| purl | pkg:pypi/langflow-base@0.5.1 |
| Next non-vulnerable version | None. |
| Latest non-vulnerable version | None. |
| Risk | 4.0 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
| VCID-4xn4-uppj-hqcp Aliases: CVE-2026-6596 GHSA-vvfc-fp59-m92g | Langflow: DoS Through Lack of File Size Restriction via Deprecated Unauthenticated File Upload API A security flaw has been discovered in langflow-ai langflow up to 1.1.0. This issue affects the function create_upload_file of the file src/backend/base/Langflow/api/v1/endpoints.py of the component API Endpoint. The manipulation results in unrestricted upload. It is possible to launch the attack remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. | Affected by 0 other vulnerabilities. |
| VCID-qwtw-q92t-quhz Aliases: CVE-2026-21445 GHSA-c5cp-vx83-jhqx | Langflow Missing Authentication on Critical API Endpoints Multiple critical API endpoints in Langflow are missing authentication controls, allowing any unauthenticated user to access sensitive user conversation data, transaction histories, and perform destructive operations including message deletion. This affects endpoints handling personal data and system operations that should require proper authorization. | Affected by 1 other vulnerability. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-1dek-kvzf-27d1 | Langflow: Authenticated Users Can Read, Modify, and Delete Any Flow via Missing Ownership Check ## Vulnerability ### IDOR in `GET/PATCH/DELETE /api/v1/flow/{flow_id}` The `_read_flow` helper in `src/backend/base/langflow/api/v1/flows.py` branched on the `AUTO_LOGIN` setting to decide whether to filter by `user_id`. When `AUTO_LOGIN` was `False` (i.e., authentication was enabled), neither branch enforced an ownership check — the query returned any flow matching the given UUID regardless of who owned it. This exposed any authenticated user to: - **Read** any other user's flow, including embedded plaintext API keys - **Modify** the logic of another user's AI agents - **Delete** flows belonging to other users The vulnerability was introduced by the conditional logic that was meant to accommodate public/example flows (those with `user_id = NULL`) under auto-login mode, but inadvertently left the authenticated path without an ownership filter. --- ## Fix (PR #8956) The fix removes the `AUTO_LOGIN` conditional entirely and unconditionally scopes the query to the requesting user: ```diff - auth_settings = settings_service.auth_settings - stmt = select(Flow).where(Flow.id == flow_id) - if auth_settings.AUTO_LOGIN: - stmt = stmt.where( - (Flow.user_id == user_id) | (Flow.user_id == None) # noqa: E711 - ) + stmt = select(Flow).where(Flow.id == flow_id).where(Flow.user_id == user_id) ``` All three operations — read, update, and delete — route through `_read_flow`, so the single change covers the full attack surface. A cross-user isolation test (`test_read_flows_user_isolation`) was added to prevent regression. --- ## Acknowledgements Langflow thanks the security researcher who responsibly disclosed this vulnerability: - **[@chximn-dt](https://github.com/chximn-dt)** | CVE-2026-34046 GHSA-8c4j-f57c-35cf |
| VCID-fc5h-qc2t-xqc3 | Langflow Vulnerable to Privilege Escalation via CLI Superuser Creation (Post-RCE) A privilege escalation vulnerability exists in Langflow containers where an authenticated user with RCE access can invoke the internal CLI command **langflow superuser** to create a new administrative user. This results in full superuser access, even if the user initially registered through the UI as a regular (non-admin) account. | CVE-2025-57760 GHSA-4gv9-mp8m-592r |
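
Review bot: In the `_read_flow` hunk quoted under VCID-1dek-kvzf-27d1, dropping the `(Flow.user_id == None)` clause means flows with a NULL `user_id` no longer match for any caller, including under `AUTO_LOGIN`, and the advisory text says that clause existed to serve public/example flows. If those flows must stay readable, handle them in a separate read-only path rather than in the shared helper that also backs PATCH and DELETE, and state the intended behaviour in the change description. The added `test_read_flows_user_isolation` is named for the read path only; since update and delete also route through `_read_flow`, add cross-user assertions for PATCH and DELETE so a later refactor that bypasses the helper is caught.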