Critical | Vulnerability | Active

Langflow Unauthenticated File Upload – Disk Exhaustion and Path Disclosure

The `/api/v1/upload/{flow_id}` endpoint in Langflow lacks authentication and input validation, allowing unauthenticated attackers to exhaust server disk space and extract absolute file paths for further reconnaissance.

Sebastion

CVE References

Affected

Langflow (up to commit 2d67402b1dbaefcbce85a244d4a6cd5e4bda1cfe)

Vulnerability Description

The `/api/v1/upload/{flow_id}` endpoint implements an unauthenticated POST handler for arbitrary file uploads. The vulnerability stems from two distinct flaws: (1) missing authentication checks – the route accepts requests without credential validation, and (2) absent authorization logic – there is no verification that the requesting user owns or has permission to upload to a given `flow_id`. The endpoint directly passes the UUID parameter to the `save_uploaded_file()` function without sanitization. This is classified as an Authentication Bypass + Unrestricted File Upload vulnerability (CWE-434, CWE-306). The impact is two-fold: attackers can perform disk space exhaustion (DoS) by uploading large or numerous files, and the response leaks the absolute file path of uploaded content, enabling information disclosure that aids in chaining to local file inclusion or path traversal attacks.

PoC Significance

The provided PoC demonstrates that any network-accessible instance is exploitable with minimal effort—only a valid UUID string and network access are required. The curl example proves that arbitrary UUIDs are accepted, suggesting no validation of flow_id ownership. The response payload containing absolute paths (e.g., /Users/ori/Library/Caches/langflow/...) confirms information leakage. This PoC is highly reliable and requires no authentication tokens, session cookies, or prior knowledge of valid flow IDs. The vulnerability is trivial to exploit at scale; an attacker can rapidly fill disk with a loop of large file uploads, causing service degradation or complete unavailability.

Detection Guidance

Log Indicators:

  • HTTP POST requests to /api/v1/upload/* endpoints from unauthenticated sessions (no Authorization header or invalid/missing tokens).
  • Multiple rapid upload requests from the same source IP within short time windows.
  • Error logs indicating disk space warnings or "no space left on device" errors correlating with upload activity.
  • Filesystem audit logs showing files written to the langflow cache directory by unauthorized processes.

YARA/Signature Rules:

  • Alert on HTTP POST patterns matching /api/v1/upload/[0-9a-f\-]{36} (UUID regex) without prior authentication event.
  • Monitor for Content-Length headers >100MB on upload requests (anomalously large payloads).
  • Network IDS rule: flag repeated POST requests to the upload endpoint from single source IP at >10 requests/minute.
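
The log indicators and signature thresholds above, applied to access-log records in Python. This is an added example, not code from the original advisory or from the Langflow project. The JSON field names (`ts`, `src`, `method`, `path`, `has_auth`, `length`) and the sample records are constructed assumptions; map them to whatever your reverse proxy actually logs.

```python
import json
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Thresholds taken from the guidance above.
UPLOAD_RE = re.compile(r"^/api/v1/upload/[0-9a-fA-F-]{36}/?$")
MAX_BYTES = 100 * 1024 * 1024   # Content-Length above 100MB
MAX_PER_MINUTE = 10             # more than 10 uploads/minute per source IP

def sample_log():
    """Constructed records; the JSON field names are assumptions."""
    path = "/api/v1/upload/00000000-0000-4000-8000-000000000001"
    rows = [{"ts": f"2024-01-01T10:00:{i * 5:02d}", "src": "198.51.100.7",
             "method": "POST", "path": path, "has_auth": False, "length": 1024}
            for i in range(11)]
    rows.append({"ts": "2024-01-01T10:05:00", "src": "203.0.113.9", "method": "POST",
                 "path": path, "has_auth": True, "length": 200 * 1024 * 1024})
    rows.append({"ts": "2024-01-01T10:06:00", "src": "192.0.2.5", "method": "GET",
                 "path": "/api/v1/flows", "has_auth": False, "length": 0})
    return [json.dumps(r) for r in rows] + ["truncated, not JSON"]

def detect(lines):
    """Return (source_ip, rule) alerts for upload-endpoint requests."""
    alerts = []
    recent = defaultdict(deque)          # source IP -> upload timestamps in last minute
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue                     # skip damaged log lines
        if rec.get("method") != "POST" or not UPLOAD_RE.match(rec.get("path", "")):
            continue
        src, ts = rec["src"], datetime.fromisoformat(rec["ts"])
        if not rec.get("has_auth"):
            alerts.append((src, "unauthenticated-upload"))
        if int(rec.get("length", 0)) > MAX_BYTES:
            alerts.append((src, "oversized-upload"))
        window = recent[src]
        window.append(ts)
        while ts - window[0] > timedelta(minutes=1):
            window.popleft()
        if len(window) == MAX_PER_MINUTE + 1:   # fire once when the rate is crossed
            alerts.append((src, "upload-burst"))
    return alerts

if __name__ == "__main__":
    for alert in detect(sample_log()):
        print(alert)
```

The burst rule fires once per crossing of the per-minute threshold rather than on every subsequent request, which keeps alert volume manageable during a sustained flood.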

Mitigation Steps

Immediate Actions:

  1. Disable the endpoint until patched by setting the route handler to return HTTP 403 Forbidden or by removing the route entirely.
  2. Implement authentication on the /api/v1/upload/{flow_id} endpoint—require valid JWT, API key, or session token.
  3. Add authorization checks—verify that the requesting user has ownership or explicit permission for the target flow_id before accepting uploads.
  4. Implement file upload limits:
    • Set maximum file size per upload (e.g., 50MB).
    • Set maximum total upload quota per user/flow (e.g., 1GB per flow).
    • Enforce rate limiting (e.g., 5 uploads per minute per IP).
  5. Sanitize response output—return only the filename or relative path, never absolute paths.
  6. Update to the patched version when available from the Langflow project.

Configuration Hardening:

  • Configure filesystem quotas on the directory where uploads are stored to prevent full-disk DoS.
  • Enable audit logging on the upload cache directory.
  • Run Langflow with minimal filesystem permissions (non-root user).

Risk Assessment

Likelihood of Exploitation: Very High. The vulnerability requires zero authentication and is trivial to exploit; any actor with network access can trigger it. Public disclosure via GitHub advisories and CVE assignment increases exposure. Langflow is deployed in production by AI/ML teams; attackers can identify instances via network scanning or Shodan queries.

Threat Actor Interest: High. DoS and information disclosure are foundational techniques in reconnaissance campaigns. Threat actors targeting ML pipelines, data exfiltration, or service disruption will prioritize this. Ransomware operators may use disk exhaustion to disrupt backups or force recovery payments. The path disclosure aids in chaining to local file inclusion or SSRF attacks.

Exploitation in the Wild: Expect rapid exploitation once the PoC becomes widely known. The low barrier to entry makes this attractive for automated scanners and script kiddies. Organizations running outdated Langflow versions are at immediate risk.