CVE Catalog

CVE-2026-55447

CriticalCVSS 9.6
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.32%

24th percentile — higher than 24% of all known CVEs

Summary

Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to version 1.9.2, an attacker could control files processed by RAG, allowing them to read any file on the file system using an absolute path.

Risk Assessment

Exploitation of this vulnerability could lead to unauthorized access to sensitive data on the server, posing a serious security threat to the organization.

Recommendation

It is recommended to upgrade to version 1.9.2 or later to mitigate this vulnerability and conduct a security audit of the system.

Original NVD description (English source)

Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to 1.9.2, by controlling a files that are digested into the RAG, an attacker can direct the node to read any file on the file-system by absolute path. All components based on BaseFileComponent are vulnerable to the vulnerability. This includes Docling (DoclingInlineComponent), Docling Serve, DoclingRemoteComponent), Read File (FileComponent), NVIDIA Retriever Extraction (NvidiaIngestComponent), Video File (VideoFileComponent), and Unstructured API (UnstructuredComponent). This vulnerability is fixed in 1.9.2.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS