VYPR
High severityOSV Advisory· Published Jan 2, 2026· Updated Feb 26, 2026

Langflow Missing Authentication on Critical API Endpoints

CVE-2026-21445

Description

Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to version 1.7.0.dev45, multiple critical API endpoints in Langflow are missing authentication controls. The issue allows any unauthenticated user to access sensitive user conversation data, transaction histories, and perform destructive operations including message deletion. This affects endpoints handling personal data and system operations that should require proper authorization. Version 1.7.0.dev45 contains a patch.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
langflow-basePyPI
< 0.7.10.7.1
langflowPyPI
< 1.7.11.7.1

Affected products

3

Patches

Vulnerability mechanics

References

5

News mentions

2