Django REST framework

Lookup for vulnerable packages by Package URL.

Purl pkg:pypi/langflow-base@0.0.29

Type pypi

Namespace

Name langflow-base

Version 0.0.29

Qualifiers

Subpath

Is_vulnerable true

Next_non_vulnerable_version null

Latest_non_vulnerable_version null

Affected_by_vulnerabilities

url VCID-6y1z-b2ye-jkd6

vulnerability_id VCID-6y1z-b2ye-jkd6

summary Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to version 1.7.0.dev45, multiple critical API endpoints in Langflow are missing authentication controls. The issue allows any unauthenticated user to access sensitive user conversation data, transaction histories, and perform destructive operations including message deletion. This affects endpoints handling personal data and system operations that should require proper authorization. Version 1.7.0.dev45 contains a patch.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2026-21445

reference_id

reference_type

scores

value	0.07998
scoring_system	epss
scoring_elements	0.92313
published_at	2026-06-14T12:55:00Z

value	0.07998
scoring_system	epss
scoring_elements	0.92308
published_at	2026-06-12T12:55:00Z

value	0.09015
scoring_system	epss
scoring_elements	0.92814
published_at	2026-06-11T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2026-21445

reference_url

https://github.com/langflow-ai/langflow/releases/tag/1.7.1

reference_id

reference_type

scores

value	8.8
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:P

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/langflow-ai/langflow/releases/tag/1.7.1

reference_url

https://github.com/langflow-ai/langflow/commit/3fed9fe1b5658f2c8656dbd73508e113a96e486a

reference_id

3fed9fe1b5658f2c8656dbd73508e113a96e486a

reference_type

scores

value	8.8
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:P

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-01-06T04:55:18Z/

url

https://github.com/langflow-ai/langflow/commit/3fed9fe1b5658f2c8656dbd73508e113a96e486a

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2026-21445

reference_id

CVE-2026-21445

reference_type

scores

value	8.8
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:P

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2026-21445

reference_url

https://github.com/advisories/GHSA-c5cp-vx83-jhqx

reference_id

GHSA-c5cp-vx83-jhqx

reference_type

scores

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-c5cp-vx83-jhqx

reference_url

https://github.com/langflow-ai/langflow/security/advisories/GHSA-c5cp-vx83-jhqx

reference_id

GHSA-c5cp-vx83-jhqx

reference_type

scores

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

value	8.8
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:P

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-01-06T04:55:18Z/

url

https://github.com/langflow-ai/langflow/security/advisories/GHSA-c5cp-vx83-jhqx

fixed_packages

url pkg:pypi/langflow-base@0.7.1

purl pkg:pypi/langflow-base@0.7.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-e9b3-3ks2-ukhy

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/langflow-base@0.7.1

aliases CVE-2026-21445, GHSA-c5cp-vx83-jhqx

risk_score 4.0

exploitability 0.5

weighted_severity 8.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-6y1z-b2ye-jkd6

url VCID-e9b3-3ks2-ukhy

vulnerability_id VCID-e9b3-3ks2-ukhy

summary A security flaw has been discovered in langflow-ai langflow up to 1.1.0. This issue affects the function create_upload_file of the file src/backend/base/Langflow/api/v1/endpoints.py of the component API Endpoint. The manipulation results in unrestricted upload. It is possible to launch the attack remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2026-6596

reference_id

reference_type

scores

value	0.00054
scoring_system	epss
scoring_elements	0.17336
published_at	2026-06-11T12:55:00Z

value	0.00054
scoring_system	epss
scoring_elements	0.17488
published_at	2026-06-14T12:55:00Z

value	0.00054
scoring_system	epss
scoring_elements	0.17516
published_at	2026-06-13T12:55:00Z

value	0.00054
scoring_system	epss
scoring_elements	0.175
published_at	2026-06-12T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2026-6596

reference_url

https://github.com/langflow-ai/langflow/commit/b5662446bc8c54d928e278d3d26ad95b62425815

reference_id

reference_type

scores

value	7.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

value	5.5
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/langflow-ai/langflow/commit/b5662446bc8c54d928e278d3d26ad95b62425815

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2026-6596

reference_id

reference_type

scores

value	7.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

value	5.5
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2026-6596

reference_url

https://vuldb.com/vuln/358231

reference_id

358231

reference_type

scores

value	7.5
scoring_system	cvssv2
scoring_elements	AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR

value	7.3
scoring_system	cvssv3
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R

value	7.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R

value	7.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

value	5.5
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P

value	6.9
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-20T14:54:09Z/

url

https://vuldb.com/vuln/358231

reference_url

https://vuldb.com/submit/791919

reference_id

791919

reference_type

scores

value	7.5
scoring_system	cvssv2
scoring_elements	AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR

value	7.3
scoring_system	cvssv3
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R

value	7.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

value	7.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R

value	5.5
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P

value	6.9
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-20T14:54:09Z/

url

https://vuldb.com/submit/791919

reference_url

https://gist.github.com/chenhouser2025/c2aabfdee41009cfe45d28a9924742a0

reference_id

c2aabfdee41009cfe45d28a9924742a0

reference_type

scores

value	7.5
scoring_system	cvssv2
scoring_elements	AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR

value	7.3
scoring_system	cvssv3
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R

value	7.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R

value	7.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

value	5.5
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P

value	6.9
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-20T14:54:09Z/

url

https://gist.github.com/chenhouser2025/c2aabfdee41009cfe45d28a9924742a0

reference_url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:langflow:langflow::::::::
reference_id	cpe:2.3:a:langflow:langflow::::::::
reference_type
scores
url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:langflow:langflow::::::::

reference_url

https://vuldb.com/vuln/358231/cti

reference_id

cti

reference_type

scores

value	7.5
scoring_system	cvssv2
scoring_elements	AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR

value	7.3
scoring_system	cvssv3
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R

value	7.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R

value	7.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

value	5.5
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P

value	6.9
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-20T14:54:09Z/

url

https://vuldb.com/vuln/358231/cti

reference_url

https://github.com/advisories/GHSA-vvfc-fp59-m92g

reference_id

GHSA-vvfc-fp59-m92g

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-vvfc-fp59-m92g

fixed_packages

url	pkg:pypi/langflow-base@1.9.1
purl	pkg:pypi/langflow-base@1.9.1
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:pypi/langflow-base@1.9.1

aliases CVE-2026-6596, GHSA-vvfc-fp59-m92g

risk_score 3.4

exploitability 0.5

weighted_severity 6.8

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-e9b3-3ks2-ukhy

url VCID-guzs-mx47-efcn

vulnerability_id VCID-guzs-mx47-efcn

summary

Langflow versions prior to 1.3.0 are susceptible to code injection in 
the /api/v1/validate/code endpoint. A remote and unauthenticated attacker can send crafted HTTP requests to execute arbitrary
code.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2025-3248

reference_id

reference_type

scores

value	0.92853
scoring_system	epss
scoring_elements	0.99777
published_at	2026-06-11T12:55:00Z

value	0.92985
scoring_system	epss
scoring_elements	0.99788
published_at	2026-06-12T12:55:00Z

value	0.93155
scoring_system	epss
scoring_elements	0.99805
published_at	2026-06-14T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2025-3248

reference_url

https://github.com/langflow-ai/langflow/commit/faac4db133de32fcb6d483fa9ff52f40ce42bdc0

reference_id

reference_type

scores

value	9.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://github.com/langflow-ai/langflow/commit/faac4db133de32fcb6d483fa9ff52f40ce42bdc0

reference_url

https://github.com/langflow-ai/langflow/security/advisories/GHSA-rvqx-wpfh-mfx7

reference_id

reference_type

scores

value	CRITICAL
scoring_system	cvssv3.1_qr
scoring_elements

value	9.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://github.com/langflow-ai/langflow/security/advisories/GHSA-rvqx-wpfh-mfx7

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2025-3248

reference_id

reference_type

scores

value	9.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2025-3248

reference_url

https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-3248

reference_id

reference_type

scores

value	9.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-3248

reference_url

https://www.horizon3.ai/attack-research/disclosures/unsafe-at-any-speed-abusing-python-exec-for-unauth-rce-in-langflow-ai

reference_id

reference_type

scores

value	9.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://www.horizon3.ai/attack-research/disclosures/unsafe-at-any-speed-abusing-python-exec-for-unauth-rce-in-langflow-ai

reference_url

https://github.com/langflow-ai/langflow/releases/tag/1.3.0

reference_id

1.3.0

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	9.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A

value	CRITICAL
scoring_system	generic_textual
scoring_elements

value	Act
scoring_system	ssvc
scoring_elements	SSVCv2/E:A/A:Y/T:T/P:M/B:A/M:M/D:C/2025-08-15T19:50:13Z/

url

https://github.com/langflow-ai/langflow/releases/tag/1.3.0

reference_url

https://github.com/langflow-ai/langflow/pull/6911

reference_id

6911

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	9.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A

value	CRITICAL
scoring_system	generic_textual
scoring_elements

value	Act
scoring_system	ssvc
scoring_elements	SSVCv2/E:A/A:Y/T:T/P:M/B:A/M:M/D:C/2025-08-15T19:50:13Z/

url

https://github.com/langflow-ai/langflow/pull/6911

reference_url	https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/multiple/remote/52262.txt
reference_id	CVE-2025-3248
reference_type	exploit
scores
url	https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/multiple/remote/52262.txt

reference_url	https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/multiple/webapps/52364.py
reference_id	CVE-2025-3248
reference_type	exploit
scores
url	https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/multiple/webapps/52364.py

reference_url

https://github.com/advisories/GHSA-rvqx-wpfh-mfx7

reference_id

GHSA-rvqx-wpfh-mfx7

reference_type

scores

value	CRITICAL
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-rvqx-wpfh-mfx7

reference_url

https://www.vulncheck.com/advisories/langflow-unauthenticated-rce

reference_id

langflow-unauthenticated-rce

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	9.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A

value	CRITICAL
scoring_system	generic_textual
scoring_elements

value	Act
scoring_system	ssvc
scoring_elements	SSVCv2/E:A/A:Y/T:T/P:M/B:A/M:M/D:C/2025-08-15T19:50:13Z/

url

https://www.vulncheck.com/advisories/langflow-unauthenticated-rce

reference_url

https://www.horizon3.ai/attack-research/disclosures/unsafe-at-any-speed-abusing-python-exec-for-unauth-rce-in-langflow-ai/

reference_id

unsafe-at-any-speed-abusing-python-exec-for-unauth-rce-in-langflow-ai

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	Act
scoring_system	ssvc
scoring_elements	SSVCv2/E:A/A:Y/T:T/P:M/B:A/M:M/D:C/2025-08-15T19:50:13Z/

url

https://www.horizon3.ai/attack-research/disclosures/unsafe-at-any-speed-abusing-python-exec-for-unauth-rce-in-langflow-ai/

fixed_packages

url pkg:pypi/langflow-base@0.3.0

purl pkg:pypi/langflow-base@0.3.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-6y1z-b2ye-jkd6

vulnerability	VCID-e9b3-3ks2-ukhy

vulnerability	VCID-hfhf-2k6v-sbcf

vulnerability	VCID-hrmb-buvy-kuh7

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/langflow-base@0.3.0

aliases CVE-2025-3248, GHSA-rvqx-wpfh-mfx7, PYSEC-2025-36

risk_score 10.0

exploitability 2.0

weighted_severity 9.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-guzs-mx47-efcn

url VCID-hfhf-2k6v-sbcf

vulnerability_id VCID-hfhf-2k6v-sbcf

summary Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to version 1.5.1, the `_read_flow` helper in `src/backend/base/langflow/api/v1/flows.py` branched on the `AUTO_LOGIN` setting to decide whether to filter by `user_id`. When `AUTO_LOGIN` was `False` (i.e., authentication was enabled), neither branch enforced an ownership check — the query returned any flow matching the given UUID regardless of who owned it. This allowed any authenticated user to read any other user's flow, including embedded plaintext API keys; modify the logic of another user's AI agents, and/or delete flows belonging to other users. The vulnerability was introduced by the conditional logic that was meant to accommodate public/example flows (those with `user_id = NULL`) under auto-login mode, but inadvertently left the authenticated path without an ownership filter. The fix in version 1.5.1 removes the `AUTO_LOGIN` conditional entirely and unconditionally scopes the query to the requesting user.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2026-34046

reference_id

reference_type

scores

value	0.00054
scoring_system	epss
scoring_elements	0.17441
published_at	2026-06-13T12:55:00Z

value	0.00054
scoring_system	epss
scoring_elements	0.17413
published_at	2026-06-14T12:55:00Z

value	0.00054
scoring_system	epss
scoring_elements	0.17261
published_at	2026-06-11T12:55:00Z

value	0.00054
scoring_system	epss
scoring_elements	0.17426
published_at	2026-06-12T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2026-34046

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2026-34046

reference_id

reference_type

scores

value	8.7
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2026-34046

reference_url

https://github.com/langflow-ai/langflow/pull/8956

reference_id

8956

reference_type

scores

value	8.7
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-31T13:57:05Z/

url

https://github.com/langflow-ai/langflow/pull/8956

reference_url

https://github.com/advisories/GHSA-8c4j-f57c-35cf

reference_id

GHSA-8c4j-f57c-35cf

reference_type

scores

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-8c4j-f57c-35cf

reference_url

https://github.com/langflow-ai/langflow/security/advisories/GHSA-8c4j-f57c-35cf

reference_id

GHSA-8c4j-f57c-35cf

reference_type

scores

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

value	8.7
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-31T13:57:05Z/

url

https://github.com/langflow-ai/langflow/security/advisories/GHSA-8c4j-f57c-35cf

fixed_packages

url pkg:pypi/langflow-base@0.5.1

purl pkg:pypi/langflow-base@0.5.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-6y1z-b2ye-jkd6

vulnerability	VCID-e9b3-3ks2-ukhy

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/langflow-base@0.5.1

aliases CVE-2026-34046, GHSA-8c4j-f57c-35cf

risk_score 4.0

exploitability 0.5

weighted_severity 8.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-hfhf-2k6v-sbcf

url VCID-hrmb-buvy-kuh7

vulnerability_id VCID-hrmb-buvy-kuh7

summary Langflow is a tool for building and deploying AI-powered agents and workflows. A privilege escalation vulnerability exists in Langflow containers where an authenticated user with RCE access can invoke the internal CLI command langflow superuser to create a new administrative user. This results in full superuser access, even if the user initially registered through the UI as a regular (non-admin) account. A patched version has not been made public at this time.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2025-57760

reference_id

reference_type

scores

value	0.00018
scoring_system	epss
scoring_elements	0.05208
published_at	2026-06-12T12:55:00Z

value	0.00018
scoring_system	epss
scoring_elements	0.05186
published_at	2026-06-14T12:55:00Z

value	0.00018
scoring_system	epss
scoring_elements	0.05196
published_at	2026-06-11T12:55:00Z

value	0.00018
scoring_system	epss
scoring_elements	0.052
published_at	2026-06-13T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2025-57760

reference_url

https://github.com/langflow-ai/langflow/pull/9152

reference_id

reference_type

scores

value	8.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/langflow-ai/langflow/pull/9152

reference_url

http://github.com/langflow-ai/langflow/pull/9152

reference_id

9152

reference_type

scores

value	8.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

value	Track*
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2025-08-25T20:34:06Z/

url

http://github.com/langflow-ai/langflow/pull/9152

reference_url

https://github.com/langflow-ai/langflow/commit/c188ec113c9ca46154ad01d0eded1754cc6bef97

reference_id

c188ec113c9ca46154ad01d0eded1754cc6bef97

reference_type

scores

value	8.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track*
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2025-08-25T20:34:06Z/

url

https://github.com/langflow-ai/langflow/commit/c188ec113c9ca46154ad01d0eded1754cc6bef97

reference_url	https://nvd.nist.gov/vuln/detail/CVE-2025-57760
reference_id	CVE-2025-57760
reference_type
scores
url	https://nvd.nist.gov/vuln/detail/CVE-2025-57760

reference_url

https://github.com/advisories/GHSA-4gv9-mp8m-592r

reference_id

GHSA-4gv9-mp8m-592r

reference_type

scores

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-4gv9-mp8m-592r

reference_url

https://github.com/langflow-ai/langflow/security/advisories/GHSA-4gv9-mp8m-592r

reference_id

GHSA-4gv9-mp8m-592r

reference_type

scores

value	8.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track*
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2025-08-25T20:34:06Z/

url

https://github.com/langflow-ai/langflow/security/advisories/GHSA-4gv9-mp8m-592r

fixed_packages

url pkg:pypi/langflow-base@0.5.1

purl pkg:pypi/langflow-base@0.5.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-6y1z-b2ye-jkd6

vulnerability	VCID-e9b3-3ks2-ukhy

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/langflow-base@0.5.1

aliases CVE-2025-57760, GHSA-4gv9-mp8m-592r

risk_score 4.0

exploitability 0.5

weighted_severity 8.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-hrmb-buvy-kuh7

Fixing_vulnerabilities

Risk_score 10.0

Resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/langflow-base@0.0.29

Package Instance