Last updated: July 5, 2026 at 9:01 AM UTC
All 557 Vulnerability 199 Breach 106 Threat 245 Defense 7
Tag: path-traversal (2 articles)Clear

Attackers exploit unpatched Langflow flaw for unauthenticated code execution

VulnCheck reports that attackers are actively exploiting an unpatched flaw in Langflow, a popular open-source platform for building AI applications. The bug (CVE-2026-5027, rated 8.8) is a path-traversal weakness: the file-upload endpoint does not clean the supplied filename, so an attacker can use directory-climbing sequences to write files anywhere on the server, a foothold that leads to remote code execution. Tenable, which found it, says the maintainers did not respond after three contact attempts in early 2026, and there is still no official fix. Early exploitation appears to be probing, with attackers writing harmless test files, but that usually precedes heavier attacks.

Check
Identify any internet-facing Langflow instances, confirm the version, and review the server filesystem and web logs for unexpected files written via the /api/v2/files upload endpoint.
Affected
Internet-exposed Langflow deployments where the file-upload endpoint is reachable (CVE-2026-5027). No vendor patch is available yet, and active exploitation is already under way.
Fix
Until a fix ships, take Langflow off the public internet or place it behind authentication and a WAF that blocks path-traversal payloads, and restrict the upload endpoint.

Critical unauthenticated path traversal in CrowdStrike LogScale lets remote attackers read any file on the server (CVE-2026-40050, CVSS 9.8)

CrowdStrike disclosed CVE-2026-40050 on April 21, a critical unauthenticated path traversal in a specific cluster API endpoint of self-hosted LogScale (formerly Humio). CVSS 9.8. A remote attacker who can reach the endpoint can read arbitrary files from disk - including config files, certificates, embedded credentials, and the very logs the platform was deployed to protect. CrowdStrike found the bug through internal product testing and applied network-layer blocks across all SaaS clusters on April 7. Self-hosted customers must patch themselves. There is no evidence of in-the-wild exploitation yet.

Check
Check every self-hosted CrowdStrike LogScale instance today and patch immediately - and verify the cluster API endpoint is not reachable from anywhere it shouldn't be.
Affected
CrowdStrike LogScale Self-Hosted GA versions 1.224.0 through 1.234.0 inclusive, plus LTS versions 1.228.0 and 1.228.1. CVE-2026-40050, CVSS 9.8 (CWE-22 path traversal plus CWE-306 missing authentication). LogScale SaaS deployments and Next-Gen SIEM customers are not exposed - SaaS was already mitigated April 7 at the network layer.
Fix
Upgrade to LogScale Self-Hosted 1.235.1+ (GA) or 1.228.2 (LTS). Restrict the cluster API endpoint to internal management networks - it should never be internet-facing or general-VLAN reachable. Audit web-access logs for traversal patterns (..%2F, ../, encoded variants). Rotate any credentials, certificates, or tokens that may have been on disk on the LogScale host during the vulnerable window.