Langflow: Four CVEs Disclosed Together — Two Critical, Including File-Read and IDOR Bugs
Langflow AI disclosed four vulnerabilities on June 19, 2026, including two critical bugs — arbitrary file read via BaseFileComponent nodes and an IDOR in the responses API — plus an unauthenticated DoS and a session-clearing flaw.

Key findings
- Two critical CVEs: arbitrary file read via BaseFileComponent nodes and IDOR in /api/v1/responses
- Unauthenticated DoS via oversized multipart boundary on /api/v1/files/upload/
- Logout button fails to clear access and refresh tokens from browser storage
- All four CVEs disclosed within a two-minute window on June 19, 2026
- No patch available yet; mitigations include network-level access restrictions
Four security vulnerabilities were disclosed together on June 19, 2026, in Langflow, the open-source low-code AI workflow builder from Langflow AI. The batch includes two critical-severity bugs — one enabling arbitrary file read via BaseFileComponent-based nodes and another exposing an Insecure Direct Object Reference (IDOR) in the responses API — plus a high-severity unauthenticated denial-of-service vector and a session-clearing flaw in the logout mechanism. The disclosures, published within a two-minute window, affect Langflow versions prior to the yet-to-be-announced patch release.
**Critical file-read and RCE chain in BaseFileComponent nodes** (CVE-2026-55447) targets six components that inherit from BaseFileComponent: Docling (DoclingInlineComponent), Docling Serve (DoclingRemoteComponent), Read File (FileComponent), NVIDIA Retriever Extraction (NvidiaIngestComponent), Video File (VideoFileComponent), and an unnamed sixth component. An attacker who can supply a crafted file path to any of these nodes can read arbitrary files from the server filesystem and, depending on the component's processing pipeline, escalate the primitive into remote code execution. Because Langflow workflows are built by chaining such components, a malicious flow designer — or an attacker who tricks a user into importing a malicious flow — can leverage this to exfiltrate credentials, configuration files, or model weights.
**IDOR in the /api/v1/responses endpoint** (CVE-2026-55255) allows an authenticated attacker to execute any flow belonging to another user simply by substituting the victim's flow ID in the request. The flaw lives in the get_flow_by_id_or_endpoint_name helper function, which fails to verify that the requesting user owns the target flow. Because Langflow is often deployed in multi-tenant environments — teams sharing a single instance — this bug could let one team member run another's flows without authorization, potentially triggering expensive AI model inference or accessing data pipelines the attacker should not touch.
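To make the ownership gap concrete, the following is an added Python sketch (not Langflow's code) of a flow lookup modelled on the helper the advisory names: it resolves a flow by UUID or by endpoint name, and the hardened variant refuses to return a flow the requesting user does not own. The in-memory FlowStore records, the user IDs and the UUIDs are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional
import uuid

# Constructed in-memory stand-in for a flows table; not Langflow's own schema.
@dataclass(frozen=True)
class Flow:
    id: str
    endpoint_name: Optional[str]
    user_id: str

FLOWS = [
    Flow(id="11111111-1111-4111-8111-111111111111", endpoint_name="alice-summarizer", user_id="alice"),
    Flow(id="22222222-2222-4222-8222-222222222222", endpoint_name=None, user_id="bob"),
]


class FlowNotFound(Exception):
    """Raised when the flow does not exist or is not visible to the caller."""


def _lookup(id_or_name: str) -> Optional[Flow]:
    """Resolve by UUID if the value parses as one, otherwise by endpoint name."""
    try:
        uuid.UUID(id_or_name)
        return next((f for f in FLOWS if f.id == id_or_name), None)
    except ValueError:
        return next((f for f in FLOWS if f.endpoint_name == id_or_name), None)


def get_flow_unchecked(id_or_name: str, requesting_user: str) -> Flow:
    """Vulnerable pattern: the caller's identity is accepted but never compared
    with the flow's owner, so any authenticated user can obtain (and run) any
    flow whose ID they can supply."""
    flow = _lookup(id_or_name)
    if flow is None:
        raise FlowNotFound(id_or_name)
    return flow


def get_flow_for_user(id_or_name: str, requesting_user: str) -> Flow:
    """Hardened pattern: ownership is checked before the flow is returned.
    A flow owned by someone else is reported exactly like a missing one, so
    the response does not reveal which IDs exist."""
    flow = _lookup(id_or_name)
    if flow is None or flow.user_id != requesting_user:
        raise FlowNotFound(id_or_name)
    return flow
```

In a real deployment the ownership condition belongs in the database query itself (filter on both flow ID and owner), so that no code path can fetch the row and forget the check.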
**Unauthenticated denial of service via multipart boundary** (CVE-2026-55446) requires no credentials. An attacker sends a POST request to /api/v1/files/upload/ with an excessively long multipart form boundary string. The server spends unbounded resources parsing the boundary, making the Langflow application unusable for all users for an indefinite period. Since the endpoint is unauthenticated, any host on the network — or the public internet, if the instance is exposed — can trigger the DoS with a single HTTP request.
**Logout does not clear session tokens** (CVE-2026-55423). When a user clicks the logout button, the access_token_lf and refresh_token_lf tokens remain in both Local Storage and Cookies. On a shared machine (e.g., a kiosk or lab workstation), the next user who opens the browser is automatically logged in as the previous user. The bug is present in non-auto-login mode and was reproduced on localhost. While the severity is lower than the other three, it undermines a basic security guarantee of any web application.
Langflow AI has not yet released a patched version as of the disclosure date. Users are advised to restrict network access to the Langflow API endpoints — especially /api/v1/files/upload/ and /api/v1/responses — via firewall rules or reverse-proxy authentication, and to audit any flows that use BaseFileComponent-derived nodes. The session-clearing issue can be mitigated by manually clearing browser storage after each session until a fix ships.
This batch illustrates the risk surface of low-code AI platforms: file-handling components that double as file-read primitives, multi-tenant API endpoints that assume trust, and unauthenticated upload handlers that can be weaponized for DoS. Organizations running Langflow in production should treat these disclosures as a signal to review access controls and component trust boundaries ahead of the upcoming patch.