Langflow vulnerable to Server-Side Request Forgery
Description
Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to version 1.7.0, Langflow provides an API Request component that can issue arbitrary HTTP requests within a flow. This component takes a user-supplied URL, performs only normalization and basic format checks, and then sends the request using a server-side httpx client. It does not block private IP ranges (127[.]0[.]0[.]1, the 10/172/192 ranges) or cloud metadata endpoints (169[.]254[.]169[.]254), and it returns the response body as the result. Because the flow execution endpoints (/api/v1/run, /api/v1/run/advanced) can be invoked with just an API key, if an attacker can control the API Request URL in a flow, non-blind SSRF is possible—accessing internal resources from the server’s network context. This enables requests to, and collection of responses from, internal administrative endpoints, metadata services, and internal databases/services, leading to information disclosure and providing a foothold for further attacks. Version 1.7.0 contains a patch for this issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Langflow prior to 1.7.0 contains a non-blind SSRF vulnerability in its API Request component, allowing attackers with API key access to probe internal services and disclose sensitive information.
Vulnerability
Description
Langflow's API Request component issues arbitrary HTTP requests using a server-side httpx client. It performs only basic URL normalization and format checks without filtering private IP ranges (127.0.0.1, 10.x.x.x, 172.16-31.x.x, 192.168.x.x) or cloud metadata endpoints (169.254.169.254). This allows user-controlled URLs to reach internal network resources from the server's context [1][2].
Exploitation
Prerequisites
An attacker needs valid API key access to invoke the flow execution endpoints (/api/v1/run, /api/v1/run/advanced) and must be able to control the URL parameter of the API Request component within a flow. No additional authentication is required beyond the API key for the endpoint [1][2].
Impact
A successful non-blind SSRF attack enables an attacker to make HTTP requests to internal administrative interfaces, cloud metadata services, databases, and other services reachable from the Langflow server. The response body is returned, allowing information disclosure and providing a foothold for further lateral movement [1][2].
Mitigation
Version 1.7.0 of Langflow includes a patch that addresses this vulnerability. Users should upgrade to the latest version to block requests to private IP ranges and metadata endpoints [1][2].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
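The description above explains the root cause: the component normalizes and format-checks the URL but never asks where the request will actually go, so loopback, RFC 1918 and link-local destinations such as the 169.254.169.254 metadata endpoint pass. The following is an added example and not Langflow's code or its 1.7.0 patch; it shows a normalization-only check beside a destination policy that resolves the host and rejects every non-public address. The hostnames, the `FAKE_DNS` table and its addresses are constructed so the example runs offline; `BLOCKED_HOSTS`, `check_outbound_url`, `normalize_only` and `outcome` are names chosen for this example.

```python
"""Destination policy for a server-side HTTP request component (added example)."""
import ipaddress
import socket
from typing import Callable, Iterable
from urllib.parse import urlsplit

# Hostnames that are never a legitimate egress target for a flow
# (constructed list for this example).
BLOCKED_HOSTS = {"localhost", "metadata.google.internal"}

Resolver = Callable[[str], Iterable[str]]


def system_resolver(host: str) -> list[str]:
    """Resolve `host` to all of its A/AAAA addresses via the OS resolver."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def is_public_address(addr: str) -> bool:
    """True only for globally routable unicast addresses.

    `ipaddress` treats loopback (127/8, ::1), private (10/8, 172.16/12,
    192.168/16, fc00::/7), link-local (169.254/16, which contains the
    169.254.169.254 metadata endpoint, and fe80::/10) and reserved ranges as
    non-global, so one check covers every range the advisory lists.
    """
    ip = ipaddress.ip_address(addr)
    # An IPv4-mapped IPv6 literal (::ffff:10.0.0.1) is judged by its IPv4 payload.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip.is_global and not ip.is_multicast


def normalize_only(url: str) -> str:
    """The weak check the advisory describes: normalize and validate the
    format, but never look at the destination. It happily returns a
    metadata-service URL."""
    parts = urlsplit(url.strip())
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise ValueError("malformed URL")
    return parts.geturl()


def check_outbound_url(url: str, resolver: Resolver = system_resolver) -> list[str]:
    """Validate a flow-supplied URL and return the IP(s) it may reach.

    Raises ValueError for: schemes other than http/https, blocked hostnames,
    embedded credentials, literal non-public addresses, and hostnames that
    resolve (fully or partly) to non-public addresses.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    host = parts.hostname
    if not host:
        raise ValueError("URL has no host")
    if host.lower().rstrip(".") in BLOCKED_HOSTS:
        raise ValueError(f"host is blocked: {host}")
    if parts.username or parts.password:
        raise ValueError("credentials in URL are not allowed")
    # IP literals never touch DNS; names are resolved so the decision is made
    # on the addresses a client would actually connect to.
    try:
        addrs = [str(ipaddress.ip_address(host))]
    except ValueError:
        try:
            addrs = list(resolver(host))
        except socket.gaierror as exc:
            raise ValueError(f"cannot resolve {host}: {exc}") from None
    if not addrs:
        raise ValueError(f"{host} resolved to no addresses")
    # Every address must be public: a name with one public and one internal
    # record is still an SSRF vector.
    bad = [a for a in addrs if not is_public_address(a)]
    if bad:
        raise ValueError(f"{host} resolves to non-public address(es): {bad}")
    return addrs


# Constructed DNS table so the example is deterministic and runs offline.
FAKE_DNS = {
    "example.com": ["93.184.216.34"],
    "intranet.corp": ["10.1.2.3"],
    "mixed.example": ["93.184.216.34", "192.168.0.10"],
}


def fake_resolver(host: str) -> list[str]:
    """Stand-in for system_resolver backed by FAKE_DNS."""
    if host not in FAKE_DNS:
        raise socket.gaierror(-2, "Name or service not known")
    return FAKE_DNS[host]


def outcome(url: str, resolver: Resolver = fake_resolver) -> str:
    """Summarize the hardened check's decision for one URL."""
    try:
        return "allowed -> " + ", ".join(check_outbound_url(url, resolver))
    except ValueError as exc:
        return f"blocked: {exc}"


if __name__ == "__main__":
    for u in ("https://example.com/api", "http://127.0.0.1:8080/admin",
              "http://169.254.169.254/", "http://[::ffff:10.0.0.1]/",
              "http://intranet.corp/", "http://mixed.example/", "file:///etc/hosts"):
        print(f"{u:40} normalize_only={'pass' if u.startswith('http') else 'fail':4} {outcome(u)}")
```

Two caveats apply to any resolve-then-connect design like this one. First, the address is checked before the client opens its own connection, so a name whose answer changes between the two lookups (DNS rebinding) can slip through; the robust form pins the validated addresses into the connection the client makes, or re-runs the check at connect time. Second, a permitted public host can redirect to an internal address, so each redirect hop has to pass the same check before it is followed.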
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| langflow (PyPI) | < 1.7.1 | 1.7.1 |
Affected products
- (no CPE) range: 1.1.2, 1.1.3, 1.1.4, …
- (no CPE) range: <1.7.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-5993-7p27-66g5 (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2025-68477 (ghsa, ADVISORY)
- github.com/langflow-ai/langflow/security/advisories/GHSA-5993-7p27-66g5 (ghsa, x_refsource_CONFIRM, WEB)
News mentions
No linked articles in our index yet.