CVE-2026-3345: Path Traversal and Arbitrary File Write Vulnerability in IBM Langflow Desktop API v2 File Upload Endpoint
Published Apr 28, 2026
·Updated
IBM Langflow Desktop <=1.8.4 Langflow could allow a remote attacker to traverse directories on the system. An attacker could send a specially crafted URL request containing "dot dot" sequences (/../) to view arbitrary files on the system.
Affected Software
3 affected components
IBM Langflow Desktop<=1.8.4
IBM Langflow Desktop<=<=1.8.4
Langflow Langflow Desktop<=1.8.4
Remediation
Information
IBM recommends addressing the vulnerability now by upgrading to IBM Langflow Desktop 1.9.0 or newer https://www.langflow.org/blog/langflow-1-8-desktopIf you are already using Langflow Desktop, upgrade in the application to version 1.9.0To install Langflow Desktop for the first time, visit Download Langflow Desktop.
Event History
Apr 28, 2026
CVE Published
via IBM·12:00 AM
Data Sourced
via IBM·12:00 AM
DescriptionAffected Software
Apr 30, 2026
CVE Published
via MITRE·09:11 PM
Data Sourced
via MITRE·09:11 PM
RemedyDescriptionSeverityWeakness
Data Sourced
via NVD·10:16 PM
DescriptionSeverityWeaknessAffected Software
Frequently Asked Questions
1
What is the severity of CVE-2026-3345?
CVE-2026-3345 has been rated with a high severity level due to its potential for exploitation by remote attackers.
2
How do I fix CVE-2026-3345?
To fix CVE-2026-3345, update IBM Langflow Desktop to the latest version beyond 1.8.4.
3
What is the impact of CVE-2026-3345?
CVE-2026-3345 allows remote attackers to traverse directories and write arbitrary files to the system.
4
Who is affected by CVE-2026-3345?
IBM Langflow Desktop users with versions up to and including 1.8.4 are affected by CVE-2026-3345.
5
Is CVE-2026-3345 remotely exploitable?
Yes, CVE-2026-3345 is remotely exploitable as it involves sending specially crafted URL requests.