CVE-2026-33309 - Vulnerability Analysis
Critical | CVSS: 9.9 | Last Updated: March 24, 2026
Langflow - Arbitrary File Write & Remote Code Execution
Published: March 24, 2026 | Updated: March 24, 2026 | Remote Exploitable
Overview
Langflow 1.2.0 through 1.8.1 contains an arbitrary file write vulnerability caused by a bypass of filename validation in LocalStorageService. Authenticated attackers can write files anywhere on the host, leading to remote code execution.
Severity & Score
Severity: Critical
CVSS Score: 9.9
Impact
Authenticated attackers can write arbitrary files on the host, potentially leading to remote code execution and full system compromise.
Mitigation
Upgrade to version 1.9.0 or later.
Details
- CVE ID: CVE-2026-33309
- Severity: Critical
- CVSS Score: 9.9
- Type: unrestricted_file_upload
- Status: unconfirmed
CWE
- CWE-22
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H