Critical Root Access and Arbitrary File Write Flaws Disclosed in Network-Exposed Systems
Two high-severity vulnerabilities were disclosed affecting exposed application and device management surfaces, including a flaw that can give attackers root access and another that enables arbitrary file write through path traversal. CVE-2026-3587 describes an unauthenticated remote attack path in a hidden CLI function that lets an attacker escape a restricted prompt and gain root access to the underlying Linux operating system, potentially leading to full device compromise. The issue was mapped to CWE-912 and assigned a CVSS v3.1 score vector of AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H, with CERT VDE publishing advisory VDE-2026-020.
A separate vulnerability, CVE-2026-5027, affects Langflow's POST /api/v2/files endpoint, where improper sanitization of the multipart filename parameter allows path traversal using ../ sequences. An authenticated attacker can exploit the bug to write files to arbitrary filesystem locations, creating a route to compromise confidentiality, integrity, and availability. The flaw was classified as CWE-22, carries the CVSS v3.1 vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, and is referenced in Tenable advisory TRA-2026-26.
Timeline
Mar 27, 2026
Tenable records CVE-2026-5027 path traversal in Langflow
On 2026-03-27, CVE-2026-5027 was recorded with details of a path traversal flaw in Langflow's POST /api/v2/files endpoint that could let an authenticated attacker write files to arbitrary filesystem locations via the filename parameter. The vulnerability was classified as CWE-22, given a high-severity CVSS v3.1 score, and referenced in Tenable advisory TRA-2026-26.
Mar 23, 2026
CERT VDE receives and publishes CVE-2026-3587 advisory
On 2026-03-23, CERT VDE received and published details for CVE-2026-3587, a hidden CLI function vulnerability that allows an unauthenticated remote attacker to escape a restricted interface and gain root access on the underlying Linux-based device. The issue was assigned a high-severity CVSS v3.1 score and published under advisory VDE-2026-020.
See the full picture in Mallory
Mallory subscribers get deeper analysis on every story, including:
Who’s affected and how
Deep-dive technical analysis
Actionable next steps for your team
IPs, domains, hashes, and more
Ask questions and take action on every story
Filter by topic, classification, timeframe
Get matching stories delivered automatically
Related Entities
Vulnerabilities
Sources
Related Stories
High-Severity Flaws in Langflow and vLLM Expose Secrets and Enable RCE
Two high-severity vulnerabilities were disclosed in widely used AI application components, affecting **Langflow** and **vLLM**. In Langflow, `CVE-2026-33497` impacts versions before **1.7.1** and stems from improper filtering of `folder_name` and `file_name` in the `/profile_pictures/{folder_name}/{file_name}` endpoint. The path traversal flaw (`CWE-22`) allows unauthenticated attackers to read files across directories, including the application's `secret_key`, creating a direct risk of secret exposure and follow-on compromise. The issue is addressed in **Langflow 1.7.1** and tracked in GitHub advisory `GHSA-ph9w-r52h-28p7`. A separate flaw in vLLM, `CVE-2026-27893`, can lead to **remote code execution** by bypassing a user's attempt to disable remote code trust. In versions from **0.10.1** up to but not including **0.18.0**, two model implementation files hardcoded `trust_remote_code=True`, overriding the safer `--trust-remote-code=False` setting and allowing malicious model repositories to run code during model use. The vulnerability, classified as `CWE-693`, was patched in **vLLM 0.18.0**, underscoring supply-chain and configuration-bypass risks in AI infrastructure components.
1 months ago
Critical Langflow RCE in Public Flow Endpoint Exploited Immediately
A critical **unauthenticated remote code execution** flaw in Langflow, tracked as `CVE-2026-33017`, allows attackers to execute arbitrary Python code through the `POST /api/v1/build_public_tmp/{flow_id}/flow` endpoint. The vulnerability affects Langflow versions prior to `1.9.0` and stems from the application's handling of the optional `data` parameter, which can carry attacker-controlled flow definitions that are passed to `exec()` without sandboxing. The issue is separate from the earlier `CVE-2025-3248`, which involved authentication on a different endpoint. Security researchers reported exploitation beginning within 20 hours of public disclosure, with attackers scanning for exposed Langflow instances, stealing credentials and environment data, reading files including `/etc/passwd`, and attempting to fetch a follow-on payload from `173.212.205[.]251:8443`. The flaw requires no privileges or user interaction and carries high impact across confidentiality, integrity, and availability, underscoring the risk to AI workflow platforms that often hold sensitive data and integration secrets.
1 months ago
File Write and Path Traversal Flaws Expose AGiXT and Bugsink to Server Compromise
Two application vulnerabilities have exposed AGiXT and Bugsink servers to filesystem-level attacks that can lead to full host compromise. In AGiXT, advisory `GHSA-5gfj-64gh-mgmw` describes an authenticated path traversal flaw in the Essential Abilities Extension, rated **CVSS 8.8**, that lets an attacker escape intended directories and access files with the permissions of the AGiXT process. The issue allows arbitrary read, write, and delete operations against sensitive targets including environment files, configuration data, database credentials, cryptographic keys, `/etc/shadow`, and `.ssh/id_rsa`, creating high risk to confidentiality, integrity, and availability. A separate flaw tracked as `CVE-2026-40162` affects Bugsink and enables authenticated arbitrary file write or overwrite within the application's runtime permissions, with a **CVSS 7.1** rating. The weakness can be used to overwrite Python source files or module initialization scripts so attacker-controlled code executes on restart or when a new worker is spawned, effectively turning file access into remote code execution. Both disclosures warn that deployments running with elevated privileges or broad filesystem access face the greatest danger, including persistence through locations such as cron directories, `.ssh/authorized_keys`, or application package paths, as well as exposure of secrets, telemetry, and backend credentials.
3 weeks ago