GHSA-79ph-745m-6wxq

Source

https://github.com/advisories/GHSA-79ph-745m-6wxq

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-79ph-745m-6wxq/GHSA-79ph-745m-6wxq.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-79ph-745m-6wxq

Aliases

CVE-2026-42867

Published

2026-06-16T17:35:09Z

Modified

2026-06-16T17:45:35.019676094Z

Severity

6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L CVSS Calculator

Summary

Langflow: Path Traversal in Knowledge Bases API via Creation Endpoint

Details

Summary

Langflow is vulnerable to Path Traversal in the Knowledge Bases API (POST /api/v1/knowledge_bases). This occurs because user-supplied knowledge base names are used directly to create file paths without proper sanitization or containment checks. An authenticated attacker can exploit this flaw to create directories and write files anywhere on the server's filesystem.

Details

The vulnerability exists in the create_knowledge_base function within src/backend/base/langflow/api/v1/knowledge_bases.py.

This function constructs file paths directly from the user-supplied name field without sanitization. The value is concatenated with the user's base directory and passed directly to kb_path.mkdir(). Immediately following the directory creation, the application writes embedding_metadata.json and schema.json into this attacker-controlled path.

PoC (Proof of Concept)

For the Create endpoint, an attacker can supply traversal sequences or absolute paths in the name field:

../victim_user/evil_kb or /tmp/pwned

This forces kb_path.mkdir() to create directories and write specific application files (embedding_metadata.json and schema.json) at any reachable path on the server.

Impact

Any Langflow instance exposing this endpoint to authenticated users is vulnerable. This exposes the server to: * Cross-user data compromise: Creation of directories and files within another tenant's knowledge base space. * Arbitrary filesystem manipulation: Directory creation at any path on the server where the application has write permissions (e.g., /app/data). * Data overwrite: Overwriting existing embedding_metadata.json and schema.json files in attacker-targeted paths, potentially corrupting existing knowledge bases.

Fixes

The issue was addressed in PR #12337. The fix introduces the _validate_kb_path_containment() helper function, which uses Path.is_relative_to() instead of startswith() to enforce strict path boundaries and prevent prefix-ambiguity bugs. This helper is applied before any filesystem operations. Regression tests were added to verify that traversal payloads return a 403 Forbidden.

Acknowledgements

Thanks to the security researchers who responsibly disclosed this vulnerability: * @ddlxstudio * @nekros1xx

Database specific

{
    "nvd_published_at": null,
    "github_reviewed_at": "2026-06-16T17:35:09Z",
    "github_reviewed": true,
    "severity": "MODERATE",
    "cwe_ids": [
        "CWE-22"
    ]
}

References

Affected packages

PyPI / langflow

Package

Name: langflow; View open source insights on deps.dev
Purl: pkg:pypi/langflow

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.9.0

Affected versions

0.*

0.0.31

0.0.32

0.0.33

0.0.40

0.0.44

0.0.45

0.0.46

0.0.52

0.0.53

0.0.54

0.0.55

0.0.56

0.0.57

0.0.58

0.0.61

0.0.62

0.0.63

0.0.64

0.0.65

0.0.66

0.0.67

0.0.68

0.0.69

0.0.70

0.0.71

0.0.72

0.0.73

0.0.74

0.0.75

0.0.76

0.0.78

0.0.79

0.0.80

0.0.81

0.0.83

0.0.84

0.0.85

0.0.86

0.0.87

0.0.88

0.0.89

0.1.0

0.1.2

0.1.3

0.1.4

0.1.5

0.1.6

0.1.7

0.2.0

0.2.1

0.2.2

0.2.3

0.2.4

0.2.5

0.2.6

0.2.7

0.2.8

0.2.9

0.2.10

0.2.11

0.2.12

0.2.13

0.3.0

0.3.1

0.3.2

0.3.3

0.3.4

0.4.0

0.4.1

0.4.2

0.4.3

0.4.4

0.4.5

0.4.6

0.4.7

0.4.8

0.4.9

0.4.10

0.4.11

0.4.12

0.4.14

0.4.15

0.4.16

0.4.17

0.4.18

0.4.19

0.4.20

0.4.21

0.5.0a0

0.5.0a1

0.5.0a2

0.5.0a3

0.5.0a4

0.5.0a5

0.5.0a6

0.5.0b0

0.5.0b2

0.5.0b3

0.5.0b4

0.5.0b5

0.5.0b6

0.5.0

0.5.1

0.5.2

0.5.3

0.5.4

0.5.5

0.5.6

0.5.7

0.5.8

0.5.9

0.5.10

0.5.11

0.5.12

0.6.0rc1

0.6.0

0.6.1

0.6.2

0.6.3a0

0.6.3a1

0.6.3a2

0.6.3a3

0.6.3a4

0.6.3a5

0.6.3a6

0.6.3a7

0.6.3

0.6.4a0

0.6.4a1

0.6.4

0.6.5a0

0.6.5a1

0.6.5a2

0.6.5a3

0.6.5a4

0.6.5a5

0.6.5a6

0.6.5a7

0.6.5a8

0.6.5a9

0.6.5a10

0.6.5a11

0.6.5a12

0.6.5a13

0.6.5

0.6.6

0.6.7a1

0.6.7a2

0.6.7a3

0.6.7a5

0.6.7

0.6.8

0.6.9

0.6.10

0.6.11

0.6.12

0.6.14

0.6.15

0.6.16

0.6.17

0.6.18

0.6.19

1.*

1.0.0a0

1.0.0a1

1.0.0a2

1.0.0a3

1.0.0a4

1.0.0a5

1.0.0a6

1.0.0a7

1.0.0a8

1.0.0a9

1.0.0a10

1.0.0a11

1.0.0a12

1.0.0a13

1.0.0a14

1.0.0a15

1.0.0a17

1.0.0a18

1.0.0a19

1.0.0a20

1.0.0a21

1.0.0a22

1.0.0a23

1.0.0a24

1.0.0a25

1.0.0a26

1.0.0a27

1.0.0a28

1.0.0a29

1.0.0a30

1.0.0a31

1.0.0a32

1.0.0a33

1.0.0a34

1.0.0a35

1.0.0a36

1.0.0a37

1.0.0a38

1.0.0a39

1.0.0a40

1.0.0a41

1.0.0a42

1.0.0a43

1.0.0a44

1.0.0a45

1.0.0a46

1.0.0a47

1.0.0a48

1.0.0a49

1.0.0a50

1.0.0a51

1.0.0a52

1.0.0a53

1.0.0a55

1.0.0a56

1.0.0a57

1.0.0a58

1.0.0a59

1.0.0a60

1.0.0a61

1.0.0rc0

1.0.0rc1

1.0.0

1.0.1

1.0.2

1.0.3

1.0.4

1.0.5

1.0.6

1.0.7

1.0.8

1.0.9

1.0.10

1.0.11

1.0.12

1.0.13

1.0.14

1.0.15

1.0.16

1.0.17

1.0.18

1.0.19

1.0.19.post1

1.0.19.post2

1.1.0

1.1.1

1.1.2

1.1.3

1.1.4

1.1.4.post1

1.2.0

1.3.0

1.3.1

1.3.2

1.3.3

1.3.4

1.4.0

1.4.1

1.4.2

1.4.3

1.5.0

1.5.0.post1

1.5.0.post2

1.5.1

1.6.0

1.6.1

1.6.2

1.6.3

1.6.4

1.6.5

1.6.6

1.6.7

1.6.8

1.6.9

1.7.0

1.7.1

1.7.2

1.7.3

1.8.0rc0

1.8.0rc1

1.8.0rc2

1.8.0rc3

1.8.0rc4

1.8.0rc5

1.8.0rc6

1.8.0

1.8.1

1.8.2

1.8.3rc0

1.8.3

1.8.4

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-79ph-745m-6wxq/GHSA-79ph-745m-6wxq.json"

last_known_affected_version_range

"<= 1.8.4"