High severity · NVD Advisory · Published Mar 20, 2026 · Updated Mar 20, 2026
Langflow has Missing Ownership Verification in API Key Deletion (IDOR)
CVE-2026-33053
Description
Langflow is a tool for building and deploying AI-powered agents and workflows. In versions prior to 1.9.0, the delete_api_key_route() endpoint accepts an api_key_id path parameter and deletes the referenced key after only a generic authentication check (the get_current_active_user dependency). The underlying delete_api_key() CRUD function does not verify that the API key belongs to the current user before deleting it, so any authenticated user who knows or guesses another user's api_key_id can delete that key (an insecure direct object reference). The issue is fixed in version 1.9.0.
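The pattern described above, as an added example that is not Langflow's code: a stdlib sqlite3 table stands in for the API-key store, and the table name, column names, function names and sample users are hypothetical. The vulnerable function deletes by id alone, exactly the shape the advisory describes; the hardened function scopes the DELETE to the caller's user_id and reports whether a row was actually removed, so a foreign id and a nonexistent id are indistinguishable to the caller.

```python
"""Ownership check on API key deletion: vulnerable vs. hardened CRUD layer.

Added example, not Langflow's code. Table, column and function names are
hypothetical; the rows inserted by make_db() are constructed sample data.
"""
import sqlite3
from typing import Optional, Tuple


def make_db() -> sqlite3.Connection:
    """Constructed sample data: two users, one API key each."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE api_key (id TEXT PRIMARY KEY, user_id TEXT NOT NULL, name TEXT)"
    )
    conn.executemany(
        "INSERT INTO api_key (id, user_id, name) VALUES (?, ?, ?)",
        [
            ("key-alice-1", "alice", "alice ci token"),
            ("key-bob-1", "bob", "bob laptop"),
        ],
    )
    conn.commit()
    return conn


def delete_api_key_vulnerable(conn: sqlite3.Connection, api_key_id: str) -> bool:
    """IDOR shape: the route has authenticated *some* user, but the CRUD layer
    deletes by id alone, so the caller's identity never constrains the query."""
    cur = conn.execute("DELETE FROM api_key WHERE id = ?", (api_key_id,))
    conn.commit()
    return cur.rowcount == 1


def delete_api_key_owned(
    conn: sqlite3.Connection, api_key_id: str, current_user_id: str
) -> bool:
    """Hardened: the ownership predicate is part of the DELETE itself, not a
    separate read-then-delete. A mismatched owner and a nonexistent id both
    return False, which the route should map to a 404 so it does not confirm
    which ids exist."""
    cur = conn.execute(
        "DELETE FROM api_key WHERE id = ? AND user_id = ?",
        (api_key_id, current_user_id),
    )
    conn.commit()
    return cur.rowcount == 1


def owner_of(conn: sqlite3.Connection, api_key_id: str) -> Optional[str]:
    """Return the owning user_id of a key, or None if the key no longer exists."""
    row = conn.execute(
        "SELECT user_id FROM api_key WHERE id = ?", (api_key_id,)
    ).fetchone()
    return row[0] if row else None


def demo_vulnerable() -> Optional[str]:
    """Bob, authenticated, submits Alice's key id to the vulnerable function.
    Returns the owner of Alice's key afterwards; None means it was deleted."""
    conn = make_db()
    delete_api_key_vulnerable(conn, "key-alice-1")  # caller identity never consulted
    return owner_of(conn, "key-alice-1")


def demo_hardened() -> Tuple[bool, bool, Optional[str], Optional[str]]:
    """Bob repeats the attempt against the hardened function, then deletes his
    own key. Returns (cross-tenant deleted?, own deleted?, alice owner, bob owner)."""
    conn = make_db()
    cross_tenant = delete_api_key_owned(conn, "key-alice-1", "bob")
    own = delete_api_key_owned(conn, "key-bob-1", "bob")
    return cross_tenant, own, owner_of(conn, "key-alice-1"), owner_of(conn, "key-bob-1")


if __name__ == "__main__":
    print("vulnerable: owner of alice's key after bob's request ->", demo_vulnerable())
    print("hardened: (cross-tenant, own, alice owner, bob owner) ->", demo_hardened())
```

Putting the user_id predicate into the query, rather than checking ownership in the route and then calling an unscoped delete, means every caller of the CRUD function gets the check, including any future route or background task that reuses it. Returning a boolean also lets the route distinguish "deleted" from "not yours or not there" without a second query.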
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| langflow (PyPI) | < 1.9.0 | 1.9.0 |
Affected products
- Range: < 1.9.0
References
- github.com/advisories/GHSA-rf6x-r45m-xv3w
- github.com/langflow-ai/langflow/commit/fdc1b3b1448ff3317d73d3e769a6c4a1717f74d7
- github.com/langflow-ai/langflow/releases/tag/1.7.2
- github.com/langflow-ai/langflow/security/advisories/GHSA-rf6x-r45m-xv3w
- github.com/pypa/advisory-database/tree/main/vulns/langflow/PYSEC-2026-78.yaml