# [CRIT] [GHSA / CRITICAL] CVE-2026-55447: Langflow: BaseFileComponent-based nodes arbitrary file read with RCE exploit **Source:** GitHub Security Advisories **Published:** 2026-06-19 **Article:** https://github.com/advisories/GHSA-ccv6-r384-xp75 ## Threat Profile Langflow: BaseFileComponent-based nodes arbitrary file read with RCE exploit ### Summary All components based on `BaseFileComponent` are vulnerable to the following vulnerability: 1. Docling (`DoclingInlineComponent`) 2. Docling Serve (`DoclingRemoteComponent`) 3. Read File (`FileComponent`) 4. NVIDIA Retriever Extraction (`NvidiaIngestComponent`) 5. Video File (`VideoFileComponent`) 6. Unstructured API (`UnstructuredComponent`) For clarity, from now on I'll only refer to Read File component. … ## Indicators of Compromise (high-fidelity only) - **CVE:** `CVE-2026-55447` ## MITRE ATT&CK Techniques - **T1190** — Exploit Public-Facing Application - **T1204.002** — User Execution: Malicious File - **T1659** — Content Injection - **T1552.001** — Unsecured Credentials: Credentials In Files - **T1083** — File and Directory Discovery - **T1059.006** — Command and Scripting Interpreter: Python - **T1059.004** — Command and Scripting Interpreter: Unix Shell ## Kill chain phases observed _(none detected from narrative keywords)_ ## Recommended hunts ### Langflow file-ingestion endpoint receives archive/bundle upload (CVE-2026-55447 delivery) `UC_7_2` · phase: **delivery** · confidence: **Low** · AI-generated for this article **Splunk SPL (CIM):** ```spl | tstats `summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.http_method=POST (Web.url="*/api/v1/files/upload*" OR Web.url="*/api/v2/files*") by Web.src Web.dest Web.url Web.http_user_agent Web.status | `drop_dm_object_name(Web)` | convert ctime(firstTime) ctime(lastTime) | sort - count ``` ### Langflow worker reads secret_key / credential files via symlink TAR traversal (CVE-2026-55447) `UC_7_3` · phase: **exploit** · confidence: **High** · AI-generated for this article **Splunk SPL (CIM):** ```spl | tstats `summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem where (Filesystem.file_path="*/etc/shadow*" OR Filesystem.file_path="*/etc/passwd*" OR Filesystem.file_path="*/.ssh/*" OR Filesystem.file_path="*id_rsa*" OR Filesystem.file_path="*/.aws/credentials*" OR Filesystem.file_path="*secret_key*" OR Filesystem.file_path="*private_key.pem*") by Filesystem.dest Filesystem.user Filesystem.file_path Filesystem.file_name Filesystem.action | `drop_dm_object_name(Filesystem)` | convert ctime(firstTime) ctime(lastTime) | sort - lastTime ``` ### Langflow Python worker spawns shell / recon child process (CVE-2026-55447 Python Interpreter RCE) `UC_7_4` · phase: **exploit** · confidence: **Medium** · AI-generated for this article **Splunk SPL (CIM):** ```spl | tstats `summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.parent_process_name=python* OR Processes.parent_process_name=uvicorn* OR Processes.parent_process_name=gunicorn*) Processes.parent_process="*langflow*" (Processes.process_name IN ("sh","bash","dash","zsh","curl","wget","nc","ncat","netcat","whoami","id","uname","hostname","base64","chmod","crontab")) by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process | `drop_dm_object_name(Processes)` | convert ctime(firstTime) ctime(lastTime) | sort - lastTime ``` **Defender KQL:** ```kql DeviceProcessEvents | where Timestamp > ago(7d) | where InitiatingProcessFileName has_any ("python", "python3", "uvicorn", "gunicorn") | where InitiatingProcessCommandLine has "langflow" or InitiatingProcessFolderPath has "langflow" | where FileName in~ ("sh", "bash", "dash", "zsh", "curl", "wget", "nc", "ncat", "netcat", "whoami", "id", "uname", "hostname", "base64", "chmod", "crontab") | where AccountName !endswith "$" | project Timestamp, DeviceName, AccountName, InitiatingProcessFileName, InitiatingProcessCommandLine, FileName, ProcessCommandLine, FolderPath, SHA256 | order by Timestamp desc ``` ### Article-specific behavioural hunt — [GHSA / CRITICAL] CVE-2026-55447: Langflow: BaseFileComponent-based nodes arbitr `UC_7_1` · phase: **install** · confidence: **High** **Splunk SPL (CIM):** ```spl ``` Article-specific bespoke detection — [GHSA / CRITICAL] CVE-2026-55447: Langflow: BaseFileComponent-based nodes arbitr ``` | tstats `summariesonly` count from datamodel=Endpoint.Filesystem where Filesystem.action IN ("created","modified") AND (Filesystem.file_path="*/tmp/trip.docx*") by Filesystem.dest, Filesystem.user, Filesystem.process_name, Filesystem.file_path, Filesystem.file_name | `drop_dm_object_name(Filesystem)` ``` **Defender KQL:** ```kql // Article-specific bespoke detection — [GHSA / CRITICAL] CVE-2026-55447: Langflow: BaseFileComponent-based nodes arbitr // Hunts the actual binaries / paths / commandline fragments named // in the article instead of a generic technique-class template. // File-creation events for the named binaries / paths DeviceFileEvents | where Timestamp > ago(30d) | where ActionType in ("FileCreated","FileModified") | where (FolderPath has_any ("/tmp/trip.docx")) | project Timestamp, DeviceName, AccountName, FolderPath, FileName, ActionType, InitiatingProcessFileName, InitiatingProcessCommandLine | order by Timestamp desc ``` ### IOC-driven hunts (use shared templates) These are standard IOC-substitution hunts — the canonical SPL and KQL live once in [`_TEMPLATES.md`](../_TEMPLATES.md), so we don't repeat the same boilerplate on every CVE / hash / network-IOC briefing. - **Asset exposure — vulnerability matches article CVE(s)** ([template](../_TEMPLATES.md#asset-exposure)) — phase: **recon**, confidence: **High** - CVE(s): `CVE-2026-55447` ## Why this matters Severity classified as **CRIT** based on: CVE present, 5 use case(s) fired, 7 technique(s) inferred. Read the full article for actor attribution, tooling details, and any defanged IOCs in the body that aren't visible in the RSS summary.