Search for packages
| purl | pkg:pypi/langflow@1.0.0a37 |
| Next non-vulnerable version | None. |
| Latest non-vulnerable version | None. |
| Risk | 10.0 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-16te-bm24-e3hu
Aliases: CVE-2024-37014 GHSA-qg33-x2c5-6p44 PYSEC-2024-177 |
Langflow through 0.6.19 allows remote code execution if untrusted users are able to reach the "POST /api/v1/custom_component" endpoint and provide a Python script. |
Affected by 20 other vulnerabilities. |
|
VCID-1s44-7dfe-c7bq
Aliases: CVE-2024-9277 GHSA-355v-2rjx-fpx7 |
There are no reported fixed by versions. | |
|
VCID-22hm-534x-fyed
Aliases: CVE-2026-33873 GHSA-v8hw-mh8c-jxfc PYSEC-2026-82 |
Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to version 1.9.0, the Agentic Assistant feature in Langflow executes LLM-generated Python code during its validation phase. Although this phase appears intended to validate generated component code, the implementation reaches dynamic execution sinks and instantiates the generated class server-side. In deployments where an attacker can access the Agentic Assistant feature and influence the model output, this can result in arbitrary server-side Python execution. Version 1.9.0 fixes the issue. |
Affected by 1 other vulnerability. |
|
VCID-3kr1-vtdc-43hb
Aliases: CVE-2026-6598 GHSA-9jpj-cph8-w449 |
Affected by 0 other vulnerabilities. |
|
|
VCID-53es-gfv9-qugp
Aliases: CVE-2026-0770 GHSA-g22f-v6f7-2hrh |
Langflow affected by Remote Code Execution via validate_code() exec() Langflow exec_globals Inclusion of Functionality from Untrusted Control Sphere Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Langflow. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of the exec_globals parameter provided to the validate endpoint. The issue results from the inclusion of a resource from an untrusted control sphere. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-27325. | There are no reported fixed by versions. |
|
VCID-5q3j-kw8n-3ufk
Aliases: CVE-2025-57760 GHSA-4gv9-mp8m-592r |
Affected by 15 other vulnerabilities. |
|
|
VCID-9ant-8hr4-a7ak
Aliases: CVE-2026-27966 GHSA-3645-fxcv-hqr4 |
Langflow has Remote Code Execution in CSV Agent The CSV Agent node in Langflow hardcodes `allow_dangerous_code=True`, which automatically exposes LangChain’s Python REPL tool (`python_repl_ast`). As a result, an attacker can execute arbitrary Python and OS commands on the server via prompt injection, leading to full Remote Code Execution (RCE). | There are no reported fixed by versions. |
|
VCID-9vte-9ecr-quhw
Aliases: CVE-2026-33497 GHSA-ph9w-r52h-28p7 PYSEC-2026-81 |
Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to version 1.7.1, in the download_profile_picture function of the /profile_pictures/{folder_name}/{file_name} endpoint, the folder_name and file_name parameters are not strictly filtered, which allows the secret_key to be read across directories. Version 1.7.1 contains a patch. |
Affected by 10 other vulnerabilities. |
|
VCID-cf4w-2j9d-kqee
Aliases: CVE-2026-33017 GHSA-vwmf-pq79-vjvx |
There are no reported fixed by versions. | |
|
VCID-dsgg-w6zh-5fek
Aliases: CVE-2026-33053 GHSA-rf6x-r45m-xv3w PYSEC-2026-78 |
Langflow is a tool for building and deploying AI-powered agents and workflows. In versions prior to 1.9.0, the delete_api_key_route() endpoint accepts an api_key_id path parameter and deletes it with only a generic authentication check (get_current_active_user dependency). However, the delete_api_key() CRUD function does NOT verify that the API key belongs to the current user before deletion. |
Affected by 10 other vulnerabilities. Affected by 1 other vulnerability. |
|
VCID-e43u-exka-akh6
Aliases: CVE-2026-6597 GHSA-5jjf-wcvf-923w |
Affected by 6 other vulnerabilities. |
|
|
VCID-f48g-ys3e-kfbe
Aliases: CVE-2026-6599 GHSA-v66p-f7x3-4794 |
Affected by 6 other vulnerabilities. |
|
|
VCID-h5t6-zh8q-nkhh
Aliases: CVE-2025-3248 GHSA-rvqx-wpfh-mfx7 PYSEC-2025-36 |
Langflow versions prior to 1.3.0 are susceptible to code injection in the /api/v1/validate/code endpoint. A remote and unauthenticated attacker can send crafted HTTP requests to execute arbitrary code. |
Affected by 17 other vulnerabilities. |
|
VCID-hu3f-1d7m-qfaq
Aliases: CVE-2026-21445 GHSA-c5cp-vx83-jhqx |
Langflow Missing Authentication on Critical API Endpoints Multiple critical API endpoints in Langflow are missing authentication controls, allowing any unauthenticated user to access sensitive user conversation data, transaction histories, and perform destructive operations including message deletion. This affects endpoints handling personal data and system operations that should require proper authorization. |
Affected by 10 other vulnerabilities. |
|
VCID-p558-xn8f-mff1
Aliases: CVE-2026-34046 GHSA-8c4j-f57c-35cf |
Affected by 15 other vulnerabilities. |
|
|
VCID-quy8-3rhy-wufd
Aliases: CVE-2025-68478 GHSA-f43r-cc68-gpx4 PYSEC-2025-125 |
Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to version 1.7.0, if an arbitrary path is specified in the request body's `fs_path`, the server serializes the Flow object into JSON and creates/overwrites a file at that path. There is no path restriction, normalization, or allowed directory enforcement, so absolute paths (e.g., /etc/poc.txt) are interpreted as is. Version 1.7.0 fixes the issue. |
Affected by 14 other vulnerabilities. Affected by 10 other vulnerabilities. |
|
VCID-txxh-vg3y-qqe4
Aliases: CVE-2025-68477 GHSA-5993-7p27-66g5 |
Langflow vulnerable to Server-Side Request Forgery **Vulnerability Overview** Langflow provides an API Request component that can issue arbitrary HTTP requests within a flow. This component takes a user-supplied URL, performs only normalization and basic format checks, and then sends the request using a server-side httpx client. It does not block private IP ranges (127.0.0.1, the 10/172/192 ranges) or cloud metadata endpoints (169.254.169.254), and it returns the response body as the result. Because the flow execution endpoints (/api/v1/run, /api/v1/run/advanced) can be invoked with just an API key, if an attacker can control the API Request URL in a flow, non-blind SSRF is possible—accessing internal resources from the server’s network context. This enables requests to, and collection of responses from, internal administrative endpoints, metadata services, and internal databases/services, leading to information disclosure and providing a foothold for further attacks. **Vulnerable Code** 1. When a flow runs, the API Request URL is set via user input or tweaks, or it falls back to the value stored in the node UI. |
Affected by 10 other vulnerabilities. |
|
VCID-uewy-ce1y-z3hg
Aliases: CVE-2024-48061 GHSA-5p5r-57fx-pmfr |
Affected by 18 other vulnerabilities. |
|
|
VCID-uqbp-kmed-fyc8
Aliases: CVE-2025-34291 GHSA-577h-p2hh-v4mv PYSEC-2025-78 |
Langflow versions up to and including 1.6.9 contain a chained vulnerability that enables account takeover and remote code execution. An overly permissive CORS configuration (allow_origins='*' with allow_credentials=True) combined with a refresh token cookie configured as SameSite=None allows a malicious webpage to perform cross-origin requests that include credentials and successfully call the refresh endpoint. An attacker-controlled origin can therefore obtain fresh access_token / refresh_token pairs for a victim session. Obtained tokens permit access to authenticated endpoints — including built-in code-execution functionality — allowing the attacker to execute arbitrary code and achieve full system compromise. |
Affected by 14 other vulnerabilities. |
|
VCID-x52s-wp7s-r7cg
Aliases: GHSA-c995-4fw3-j39m |
Duplicate Advisory: Langflow Vulnerable to Code Injection via the `/api/v1/validate/code` endpoint ### Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-rvqx-wpfh-mfx7. This link is maintained to preserve external references. ### Original Description Langflow versions prior to 1.3.0 are susceptible to code injection in the `/api/v1/validate/code` endpoint. A remote and unauthenticated attacker can send crafted HTTP requests to execute arbitrary code. |
Affected by 17 other vulnerabilities. |
|
VCID-zgyu-re1q-wbcv
Aliases: CVE-2024-42835 GHSA-56m6-4mhw-h3g5 PYSEC-2024-279 |
langflow v1.0.12 was discovered to contain a remote code execution (RCE) vulnerability via the PythonCodeTool component. |
Affected by 20 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||