CVE-2026-55447 is a critical-severity security vulnerability in langflow (pip), affecting versions < 1.9.2. It is fixed in 1.9.2.
Summary All components based on BaseFileComponent are vulnerable to the following vulnerability: Docling (DoclingInlineComponent) Docling Serve (DoclingRemoteComponent) Read File (FileComponent) NVIDIA Retriever Extraction (NvidiaIngestComponent) Video File (VideoFileComponent) Unstructured API (UnstructuredComponent) For clarity, from now on I'll only refer to Read File component. The Read File node processes user-controlled files. Example scenario is a RAG chatbot - a system that allows users of an organization to ask questions about documents saved in the organizations. By controlling a files that are digested into the RAG, an attacker can direct the node to read any file on the file-system by absolute path. Using this vulnerability an attacker can acheive RCE: Upload a file that directs the node to read Langflow's secretkey file containing the JWT token secret. This would allow the attacker then to simply task the Chatbot for the JWT secret. Using this secret, the attacker then crafts a JWT token for any user-id, bypassing authentication. Code execution is then trivial - simply create a new flow with "Python Interpreter" node, fill it with arbitrary Python code and execute it. Tested on commit 2d67402b1dbaefcbce85a244d4a6cd5e4bda1cfe Details The vulnerability is in: langflow/src/lfx/src/lfx/base/data/basefile.py Specifically in unpackbundle. This function extracts tar files, which can contain a symlink. This symlink can point to any file in the filesystem. Then, in self.processfiles(), the file pointed by the symlink will be parsed and saved into the RAG. This can be done with unlimited number of symlinks in the same tar which can also be useful in some scenarios. Suggestd fix - iterate over the files and make sure all are regular files or directories. PoC Reproduction: Create a flow with Read File (or any other affected components), and connect its output to some storage such as Chroma DB. Create a symlink pointing to any file. For the above exploit, point the symlink to langflow's JWT token file. Compress this symlink with tar. Upload it to the Read File component. Check the database, or ask a Chatbot connected to this vector database for the contents of the file. Concrete PoC: Flow with RAG ingestion and a Chatbot around it: Vector Store RAG.json Exploit tar: archive.tar.txt (remove .txt, GitHub blocked .tar) Create a file /tmp/trip.docx with any contents in it Ingest the file in the flow above, and ask the Chatbot a question about this file. A demo showing the attack: https://github.com/user-attachments/assets/af00f700-f13f-4eac-848e-8afd11fb9297 In the demo the attacker steals Langflow secret key used to sign JWTs. The second stage of the attack, not shown in the demo, is using this key to sign a JWT token and executing Python code on the server using the Python code interpreter node. Impact Any Langflow user using any of the above mentioned components to ingest user-controlled data is affected. Depending on exact scenario, the user can also be exposed to an RCE risk. Patches Fixed in 1.9.2 via PR #12945. BaseFileComponent.unpack_bundle now rejects symlink and hardlink members (and any non-regular entries) during TAR extraction, with additional defensive symlink filtering during directory recursion and after extraction. Upgrade to 1.9.2 or later. Ori Lahav Security Researcher @ Rubrik Inc.
CVE-2026-55447 has a CVSS score of 9.6 (Critical). The vector is network-reachable, no privileges required, and user interaction required. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment.
A fixed version is available (1.9.2). Upgrading removes the vulnerable code path.
pip
langflow (< 1.9.2)langflow → 1.9.2 (pip)Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter instead of chasing every advisory.
Kodem's runtime-powered SCA identifies whether CVE-2026-55447 is reachable in your applications. Explore open-source security for your team.
See if CVE-2026-55447 is reachable in your applications. Get a demo
Upgrade langflow to 1.9.2 or later to resolve this vulnerability.
Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.
CVE-2026-55447 is a critical-severity security vulnerability in langflow (pip), affecting versions < 1.9.2. It is fixed in 1.9.2.
CVE-2026-55447 has a CVSS score of 9.6 (Critical). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
langflow (pip) versions < 1.9.2 is affected.
Yes. CVE-2026-55447 is fixed in 1.9.2. Upgrade to this version or later.
Whether CVE-2026-55447 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
Upgrade langflow to 1.9.2 or later.