UNIX Symbolic Link (Symlink) Following Affecting lfx package, versions [,0.4.2)


Severity

Recommended
0.0
high
0
10

CVSS assessment by Snyk's Security Team. Learn more

Threat Intelligence

Exploit Maturity
Proof of Concept
EPSS
0.41% (33rd percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-PYTHON-LFX-17400345
  • published22 Jun 2026
  • disclosed19 Jun 2026
  • creditOri Lahav

Introduced: 19 Jun 2026

NewCVE-2026-55447  (opens in a new tab)
CWE-61  (opens in a new tab)

How to fix?

Upgrade lfx to version 0.4.2 or higher.

Overview

lfx is a lfx is a command-line tool for running Langflow workflows. It provides two main commands: serve and run.

Affected versions of this package are vulnerable to UNIX Symbolic Link (Symlink) Following via the BaseFileComponent._unpack_bundle function. An attacker can access arbitrary files and execute code by uploading a crafted tar archive containing symlinks that point to sensitive files, such as authentication secrets, which can then be leveraged to bypass authentication and execute arbitrary Python code.

CVSS Base Scores

version 4.0
version 3.1