Package details: pkg:pypi/langflow@1.7.3
purl pkg:pypi/langflow@1.7.3
Next non-vulnerable version 1.9.0
Latest non-vulnerable version 1.9.0
Risk 4.5
Vulnerabilities affecting this package (5)
Vulnerability Summary Fixed by
VCID-22hm-534x-fyed
Aliases:
CVE-2026-33873
GHSA-v8hw-mh8c-jxfc
PYSEC-2026-82
Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to version 1.9.0, the Agentic Assistant feature in Langflow executes LLM-generated Python code during its validation phase. Although this phase appears intended to validate generated component code, the implementation reaches dynamic execution sinks and instantiates the generated class server-side. In deployments where an attacker can access the Agentic Assistant feature and influence the model output, this can result in arbitrary server-side Python execution. Version 1.9.0 fixes the issue.
1.9.0
Affected by 0 other vulnerabilities.
VCID-53es-gfv9-qugp
Aliases:
CVE-2026-0770
GHSA-g22f-v6f7-2hrh
Langflow Remote Code Execution via validate_code() exec() with the exec_globals parameter (Inclusion of Functionality from Untrusted Control Sphere). This vulnerability allows remote attackers to execute arbitrary code on affected installations of Langflow. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of the exec_globals parameter provided to the validate endpoint. The issue results from the inclusion of a resource from an untrusted control sphere. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-27325. There are no reported fixed-by versions.
VCID-dsgg-w6zh-5fek
Aliases:
CVE-2026-33053
GHSA-rf6x-r45m-xv3w
PYSEC-2026-78
Langflow is a tool for building and deploying AI-powered agents and workflows. In versions prior to 1.9.0, the delete_api_key_route() endpoint accepts an api_key_id path parameter and deletes it with only a generic authentication check (get_current_active_user dependency). However, the delete_api_key() CRUD function does NOT verify that the API key belongs to the current user before deletion.
1.9.0
Affected by 0 other vulnerabilities.
VCID-rnzn-x922-vkav
Aliases:
CVE-2026-33309
GHSA-g2j9-7rj2-gm6c
PYSEC-2026-79
Langflow is a tool for building and deploying AI-powered agents and workflows. Versions 1.2.0 through 1.8.1 have a bypass of the patch for CVE-2025-68478 (External Control of File Name), leading to the root architectural issue within `LocalStorageService` remaining unresolved. Because the underlying storage layer lacks boundary containment checks, the system relies entirely on the HTTP-layer `ValidatedFileName` dependency. This defense-in-depth failure leaves the `POST /api/v2/files/` endpoint vulnerable to Arbitrary File Write. The multipart upload filename bypasses the path-parameter guard, allowing authenticated attackers to write files anywhere on the host system, leading to Remote Code Execution (RCE). Version 1.9.0 contains an updated fix.
1.9.0
Affected by 0 other vulnerabilities.
VCID-z1h6-t53p-77aj
Aliases:
CVE-2026-33484
GHSA-7grx-3xcx-2xv5
PYSEC-2026-80
Langflow is a tool for building and deploying AI-powered agents and workflows. In versions 1.0.0 through 1.8.1, the `/api/v1/files/images/{flow_id}/{file_name}` endpoint serves image files without any authentication or ownership check. Any unauthenticated request with a known flow_id and file_name returns the image with HTTP 200. In a multi-tenant deployment, any attacker who can discover or guess a `flow_id` (UUIDs can be leaked through other API responses) can download any user's uploaded images without credentials. Version 1.9.0 contains a patch.
1.9.0
Affected by 0 other vulnerabilities.
Vulnerabilities fixed by this package (0)
Vulnerability Summary Aliases
This package is not known to fix vulnerabilities.

Date Actor Action Vulnerability Source VulnerableCode Version
2026-05-31T09:47:40.265400+00:00 PyPI Importer Affected by VCID-22hm-534x-fyed https://osv-vulnerabilities.storage.googleapis.com/PyPI/all.zip 38.6.0
2026-05-31T09:47:38.072209+00:00 PyPI Importer Affected by VCID-z1h6-t53p-77aj https://osv-vulnerabilities.storage.googleapis.com/PyPI/all.zip 38.6.0
2026-05-31T09:47:37.919310+00:00 PyPI Importer Affected by VCID-rnzn-x922-vkav https://osv-vulnerabilities.storage.googleapis.com/PyPI/all.zip 38.6.0
2026-05-31T09:47:37.768601+00:00 PyPI Importer Affected by VCID-dsgg-w6zh-5fek https://osv-vulnerabilities.storage.googleapis.com/PyPI/all.zip 38.6.0
2026-05-31T01:06:56.925642+00:00 GHSA Importer Affected by VCID-53es-gfv9-qugp https://github.com/advisories/GHSA-g22f-v6f7-2hrh 38.6.0
2026-05-30T21:06:06.930352+00:00 GitLab Importer Affected by VCID-53es-gfv9-qugp https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/langflow/CVE-2026-0770.yml 38.6.0
2026-05-30T20:37:48.246445+00:00 Pypa Importer Affected by VCID-22hm-534x-fyed https://github.com/pypa/advisory-database/blob/main/vulns/langflow/PYSEC-2026-82.yaml 38.6.0
2026-05-30T20:37:43.631214+00:00 Pypa Importer Affected by VCID-z1h6-t53p-77aj https://github.com/pypa/advisory-database/blob/main/vulns/langflow/PYSEC-2026-80.yaml 38.6.0
2026-05-30T20:37:43.324376+00:00 Pypa Importer Affected by VCID-rnzn-x922-vkav https://github.com/pypa/advisory-database/blob/main/vulns/langflow/PYSEC-2026-79.yaml 38.6.0
2026-05-30T20:37:43.007006+00:00 Pypa Importer Affected by VCID-dsgg-w6zh-5fek https://github.com/pypa/advisory-database/blob/main/vulns/langflow/PYSEC-2026-78.yaml 38.6.0