Enterprises using the open-source AI orchestration platform The bug, which stems from improper handling of filenames in Langflow’s file upload functionality, can allow attackers to write files to arbitrary locations within the affected system and, under certain conditions, can be used to achieve remote code execution (RCE) on affected servers. An added complexity is that Langflow is shipping with an auto-login behavior, allowing unauthenticated users with a valid session to reach the vulnerab...

Read the original article