Critical Root Access and Arbitrary File Write Flaws Disclosed in Network-Exposed Systems
Two high-severity vulnerabilities were disclosed affecting exposed application and device management surfaces, including a flaw that can give attackers root access and another that enables arbitrary file write through path traversal. CVE-2026-3587 describes an unauthenticated remote attack path in a hidden CLI function that lets an attacker escape a restricted prompt and gain root access to the underlying Linux operating system, potentially leading to full device compromise. The issue was mapped to CWE-912 and assigned a CVSS v3.1 score vector of AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H, with CERT VDE publishing advisory VDE-2026-020.
A separate vulnerability, CVE-2026-5027, affects Langflow's POST /api/v2/files endpoint, where improper sanitization of the multipart filename parameter allows path traversal using ../ sequences. An authenticated attacker can exploit the bug to write files to arbitrary filesystem locations, creating a route to compromise confidentiality, integrity, and availability. The flaw was classified as CWE-22, carries the CVSS v3.1 vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, and is referenced in Tenable advisory TRA-2026-26.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
2 events from the most recent confirmed update back to the earliest known activity.
Tenable records CVE-2026-5027 path traversal in Langflow
On 2026-03-27, CVE-2026-5027 was recorded with details of a path traversal flaw in Langflow's POST /api/v2/files endpoint that could let an authenticated attacker write files to arbitrary filesystem locations via the filename parameter. The vulnerability was classified as CWE-22, given a high-severity CVSS v3.1 score, and referenced in Tenable advisory TRA-2026-26.
CERT VDE receives and publishes CVE-2026-3587 advisory
On 2026-03-23, CERT VDE received and published details for CVE-2026-3587, a hidden CLI function vulnerability that allows an unauthenticated remote attacker to escape a restricted interface and gain root access on the underlying Linux-based device. The issue was assigned a high-severity CVSS v3.1 score and published under advisory VDE-2026-020.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Unpatched Langflow Path Traversal Flaw Exploited for Unauthenticated RCE
Attackers are actively exploiting **CVE-2026-5027**, a high-severity path traversal vulnerability in the open-source AI application platform **Langflow**, to write files to arbitrary locations on target systems and potentially achieve remote code execution. The flaw affects the `POST /api/v2/files` endpoint, where the `filename` parameter is not properly sanitized, and exploitation is made more severe by Langflow's default unauthenticated auto-login behavior, which lets attackers obtain a valid session token with a single unauthenticated request. VulnCheck reported observed attacks writing apparent test files to victim hosts, while Tenable identified the issue and assigned it a **CVSS 8.8** score. Internet exposure increases the risk: Censys data indicates about **7,000** Langflow instances are reachable online, with the largest concentration in North America. The exploitation report also fits a broader pattern of sustained attacker interest in Langflow, with other vulnerabilities including **`CVE-2026-0770`**, **`CVE-2026-21445`**, **`CVE-2026-33017`**, and **`CVE-2025-34291`** also reported as exploited in 2026; the last has been linked in public reporting to the Iranian state-backed group **MuddyWater**. Separately, a newly disclosed flaw in **Roxy-WI** (**`CVE-2026-45556`**) shows a similar arbitrary file-write-to-RCE pattern on managed load balancers, but no public patch was available at publication.
Jun 11, 2026
High-Severity Flaws in Langflow and vLLM Expose Secrets and Enable RCE
Two high-severity vulnerabilities were disclosed in widely used AI application components, affecting **Langflow** and **vLLM**. In Langflow, `CVE-2026-33497` impacts versions before **1.7.1** and stems from improper filtering of `folder_name` and `file_name` in the `/profile_pictures/{folder_name}/{file_name}` endpoint. The path traversal flaw (`CWE-22`) allows unauthenticated attackers to read files across directories, including the application's `secret_key`, creating a direct risk of secret exposure and follow-on compromise. The issue is addressed in **Langflow 1.7.1** and tracked in GitHub advisory `GHSA-ph9w-r52h-28p7`. A separate flaw in vLLM, `CVE-2026-27893`, can lead to **remote code execution** by bypassing a user's attempt to disable remote code trust. In versions from **0.10.1** up to but not including **0.18.0**, two model implementation files hardcoded `trust_remote_code=True`, overriding the safer `--trust-remote-code=False` setting and allowing malicious model repositories to run code during model use. The vulnerability, classified as `CWE-693`, was patched in **vLLM 0.18.0**, underscoring supply-chain and configuration-bypass risks in AI infrastructure components.
Mar 27, 2026
Actively Exploited Langflow RCE Exposed AI Pipeline Secrets and Triggered CISA KEV Listing
Threat actors rapidly exploited **CVE-2026-33017**, a critical unauthenticated remote code execution flaw in Langflow’s public flow build endpoint, allowing arbitrary Python code to reach an unsandboxed `exec()` path with a single crafted request. The bug affects Langflow versions prior to **1.9.0** and stems from the `POST /api/v1/build_public_tmp/{flow_id}/flow` endpoint accepting attacker-controlled flow data through an optional parameter. Researchers and vendor advisories said the issue is distinct from **CVE-2025-3248** because the vulnerable endpoint is intentionally public, meaning the fix required removing attacker-supplied flow data from that execution path rather than simply adding authentication. Sysdig and other researchers reported exploitation beginning within about **20 hours** of disclosure, with attackers scanning for exposed instances, validating code execution, reading files such as `.env`, `.db`, and `/etc/passwd`, stealing credentials, API keys, and database secrets, and attempting follow-on payload delivery from infrastructure including `173.212.205[.]251:8443`. The severity prompted **CISA** to add the flaw to its **Known Exploited Vulnerabilities** catalog and order federal agencies to remediate by **April 8, 2026** or discontinue use if they could not secure affected systems. Security guidance across the reports urged organizations to upgrade to **Langflow 1.9.0 or later**, restrict or remove internet exposure of the vulnerable endpoint, monitor outbound connections, and rotate secrets if compromise is suspected.
Jun 8, 2026