Get a Demo

Let's Patch It!

Book a short call with one our specialists, we'll walk you through how Endor Patches work, and ask you a few questions about your environment (like your primary programming languages and repository management). We'll also send you an email right after you fill out the form, feel free to reply with any questions you have in advance!

CVE

CVE-2026-42048

Langflow Knowledge Bases API is Vulnerable to Path Traversal
Back to all
CVE

CVE-2026-42048

Langflow Knowledge Bases API is Vulnerable to Path Traversal

Summary

Langflow is vulnerable to Path Traversal in the Knowledge Bases API (DELETE /api/v1/knowledge_bases). This occurs because user-supplied knowledge base names are concatenated directly into file paths without proper sanitization or boundary validation. An authenticated attacker can exploit this flaw to delete arbitrary directories anywhere on the server's filesystem, leading to data loss and potential service disruption.

Details

The vulnerability exists in the deleteknowledgebases_bulk function within src/backend/base/langflow/api/v1/knowledge_bases.py

This function constructs file paths directly from the user-supplied kb_names parameter. While other knowledge base endpoints safely route through standard path resolution (e.g., resolvekb_path()), the bulk delete handler bypasses this entirely. It builds the path manually and passes it directly to shutil.rmtree() without validating if the resulting path resolves outside the intended user directory.

PoC (Proof of Concept)

For the Bulk Delete endpoint, an authenticated attacker can supply a traversal sequence in the kb_names parameter:

../victimuser/kbname

Because the path is passed directly to shutil.rmtree() without containment checks, this payload deletes directories outside the intended scope.

Impact

Any Langflow instance exposing this endpoint to authenticated users is vulnerable. This exposes the server to:

  • Cross-user data compromise: Deletion of directories within another tenant's knowledge base space.
  • Arbitrary filesystem manipulation: Directory deletion at any path on the server where the application has write permissions.
  • Service disruption & Data Loss: Deletion of critical application files or unrecoverable data loss if backups are co-located on the same filesystem.

Fixes

The issue was addressed in PR #12243, which applies Path.resolve() to normalize the supplied path and validates that it starts with the authenticated user's directory before deletion. Subsequent updates (backported from PR #12337) introduced robust containment checks using Path.isrelativeto() to prevent prefix-ambiguity bugs.

Acknowledgements

Thanks to the security researchers who responsibly disclosed this vulnerability:

  • @ddlxstudio
  • @nekros1xx

Package Versions Affected

Package Version
patch Availability
No items found.

Automatically patch vulnerabilities without upgrading

Fix Without Upgrading
Detect compatible fix
Apply safe remediation
Fix with a single pull request

CVSS Version

Severity
Base Score
CVSS Version
Score Vector
C
H
U
-
C
H
U
0
-
3.1
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:H
C
H
U
-

Related Resources

No items found.

References

https://github.com/langflow-ai/langflow/security/advisories/GHSA-9whx-c884-c68q, https://github.com/langflow-ai/langflow

Severity

9.6

CVSS Score
0
10

Basic Information

Ecosystem
Base CVSS
9.6
EPSS Probability
0%
EPSS Percentile
0%
Introduced Version
0
Fix Available
1.9.0

Fix Critical Vulnerabilities Instantly

Secure your app without upgrading.
Fix Without Upgrading