VulnerableCode Package Details - pkg:pypi/langflow-base@0.0.91

Search for packages

Vulnerability	Summary	Fixed by
VCID-1dek-kvzf-27d1 Aliases: CVE-2026-34046 GHSA-8c4j-f57c-35cf	Langflow: Authenticated Users Can Read, Modify, and Delete Any Flow via Missing Ownership Check ## Vulnerability ### IDOR in `GET/PATCH/DELETE /api/v1/flow/{flow_id}` The `_read_flow` helper in `src/backend/base/langflow/api/v1/flows.py` branched on the `AUTO_LOGIN` setting to decide whether to filter by `user_id`. When `AUTO_LOGIN` was `False` (i.e., authentication was enabled), neither branch enforced an ownership check — the query returned any flow matching the given UUID regardless of who owned it. This exposed any authenticated user to: - Read any other user's flow, including embedded plaintext API keys - Modify the logic of another user's AI agents - Delete flows belonging to other users The vulnerability was introduced by the conditional logic that was meant to accommodate public/example flows (those with `user_id = NULL`) under auto-login mode, but inadvertently left the authenticated path without an ownership filter. --- ## Fix (PR #8956) The fix removes the `AUTO_LOGIN` conditional entirely and unconditionally scopes the query to the requesting user: ```diff - auth_settings = settings_service.auth_settings - stmt = select(Flow).where(Flow.id == flow_id) - if auth_settings.AUTO_LOGIN: - stmt = stmt.where( - (Flow.user_id == user_id) \| (Flow.user_id == None) # noqa: E711 - ) + stmt = select(Flow).where(Flow.id == flow_id).where(Flow.user_id == user_id) ``` All three operations — read, update, and delete — route through `_read_flow`, so the single change covers the full attack surface. A cross-user isolation test (`test_read_flows_user_isolation`) was added to prevent regression. --- ## Acknowledgements Langflow thanks the security researcher who responsibly disclosed this vulnerability: - [@chximn-dt](https://github.com/chximn-dt)	0.5.1 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-4xn4-uppj-hqcp Aliases: CVE-2026-6596 GHSA-vvfc-fp59-m92g	Langflow: DoS Through Lack of File Size Restriction via Deprecated Unauthenticated File Upload API A security flaw has been discovered in langflow-ai langflow up to 1.1.0. This issue affects the function create_upload_file of the file src/backend/base/Langflow/api/v1/endpoints.py of the component API Endpoint. The manipulation results in unrestricted upload. It is possible to launch the attack remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.	1.9.1 Affected by 0 other vulnerabilities.
VCID-fc5h-qc2t-xqc3 Aliases: CVE-2025-57760 GHSA-4gv9-mp8m-592r	Langflow Vulnerable to Privilege Escalation via CLI Superuser Creation (Post-RCE) A privilege escalation vulnerability exists in Langflow containers where an authenticated user with RCE access can invoke the internal CLI command langflow superuser to create a new administrative user. This results in full superuser access, even if the user initially registered through the UI as a regular (non-admin) account.	0.5.1 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-qwtw-q92t-quhz Aliases: CVE-2026-21445 GHSA-c5cp-vx83-jhqx	Langflow Missing Authentication on Critical API Endpoints Multiple critical API endpoints in Langflow are missing authentication controls, allowing any unauthenticated user to access sensitive user conversation data, transaction histories, and perform destructive operations including message deletion. This affects endpoints handling personal data and system operations that should require proper authorization.	0.7.1 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}
VCID-wv26-29b9-vqgg Aliases: CVE-2025-3248 GHSA-rvqx-wpfh-mfx7 PYSEC-2025-36	Langflow versions prior to 1.3.0 are susceptible to code injection in the /api/v1/validate/code endpoint. A remote and unauthenticated attacker can send crafted HTTP requests to execute arbitrary code.	0.3.0 Affected by 4 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}

Vulnerability

Summary

Fixed by

VCID-1dek-kvzf-27d1
Aliases:
CVE-2026-34046
GHSA-8c4j-f57c-35cf

Langflow: Authenticated Users Can Read, Modify, and Delete Any Flow via Missing Ownership Check ## Vulnerability ### IDOR in `GET/PATCH/DELETE /api/v1/flow/{flow_id}` The `_read_flow` helper in `src/backend/base/langflow/api/v1/flows.py` branched on the `AUTO_LOGIN` setting to decide whether to filter by `user_id`. When `AUTO_LOGIN` was `False` (i.e., authentication was enabled), neither branch enforced an ownership check — the query returned any flow matching the given UUID regardless of who owned it. This exposed any authenticated user to: - **Read** any other user's flow, including embedded plaintext API keys - **Modify** the logic of another user's AI agents - **Delete** flows belonging to other users The vulnerability was introduced by the conditional logic that was meant to accommodate public/example flows (those with `user_id = NULL`) under auto-login mode, but inadvertently left the authenticated path without an ownership filter. --- ## Fix (PR #8956) The fix removes the `AUTO_LOGIN` conditional entirely and unconditionally scopes the query to the requesting user: ```diff - auth_settings = settings_service.auth_settings - stmt = select(Flow).where(Flow.id == flow_id) - if auth_settings.AUTO_LOGIN: - stmt = stmt.where( - (Flow.user_id == user_id) | (Flow.user_id == None) # noqa: E711 - ) + stmt = select(Flow).where(Flow.id == flow_id).where(Flow.user_id == user_id) ``` All three operations — read, update, and delete — route through `_read_flow`, so the single change covers the full attack surface. A cross-user isolation test (`test_read_flows_user_isolation`) was added to prevent regression. --- ## Acknowledgements Langflow thanks the security researcher who responsibly disclosed this vulnerability: - **[@chximn-dt](https://github.com/chximn-dt)**

0.5.1
Affected by 2 other vulnerabilities.

VCID-4xn4-uppj-hqcp
Aliases:
CVE-2026-6596
GHSA-vvfc-fp59-m92g

Langflow: DoS Through Lack of File Size Restriction via Deprecated Unauthenticated File Upload API A security flaw has been discovered in langflow-ai langflow up to 1.1.0. This issue affects the function create_upload_file of the file src/backend/base/Langflow/api/v1/endpoints.py of the component API Endpoint. The manipulation results in unrestricted upload. It is possible to launch the attack remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.

1.9.1
Affected by 0 other vulnerabilities.

VCID-fc5h-qc2t-xqc3
Aliases:
CVE-2025-57760
GHSA-4gv9-mp8m-592r

Langflow Vulnerable to Privilege Escalation via CLI Superuser Creation (Post-RCE) A privilege escalation vulnerability exists in Langflow containers where an authenticated user with RCE access can invoke the internal CLI command **langflow superuser** to create a new administrative user. This results in full superuser access, even if the user initially registered through the UI as a regular (non-admin) account.

0.5.1
Affected by 2 other vulnerabilities.

VCID-qwtw-q92t-quhz
Aliases:
CVE-2026-21445
GHSA-c5cp-vx83-jhqx

Langflow Missing Authentication on Critical API Endpoints Multiple critical API endpoints in Langflow are missing authentication controls, allowing any unauthenticated user to access sensitive user conversation data, transaction histories, and perform destructive operations including message deletion. This affects endpoints handling personal data and system operations that should require proper authorization.

0.7.1
Affected by 1 other vulnerability.

VCID-wv26-29b9-vqgg
Aliases:
CVE-2025-3248
GHSA-rvqx-wpfh-mfx7
PYSEC-2025-36

Langflow versions prior to 1.3.0 are susceptible to code injection in the /api/v1/validate/code endpoint. A remote and unauthenticated attacker can send crafted HTTP requests to execute arbitrary code.

0.3.0
Affected by 4 other vulnerabilities.

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Vulnerability

Summary

Aliases

This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-06-06T08:14:10.624384+00:00	GitLab Importer	Affected by	VCID-4xn4-uppj-hqcp	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/langflow-base/CVE-2026-6596.yml	38.6.0
2026-06-06T07:37:12.470443+00:00	GitLab Importer	Affected by	VCID-1dek-kvzf-27d1	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/langflow-base/CVE-2026-34046.yml	38.6.0
2026-06-06T06:34:27.813171+00:00	GitLab Importer	Affected by	VCID-qwtw-q92t-quhz	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/langflow-base/CVE-2026-21445.yml	38.6.0
2026-06-06T06:00:43.523188+00:00	GitLab Importer	Affected by	VCID-fc5h-qc2t-xqc3	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/langflow-base/CVE-2025-57760.yml	38.6.0
2026-06-06T05:52:55.356490+00:00	GitLab Importer	Affected by	VCID-wv26-29b9-vqgg	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/langflow-base/CVE-2025-3248.yml	38.6.0