CVE-2026-6596
published 2026-04-20
CVE-2026-6596: A security flaw has been discovered in langflow-ai langflow up to 1.1.0. This issue affects the function create_upload_file of the file…
Priority P3 51 | high 7.3 CVSS 3.1
AV:N AC:L PR:N UI:N S:U C:L I:L A:L
EPSS: 0.28% (20.1th percentile)
A security flaw has been discovered in langflow-ai langflow up to 1.1.0. This issue affects the function create_upload_file of the file src/backend/base/Langflow/api/v1/endpoints.py of the component API Endpoint. The manipulation results in unrestricted upload. It is possible to launch the attack remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| langflow-ai | langflow | — | — |
| langflow-ai | langflow | — | — |
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.3 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L |
| nvd | v4.0 | 5.5 | MEDIUM | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
GHSA
Langflow: DoS Through Lack of File Size Restriction via Deprecated Unauthenticated File Upload API
ghsa·2026-04-20
CVE-2026-6596 [MEDIUM] CWE-284 Langflow: DoS Through Lack of File Size Restriction via Deprecated Unauthenticated File Upload API
GHSA
GHSA-vvfc-fp59-m92g: A security flaw has been discovered in langflow-ai langflow up to 1
ghsa_unreviewed·2026-04-20
CVE-2026-6596 [MEDIUM] CWE-284 GHSA-vvfc-fp59-m92g: A security flaw has been discovered in langflow-ai langflow up to 1
VulDB
langflow-ai langflow up to 1.1.0 API Endpoint endpoints.py create_upload_file unrestricted upload
vuldb·2026-04-19
CVE-2026-6596 [CRITICAL] langflow-ai langflow up to 1.1.0 API Endpoint endpoints.py create_upload_file unrestricted upload
A vulnerability described as critical has been identified in langflow-ai langflow up to 1.1.0. This issue affects the function create_upload_file of the file src/backend/base/Langflow/api/v1/endpoints.py of the component API Endpoint. The manipulation results in unrestricted upload.
This vulnerability is known as CVE-2026-6596. It is possible to launch the attack remotely. Furthermore, an exploit is available.
The vendor was contacted early about this disclosure but did not respond in any way.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2026-04-20