Unpatched Langflow Flaw CVE-2026-5027 Exploited for Unauthenticated RCE

CVE-2026-5027, a path traversal vulnerability in Langflow with a CVSS score of 8.8, is being actively exploited for unauthenticated remote code execution. The flaw allows attackers to write files to arbitrary locations via the POST /api/v2/files endpoint. Approximately 7,000 Langflow instances are publicly exposed, mostly in North America.