Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-4xn4-uppj-hqcp
Vulnerability ID VCID-4xn4-uppj-hqcp
Aliases CVE-2026-6596
GHSA-vvfc-fp59-m92g
Summary Langflow: DoS Through Lack of File Size Restriction via Deprecated Unauthenticated File Upload API A security flaw has been discovered in langflow-ai langflow up to 1.1.0. This issue affects the function create_upload_file of the file src/backend/base/Langflow/api/v1/endpoints.py of the component API Endpoint. The manipulation results in unrestricted upload. It is possible to launch the attack remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
Status Published
Exploitability 0.5
Weighted Severity 6.8
Risk 3.4
Affected and Fixed Packages Package Details
Weaknesses (4)
CWE-284 Improper Access Control
CWE-434 Unrestricted Upload of File with Dangerous Type
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
System Score Found at
epss 0.00054 https://api.first.org/data/v1/epss?cve=CVE-2026-6596
epss 0.00054 https://api.first.org/data/v1/epss?cve=CVE-2026-6596
epss 0.00054 https://api.first.org/data/v1/epss?cve=CVE-2026-6596
cvssv2 7.5 https://gist.github.com/chenhouser2025/c2aabfdee41009cfe45d28a9924742a0
cvssv3 7.3 https://gist.github.com/chenhouser2025/c2aabfdee41009cfe45d28a9924742a0
cvssv3.1 7.3 https://gist.github.com/chenhouser2025/c2aabfdee41009cfe45d28a9924742a0
cvssv3.1 7.3 https://gist.github.com/chenhouser2025/c2aabfdee41009cfe45d28a9924742a0
cvssv4 5.5 https://gist.github.com/chenhouser2025/c2aabfdee41009cfe45d28a9924742a0
cvssv4 6.9 https://gist.github.com/chenhouser2025/c2aabfdee41009cfe45d28a9924742a0
generic_textual MODERATE https://gist.github.com/chenhouser2025/c2aabfdee41009cfe45d28a9924742a0
ssvc Track https://gist.github.com/chenhouser2025/c2aabfdee41009cfe45d28a9924742a0
cvssv3.1_qr MODERATE https://github.com/advisories/GHSA-vvfc-fp59-m92g
cvssv3.1 7.3 https://github.com/langflow-ai/langflow/commit/b5662446bc8c54d928e278d3d26ad95b62425815
cvssv4 5.5 https://github.com/langflow-ai/langflow/commit/b5662446bc8c54d928e278d3d26ad95b62425815
generic_textual MODERATE https://github.com/langflow-ai/langflow/commit/b5662446bc8c54d928e278d3d26ad95b62425815
cvssv3.1 7.3 https://nvd.nist.gov/vuln/detail/CVE-2026-6596
cvssv4 5.5 https://nvd.nist.gov/vuln/detail/CVE-2026-6596
generic_textual MODERATE https://nvd.nist.gov/vuln/detail/CVE-2026-6596
cvssv2 7.5 https://vuldb.com/submit/791919
cvssv3 7.3 https://vuldb.com/submit/791919
cvssv3.1 7.3 https://vuldb.com/submit/791919
cvssv3.1 7.3 https://vuldb.com/submit/791919
cvssv4 5.5 https://vuldb.com/submit/791919
cvssv4 6.9 https://vuldb.com/submit/791919
generic_textual MODERATE https://vuldb.com/submit/791919
ssvc Track https://vuldb.com/submit/791919
cvssv2 7.5 https://vuldb.com/vuln/358231
cvssv3 7.3 https://vuldb.com/vuln/358231
cvssv3.1 7.3 https://vuldb.com/vuln/358231
cvssv3.1 7.3 https://vuldb.com/vuln/358231
cvssv4 5.5 https://vuldb.com/vuln/358231
cvssv4 6.9 https://vuldb.com/vuln/358231
generic_textual MODERATE https://vuldb.com/vuln/358231
ssvc Track https://vuldb.com/vuln/358231
cvssv2 7.5 https://vuldb.com/vuln/358231/cti
cvssv3 7.3 https://vuldb.com/vuln/358231/cti
cvssv3.1 7.3 https://vuldb.com/vuln/358231/cti
cvssv3.1 7.3 https://vuldb.com/vuln/358231/cti
cvssv4 5.5 https://vuldb.com/vuln/358231/cti
cvssv4 6.9 https://vuldb.com/vuln/358231/cti
generic_textual MODERATE https://vuldb.com/vuln/358231/cti
ssvc Track https://vuldb.com/vuln/358231/cti
Reference id Reference type URL
https://api.first.org/data/v1/epss?cve=CVE-2026-6596
https://gist.github.com/chenhouser2025/c2aabfdee41009cfe45d28a9924742a0
https://github.com/langflow-ai/langflow/commit/b5662446bc8c54d928e278d3d26ad95b62425815
https://nvd.nist.gov/vuln/detail/CVE-2026-6596
https://vuldb.com/submit/791919
https://vuldb.com/vuln/358231
https://vuldb.com/vuln/358231/cti
cpe:2.3:a:langflow:langflow:*:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:langflow:langflow:*:*:*:*:*:*:*:*
GHSA-vvfc-fp59-m92g https://github.com/advisories/GHSA-vvfc-fp59-m92g
No exploits are available.
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR Found at https://gist.github.com/chenhouser2025/c2aabfdee41009cfe45d28a9924742a0
Exploitability (E) Access Vector (AV) Access Complexity (AC) Authentication (Au) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

high

functional

unproven

proof_of_concept

not_defined

local

adjacent_network

network

high

medium

low

multiple

single

none

none

partial

complete

none

partial

complete

none

partial

complete
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R Found at https://gist.github.com/chenhouser2025/c2aabfdee41009cfe45d28a9924742a0
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R Found at https://gist.github.com/chenhouser2025/c2aabfdee41009cfe45d28a9924742a0
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L Found at https://gist.github.com/chenhouser2025/c2aabfdee41009cfe45d28a9924742a0
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P Found at https://gist.github.com/chenhouser2025/c2aabfdee41009cfe45d28a9924742a0
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P Found at https://gist.github.com/chenhouser2025/c2aabfdee41009cfe45d28a9924742a0
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-20T14:54:09Z/ Found at https://gist.github.com/chenhouser2025/c2aabfdee41009cfe45d28a9924742a0
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L Found at https://github.com/langflow-ai/langflow/commit/b5662446bc8c54d928e278d3d26ad95b62425815
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P Found at https://github.com/langflow-ai/langflow/commit/b5662446bc8c54d928e278d3d26ad95b62425815
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L Found at https://nvd.nist.gov/vuln/detail/CVE-2026-6596
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P Found at https://nvd.nist.gov/vuln/detail/CVE-2026-6596
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR Found at https://vuldb.com/submit/791919
Exploitability (E) Access Vector (AV) Access Complexity (AC) Authentication (Au) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

high

functional

unproven

proof_of_concept

not_defined

local

adjacent_network

network

high

medium

low

multiple

single

none

none

partial

complete

none

partial

complete

none

partial

complete
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R Found at https://vuldb.com/submit/791919
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R Found at https://vuldb.com/submit/791919
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L Found at https://vuldb.com/submit/791919
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P Found at https://vuldb.com/submit/791919
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P Found at https://vuldb.com/submit/791919
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-20T14:54:09Z/ Found at https://vuldb.com/submit/791919
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR Found at https://vuldb.com/vuln/358231
Exploitability (E) Access Vector (AV) Access Complexity (AC) Authentication (Au) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

high

functional

unproven

proof_of_concept

not_defined

local

adjacent_network

network

high

medium

low

multiple

single

none

none

partial

complete

none

partial

complete

none

partial

complete
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R Found at https://vuldb.com/vuln/358231
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R Found at https://vuldb.com/vuln/358231
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L Found at https://vuldb.com/vuln/358231
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P Found at https://vuldb.com/vuln/358231
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P Found at https://vuldb.com/vuln/358231
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-20T14:54:09Z/ Found at https://vuldb.com/vuln/358231
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR Found at https://vuldb.com/vuln/358231/cti
Exploitability (E) Access Vector (AV) Access Complexity (AC) Authentication (Au) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

high

functional

unproven

proof_of_concept

not_defined

local

adjacent_network

network

high

medium

low

multiple

single

none

none

partial

complete

none

partial

complete

none

partial

complete
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R Found at https://vuldb.com/vuln/358231/cti
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R Found at https://vuldb.com/vuln/358231/cti
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L Found at https://vuldb.com/vuln/358231/cti
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P Found at https://vuldb.com/vuln/358231/cti
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P Found at https://vuldb.com/vuln/358231/cti
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-20T14:54:09Z/ Found at https://vuldb.com/vuln/358231/cti
Exploit Prediction Scoring System (EPSS)
Percentile 0.17355
EPSS Score 0.00054
Published At June 5, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-06-04T16:53:39.965105+00:00 GithubOSV Importer Import https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-vvfc-fp59-m92g/GHSA-vvfc-fp59-m92g.json 38.6.0