Unpatched Langflow Flaw CVE-2026-5027 Exploited for Unauthenticated RCE

thehackernews.com 2026-06-10 AI supply chain Critical

What Happened

A high-severity unpatched security flaw in Langflow, an open-source low-code platform to build artificial intelligence (AI) applications, has come under active exploitation in the wild, according to findings from VulnCheck. The vulnerability in question is CVE-2026-5027 (CVSS score: 8.8), a case of path traversal that could allow an attacker to write files to arbitrary locations. "The 'POST /

Why It Matters

According to The Hacker News and follow-on coverage, CVE-2026-5027 is a high-severity path traversal flaw in Langflow that allows attackers to write files to arbitrary locations, enabling unauthenticated remote code execution when combined with Langflow’s default auto-login and exposed internet-facing instances.[1][2][3] Reports indicate that thousands of Langflow deployments are accessible online and the vulnerability is under active exploitation in the wild.[1][3]

From a CyberSE.AI perspective, this represents an AI supply chain and platform risk: organizations relying on Langflow to build or host AI applications could have their AI agents and underlying infrastructure compromised, leading to code execution, data exposure, or model tampering if instances are unpatched or misconfigured. Security teams should rapidly inventory Langflow usage, apply any available fixes or compensating controls, restrict exposure of Langflow interfaces, and integrate SBOM-based monitoring and patch management for AI frameworks into their broader supply chain security program.
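One way to carry out the inventory step recommended above, as an added example (not code from The Hacker News, VulnCheck or the Langflow project): it walks a CycloneDX JSON SBOM, including nested components, and lists every Langflow entry. The sample SBOM and the names `walk`, `is_target` and `find_langflow` are constructed for illustration; because the flaw is described as unpatched, every version found is reported rather than compared against a fixed release.

```python
import json

# Constructed CycloneDX-style SBOM; every name and version below is made up.
SAMPLE_SBOM = json.loads("""
{
  "bomFormat": "CycloneDX",
  "metadata": {"component": {"type": "application", "name": "support-bot"}},
  "components": [
    {"type": "library", "name": "requests", "version": "0.0.1",
     "purl": "pkg:pypi/requests@0.0.1"},
    {"type": "container", "name": "agent-runtime", "components": [
      {"type": "library", "name": "langflow", "version": "0.0.0-example",
       "purl": "pkg:pypi/langflow@0.0.0-example"},
      {"type": "library", "name": "Langflow"}
    ]}
  ]
}
""")

TARGET = "langflow"  # assumption: the PyPI distribution name to inventory


def walk(component, trail=()):
    """Yield (component, trail) for a component and everything nested in it."""
    trail = trail + (component.get("name", "?"),)
    yield component, trail
    for child in component.get("components", []):
        yield from walk(child, trail)


def is_target(component):
    """Match on name, or on the purl with version, qualifiers and subpath removed."""
    name = component.get("name", "").lower().replace("_", "-")
    purl = component.get("purl", "").lower()
    purl = purl.split("#")[0].split("?")[0].split("@")[0]
    return name == TARGET or purl == "pkg:pypi/" + TARGET


def find_langflow(sbom):
    """Return every Langflow component in the SBOM, including nested ones."""
    roots = list(sbom.get("components", []))
    top = sbom.get("metadata", {}).get("component")
    if top:
        roots.insert(0, top)
    return [{"path": " > ".join(trail), "version": comp.get("version", "unknown")}
            for root in roots for comp, trail in walk(root) if is_target(comp)]


if __name__ == "__main__":
    for hit in find_langflow(SAMPLE_SBOM):
        print(f"{hit['path']}  version={hit['version']}")
```

Entries reported with version `unknown` still need an owner lookup, since the SBOM alone cannot show what is deployed there.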

Healthcare Fintech SaaS SMB AI startups

CyberSE Analysis

This signal maps to AI supply chain. Organizations using AI agents, LLM APIs, SaaS integrations, or sensitive data workflows should review whether this class of issue could create unauthorized tool execution, data leakage, weak approval gates, or unmanaged supply-chain exposure.

Recommended Actions

  • Restrict AI agent tool permissions and production write paths.
  • Review sensitive data access across prompts, logs, embeddings, memory, and SaaS integrations.
  • Add human approval workflows for high-impact or state-changing actions.
  • Run prompt injection and indirect prompt injection tests against affected workflows.
  • Document the owner, control gap, and remediation deadline for this risk class.

Source

https://thehackernews.com/2026/06/unpatched-langflow-flaw-cve-2026-5027.html