Langflow: DoS Through Lack of File Size Restriction via Deprecated Unauthenticated File Upload API

GHSA-vvfc-fp59-m92g · CVE-2026-6596

Published Apr 20, 2026 · Modified May 5, 2026

Description

A security flaw has been discovered in langflow-ai langflow up to 1.1.0. This issue affects the function create_upload_file of the file src/backend/base/Langflow/api/v1/endpoints.py of the component API Endpoint. The manipulation results in unrestricted upload. It is possible to launch the attack remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2026-6596
WEB https://github.com/langflow-ai/langflow/commit/b5662446bc8c54d928e278d3d26ad95b62425815
WEB https://gist.github.com/chenhouser2025/c2aabfdee41009cfe45d28a9924742a0
WEB https://vuldb.com/submit/791919
WEB https://vuldb.com/vuln/358231
WEB https://vuldb.com/vuln/358231/cti

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes