < 1.0.19 | 1.0.19 |
VulDB
langflow-ai langflow up to 1.0.18 /api/v1/files/upload resource consumption (GHSA-qwqc-p3q8-wcg9)
vuldb·2026-06-24·CVSS 7.5
CVE-2026-55446 [HIGH] langflow-ai langflow up to 1.0.18 /api/v1/files/upload resource consumption (GHSA-qwqc-p3q8-wcg9)
A vulnerability categorized as problematic has been discovered in langflow-ai langflow up to 1.0.18. The impacted element is an unknown function of the file /api/v1/files/upload. Such manipulation leads to resource consumption.
This vulnerability is traded as CVE-2026-55446. The attack may be launched remotely. There is no exploit available.
It is advisable to upgrade the affected component.
GHSA
Langflow: Unauthenticated DoS through multipart form boundary file upload
ghsa·2026-06-19
CVE-2026-55446 [HIGH] CWE-400 Langflow: Unauthenticated DoS through multipart form boundary file upload
### Summary
An attacker can send a `/api/v1/files/upload/` request without any authentication token/cookies and abuse a very long multipart form boundary to make the langflow app unusable for all users for an indefinite amount of time.
### Details
https://github.com/langflow-ai/langflow/blob/v1.0.18/src/backend/base/langflow/api/v1/files.py#L40
The file upload function will try to process the multipart form data even if it is malformed and contains a payload such as an extremely large number of hyphens after the boundary. It also does not perform the authentication check before trying to process this data, so an unauthenticated attacker can do this as well as authenticated users.
Additionally, an attacker doesn't
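A defensive pre-parse guard for the condition described above, as an added example that is not Langflow's code or its 1.0.19 fix: it rejects unauthenticated requests and malformed or oversized multipart headers before any body bytes reach the multipart parser. The names `precheck_upload`, `UploadGuard`, `is_authenticated` and `MAX_UPLOAD_BYTES` are hypothetical, and the size cap is an assumed value.

```python
import re
from email.message import Message

# RFC 2046 section 5.1.1: a boundary is 1-70 characters from this set and must not end in a space.
_BCHARS = re.compile(r"[0-9A-Za-z'()+_,\-./:=? ]{0,69}[0-9A-Za-z'()+_,\-./:=?]")
MAX_UPLOAD_BYTES = 10 * 1024 * 1024  # assumed cap on the declared body size; tune per deployment


def precheck_upload(headers: dict, authenticated: bool) -> int:
    """Return an HTTP status; 200 means the body may be handed to the multipart parser."""
    if not authenticated:  # authentication is decided before any parsing work
        return 401
    msg = Message()
    msg["Content-Type"] = headers.get("content-type", "")
    if msg.get_content_type() != "multipart/form-data":
        return 415
    boundary = msg.get_param("boundary")  # None if absent, tuple if RFC 2231 encoded
    if not isinstance(boundary, str) or not _BCHARS.fullmatch(boundary):
        return 400
    length = headers.get("content-length", "")
    if not length.isdigit():  # assumption: uploads without Content-Length are refused
        return 411
    return 413 if int(length) > MAX_UPLOAD_BYTES else 200


class UploadGuard:
    """ASGI wrapper (hypothetical) that answers bad upload requests without calling receive()."""

    def __init__(self, app, is_authenticated, path="/api/v1/files/upload"):
        self.app, self.is_authenticated, self.path = app, is_authenticated, path

    async def __call__(self, scope, receive, send):
        if scope["type"] == "http" and scope["method"] == "POST" and scope["path"].startswith(self.path):
            headers = {k.decode("latin-1").lower(): v.decode("latin-1") for k, v in scope["headers"]}
            status = precheck_upload(headers, self.is_authenticated(headers))
            if status != 200:
                await send({"type": "http.response.start", "status": status,
                            "headers": [(b"content-length", b"0")]})
                await send({"type": "http.response.body", "body": b""})
                return
        await self.app(scope, receive, send)
```

The header checks only bound what the request declares; upgrading to 1.0.19 remains the fix the advisory names.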
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.