python · langflow · Critical
Langflow: Unauthenticated Arbitrary File Upload in POST /api/v1/upload/{flow_id}
What changed
The deprecated POST /api/v1/upload/{flow_id} endpoint lacked authentication and file size limits, allowing unauthenticated arbitrary file uploads leading to disk exhaustion and absolute path disclosure.
Who it affects
All Langflow instances prior to version 1.9.1 that expose the upload endpoint.
What to do today
Upgrade to Langflow 1.9.1 or later to enforce authentication, flow ownership, and the max_file_size_upload limit.
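The three checks the fix is described as enforcing, plus returning an opaque name instead of the absolute storage path, shown as an added sketch that is not Langflow's code. `save_upload`, `UploadRejected`, `max_bytes` (standing in for the `max_file_size_upload` limit) and the sample requests are assumptions made for illustration.

```python
import os
import tempfile
import uuid

class UploadRejected(Exception):
    def __init__(self, status, reason):
        super().__init__(reason)
        self.status = status  # HTTP-style status for the failed check

def save_upload(user_id, flow_owner_id, chunks, storage_dir, max_bytes):
    """Hypothetical handler: user_id is None for anonymous callers; chunks yields bytes."""
    # 1. Authentication: reject anonymous callers before touching the disk.
    if user_id is None:
        raise UploadRejected(401, "authentication required")
    # 2. Flow ownership: only the flow's owner may attach files to it.
    if user_id != flow_owner_id:
        raise UploadRejected(403, "flow belongs to another user")
    # 3. Size limit, enforced while streaming so an oversized body never lands whole.
    stored_name = uuid.uuid4().hex  # server-chosen name, not client-supplied
    path = os.path.join(storage_dir, stored_name)
    written = 0
    try:
        with open(path, "wb") as fh:
            for chunk in chunks:
                written += len(chunk)
                if written > max_bytes:
                    raise UploadRejected(413, "file exceeds upload limit")
                fh.write(chunk)
    except UploadRejected:
        os.remove(path)  # do not leave the partial file behind
        raise
    return stored_name  # opaque name; the absolute path stays server-side

def demo():
    body = [b"A" * 1024] * 4  # constructed 4 KiB request body
    cases = [("anonymous", None, 8192), ("other_user", "bob", 8192),
             ("oversize", "alice", 2048), ("owner", "alice", 8192)]
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for label, user, limit in cases:
            try:
                save_upload(user, "alice", body, tmp, limit)
                results[label] = 200
            except UploadRejected as exc:
                results[label] = exc.status
        results["files_on_disk"] = len(os.listdir(tmp))
    return results

if __name__ == "__main__":
    print(demo())
```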