signal brief
A security advisory published May 5, 2026 (OSV) discloses CVE-2026-42048, a path traversal vulnerability in Langflow's Knowledge Bases API (OSV advisory). The flaw could allow attackers to read arbitrary files on the server, impacting users who deploy Langflow with the Knowledge Bases feature. The advisory notes that the vulnerability affects Langflow versions prior to a yet-to-be-disclosed patch. Despite active development (PyPI releases 1.9.4, 1.9.5, and release candidate 1.9.6rc0 in late May 2026), the security issue remains unaddressed in the stable channel.

This lowers trust in Langflow's security posture for production deployments, especially among enterprises evaluating it for AI workflow automation. The risk is amplified by Langflow's marketing as a tool for "production" and "enterprise-grade cloud" deployment, as seen on its landing page (Langflow IR snapshot). Until a fix is issued, Langflow users should exercise caution. This incident signals a potential slowdown in enterprise adoption.
Decision support, not stock advice. This signal is research with cited evidence — not a recommendation to buy, sell, or hold any security.