A critical path traversal vulnerability (CVE-2026-42048) was disclosed in Langflow's Knowledge Bases API on 2026-05-05 (OSV advisory).
signal brief
A critical path traversal vulnerability (CVE-2026-42048) was disclosed in Langflow's Knowledge Bases API on 2026-05-05 (OSV advisory). The advisory rates it as severe, and it could allow unauthorized file access. Langflow has since published further PyPI releases (1.9.5 on 2026-05-29, 1.9.6rc0 on 2026-06-01, 1.9.6 on 2026-06-02), but the release notes do not explicitly mention a fix. The vulnerability undermines trust in Langflow for production AI workflows, especially given its marketing emphasis on an 'enterprise-grade, secure cloud platform' (Langflow IR snapshot). Users relying on Langflow for sensitive data processing face immediate risk. The lack of a confirmed patch weeks after disclosure is concerning and likely drives developer ecosystem drift away from Langflow.
Decision support, not stock advice. This signal is research with cited evidence — not a recommendation to buy, sell, or hold any security.