CVE-2026-42867 is a medium-severity path traversal vulnerability in langflow (pip), affecting versions <= 1.8.4. It is fixed in 1.9.0.
Summary Langflow is vulnerable to Path Traversal in the Knowledge Bases API (POST /api/v1/knowledgebases). This occurs because user-supplied knowledge base names are used directly to create file paths without proper sanitization or containment checks. An authenticated attacker can exploit this flaw to create directories and write files anywhere on the server's filesystem. Details The vulnerability exists in the createknowledgebase function within src/backend/base/langflow/api/v1/knowledgebases.py. This function constructs file paths directly from the user-supplied name field without sanitization. The value is concatenated with the user's base directory and passed directly to kbpath.mkdir(). Immediately following the directory creation, the application writes embeddingmetadata.json and schema.json into this attacker-controlled path. PoC (Proof of Concept) For the Create endpoint, an attacker can supply traversal sequences or absolute paths in the name field: ../victimuser/evilkb or /tmp/pwned This forces kbpath.mkdir() to create directories and write specific application files (embeddingmetadata.json and schema.json) at any reachable path on the server. Impact Any Langflow instance exposing this endpoint to authenticated users is vulnerable. This exposes the server to: Cross-user data compromise: Creation of directories and files within another tenant's knowledge base space. Arbitrary filesystem manipulation: Directory creation at any path on the server where the application has write permissions (e.g., /app/data). Data overwrite: Overwriting existing embeddingmetadata.json and schema.json files in attacker-targeted paths, potentially corrupting existing knowledge bases. Fixes The issue was addressed in PR #12337. The fix introduces the validatekbpathcontainment() helper function, which uses Path.isrelative_to() instead of startswith() to enforce strict path boundaries and prevent prefix-ambiguity bugs. This helper is applied before any filesystem operations. Regression tests were added to verify that traversal payloads return a 403 Forbidden. Acknowledgements Thanks to the security researchers who responsibly disclosed this vulnerability: @ddlxstudio @nekros1xx
Input manipulates file paths to reach files outside the intended directory, such as configuration or credential files. Typical impact: unauthorized file read or write outside the intended directory.
CVE-2026-42867 has a CVSS score of 6.5 (Medium). The vector is network-reachable, no privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment.
A fixed version is available (1.9.0). Upgrading removes the vulnerable code path.
pip
langflow (<= 1.8.4)langflow → 1.9.0 (pip)Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter instead of chasing every advisory.
Kodem's runtime-powered SCA identifies whether CVE-2026-42867 is reachable in your applications. Explore open-source security for your team.
See if CVE-2026-42867 is reachable in your applications. Get a demo
Upgrade langflow to 1.9.0 or later to resolve this vulnerability.
Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.
CVE-2026-42867 is a medium-severity path traversal vulnerability in langflow (pip), affecting versions <= 1.8.4. It is fixed in 1.9.0. Input manipulates file paths to reach files outside the intended directory, such as configuration or credential files.
CVE-2026-42867 has a CVSS score of 6.5 (Medium). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
langflow (pip) versions <= 1.8.4 is affected.
Yes. CVE-2026-42867 is fixed in 1.9.0. Upgrade to this version or later.
Whether CVE-2026-42867 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
Upgrade langflow to 1.9.0 or later.