Mallory

High-Severity Flaws in Langflow and vLLM Expose Secrets and Enable RCE

Tags: ai-platform-security, internet-facing-service-vulnerability, widely-deployed-product-advisory, open-source-dependency-vulnerability, leaked-secret-api-key
Updated March 27, 2026 at 03:02 AM (2 sources)

Two high-severity vulnerabilities were disclosed in widely used AI application components, affecting Langflow and vLLM. In Langflow, CVE-2026-33497 impacts versions before 1.7.1 and stems from improper filtering of folder_name and file_name in the /profile_pictures/{folder_name}/{file_name} endpoint. The path traversal flaw (CWE-22) allows unauthenticated attackers to read files across directories, including the application's secret_key, creating a direct risk of secret exposure and follow-on compromise. The issue is addressed in Langflow 1.7.1 and tracked in GitHub advisory GHSA-ph9w-r52h-28p7.
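One defender-side way to handle the two URL components described above, as an added example that is not Langflow's code: the root directory is a constructed placeholder, and the example assumes the web framework has already percent-decoded `folder_name` and `file_name`.

```python
"""Added example (not Langflow's code): a containment check for a
download handler that takes folder_name and file_name from the URL."""
from pathlib import Path
from typing import Optional

# Placeholder root; a real deployment uses its configured picture directory.
PROFILE_PICTURE_ROOT = Path("/srv/app/profile_pictures")


def _is_clean_component(part: str) -> bool:
    """Accept only a single, plain path component: no separators,
    no '.' or '..', no NUL bytes, not empty."""
    if not part or part in (".", ".."):
        return False
    if "\x00" in part or "/" in part or "\\" in part:
        return False
    return True


def resolve_profile_picture(folder_name: str, file_name: str,
                            root: Path = PROFILE_PICTURE_ROOT) -> Optional[Path]:
    """Map /profile_pictures/{folder_name}/{file_name} to an on-disk path,
    or return None when the request would leave the configured root.

    Two independent layers: reject suspicious components up front, then
    confirm the fully resolved path is still under root. The second layer
    also catches symlinks and anything the component filter missed.
    Assumes the framework has already percent-decoded both values."""
    if not (_is_clean_component(folder_name) and _is_clean_component(file_name)):
        return None
    root_resolved = root.resolve()
    candidate = (root_resolved / folder_name / file_name).resolve()
    try:
        candidate.relative_to(root_resolved)  # raises ValueError if outside root
    except ValueError:
        return None
    return candidate


if __name__ == "__main__":
    for folder, name in [("alice", "avatar.png"), ("..", "config"),
                         ("alice", "../../app.env"), ("alice/..", "x")]:
        print(f"{folder!r}/{name!r} -> {resolve_profile_picture(folder, name)}")
```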

A separate flaw in vLLM, CVE-2026-27893, can lead to remote code execution by bypassing a user's attempt to disable remote code trust. In versions from 0.10.1 up to but not including 0.18.0, two model implementation files hardcoded trust_remote_code=True, overriding the safer --trust-remote-code=False setting and allowing malicious model repositories to run code during model use. The vulnerability, classified as CWE-693, was patched in vLLM 0.18.0, underscoring supply-chain and configuration-bypass risks in AI infrastructure components.
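An audit that catches the configuration-bypass pattern described above, written as an added example rather than vLLM's own code: the two snippets it scans are constructed to illustrate the bug class and its fix, and `AutoProcessor.from_pretrained` stands in for whichever loader a model implementation file happens to call.

```python
"""Added example (not vLLM's code): audit Python sources for call sites
that hardcode trust_remote_code=True, the pattern that silently defeats a
--trust-remote-code=False setting. Both sample sources are constructed."""
import ast
from pathlib import Path
from typing import List, Tuple

# Constructed illustration of the bug class: the literal True wins no
# matter what the operator configured.
BUGGY_SRC = """
def load_processor(model_id, hf_config):
    return AutoProcessor.from_pretrained(model_id, trust_remote_code=True)
"""

# Constructed fixed form: the operator's setting is threaded through.
FIXED_SRC = """
def load_processor(model_id, hf_config):
    return AutoProcessor.from_pretrained(
        model_id, trust_remote_code=hf_config.trust_remote_code)
"""

Hit = Tuple[str, int, str]  # (filename, line, callee)


def find_hardcoded_trust(source: str, filename: str = "<memory>") -> List[Hit]:
    """Return one hit per call whose trust_remote_code keyword is the
    literal True. Calls that forward a variable or attribute are not flagged."""
    hits: List[Hit] = []
    for node in ast.walk(ast.parse(source, filename)):
        if not isinstance(node, ast.Call):
            continue
        for kw in node.keywords:
            if (kw.arg == "trust_remote_code"
                    and isinstance(kw.value, ast.Constant)
                    and kw.value.value is True):
                hits.append((filename, node.lineno, ast.unparse(node.func)))
    return hits


def audit_tree(root: Path) -> List[Hit]:
    """Run the check over every .py file under root, e.g. a vendored
    model-implementation directory reviewed before deployment."""
    hits: List[Hit] = []
    for path in sorted(root.rglob("*.py")):
        try:
            hits.extend(find_hardcoded_trust(path.read_text(encoding="utf-8"), str(path)))
        except SyntaxError:
            continue  # skip files this interpreter cannot parse
    return hits
```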

Timeline

  1. Mar 27, 2026

    vLLM 0.18.0 patches CVE-2026-27893

    vLLM version 0.18.0 fixed the hardcoded trust_remote_code=True behavior in NemotronVL and KimiK25 model implementations. GitHub security advisories on the CVE referenced the fixing commit, pull request, and advisory.

  2. Mar 27, 2026

    vLLM discloses CVE-2026-27893 trust_remote_code bypass

    A vulnerability in vLLM versions from 0.10.1 up to but not including 0.18.0 was disclosed after researchers found two model implementation files hardcoded trust_remote_code=True, overriding users' explicit security opt-out. This could enable remote code execution from malicious model repositories.

  3. Mar 24, 2026

    Langflow 1.7.1 patches CVE-2026-33497

    Langflow version 1.7.1 was identified as containing the fix for CVE-2026-33497, addressing the file-reading issue in the profile picture download handler. The advisory references GitHub Security Advisory GHSA-ph9w-r52h-28p7.

  4. Mar 24, 2026

    Langflow discloses CVE-2026-33497 path traversal flaw

    A path traversal vulnerability affecting Langflow versions before 1.7.1 was disclosed, involving insufficient filtering of folder_name and file_name in the /profile_pictures/{folder_name}/{file_name} endpoint. The flaw could allow attackers to read files across directories, including the application's secret_key.


Related Stories

Critical Langflow RCE in Public Flow Endpoint Exploited Immediately

A critical **unauthenticated remote code execution** flaw in Langflow, tracked as `CVE-2026-33017`, allows attackers to execute arbitrary Python code through the `POST /api/v1/build_public_tmp/{flow_id}/flow` endpoint. The vulnerability affects Langflow versions prior to `1.9.0` and stems from the application's handling of the optional `data` parameter, which can carry attacker-controlled flow definitions that are passed to `exec()` without sandboxing. The issue is separate from the earlier `CVE-2025-3248`, which involved authentication on a different endpoint. Security researchers reported exploitation beginning within 20 hours of public disclosure, with attackers scanning for exposed Langflow instances, stealing credentials and environment data, reading files including `/etc/passwd`, and attempting to fetch a follow-on payload from `173.212.205[.]251:8443`. The flaw requires no privileges or user interaction and carries high impact across confidentiality, integrity, and availability, underscoring the risk to AI workflow platforms that often hold sensitive data and integration secrets.

1 month ago
Critical Root Access and Arbitrary File Write Flaws Disclosed in Network-Exposed Systems

Two high-severity vulnerabilities were disclosed affecting exposed application and device management surfaces, including a flaw that can give attackers **root access** and another that enables **arbitrary file write** through path traversal. **CVE-2026-3587** describes an unauthenticated remote attack path in a hidden CLI function that lets an attacker escape a restricted prompt and gain root access to the underlying Linux operating system, potentially leading to full device compromise. The issue was mapped to `CWE-912` and assigned a `CVSS v3.1` score vector of `AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H`, with CERT VDE publishing advisory `VDE-2026-020`. A separate vulnerability, **CVE-2026-5027**, affects Langflow's `POST /api/v2/files` endpoint, where improper sanitization of the multipart `filename` parameter allows path traversal using `../` sequences. An authenticated attacker can exploit the bug to write files to arbitrary filesystem locations, creating a route to compromise confidentiality, integrity, and availability. The flaw was classified as `CWE-22`, carries the `CVSS v3.1` vector `AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H`, and is referenced in Tenable advisory `TRA-2026-26`.

1 month ago
Critical vLLM Multimodal Endpoint Flaw Enables Pre-Auth Remote Code Execution via Malicious Video

**CVE-2026-22778** is a critical vulnerability in *vLLM* (an LLM inference/serving engine) that can enable **remote code execution (RCE)** when a server processes attacker-supplied multimodal content (e.g., a crafted video/image payload). The issue stems from vLLM returning a **PIL error** to the client when an invalid image is submitted to a multimodal endpoint, which **leaks a heap address** and dramatically weakens ASLR (reported as reducing brute-force from billions of guesses to ~8). This information disclosure can then be chained with a **heap overflow** in the **JPEG2000 decoder** within bundled **OpenCV/FFmpeg** components to hijack execution flow and run arbitrary commands on the host. Operational risk is elevated because many **default vLLM deployments** (including common `pip`/Docker installs) may be exposed without authentication, and reporting indicates exploitation may still be possible **pre-auth** even when API keys are enabled (via an “invocations” route). The vulnerability affects versions **0.8.3 through < 0.14.1** and is **fixed in vLLM 0.14.1**; remediation should prioritize upgrading to `>= 0.14.1` and reviewing exposure of multimodal endpoints, especially any internet-accessible instances.

1 month ago
