VYPR
← All advisories
High severity8.8GHSA Advisory· Published Jun 16, 2026· Updated Jun 16, 2026

Langflow: IDOR/BOLA in Monitor API — Missing Ownership Enforcement on 7 Endpoints

CVE-2026-33760

Description

Langflow's monitor API lacks ownership checks on 7 endpoints, allowing any authenticated user to read, modify, or delete another user's data via IDOR/BOLA.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Langflow's monitor API lacks ownership checks on 7 endpoints, allowing any authenticated user to read, modify, or delete another user's data via IDOR/BOLA.

Vulnerability

Langflow's /api/v1/monitor router (file src/backend/base/langflow/api/v1/monitor.py) exposes seven endpoints that perform read, write, and delete operations on user-owned resources—messages, sessions, build artifacts, and LLM transaction logs—without verifying that the authenticated requester owns the targeted resource. The correct ownership check (joining MessageTable with Flow and filtering by Flow.user_id == current_user.id) is implemented only in the GET /monitor/messages endpoint, demonstrating the pattern was known but inconsistently applied. All versions prior to the fix are affected [1][2].

Exploitation

An attacker needs only a valid authenticated session to Langflow. By supplying the target's resource ID (e.g., flow_id, message_id) to any of the vulnerable endpoints, the attacker can read, modify, rename, or permanently delete another user's data. No special privileges or user interaction beyond authentication is required. For example, sending a DELETE request to /api/v1/monitor/messages with a list of arbitrary message_ids will delete those messages without ownership verification [1][2].

Impact

Successful exploitation allows an authenticated attacker to access, alter, or destroy another user's private data, including messages, session information, build artifacts, and LLM transaction logs. This constitutes a breach of confidentiality, integrity, and availability (CIA) for the targeted user's resources. The attacker gains the same level of access as the legitimate owner, effectively bypassing authorization controls [1][2].

Mitigation

The advisory (GHSA-9c59-2mvc-vfr8) recommends applying the ownership check pattern used in the GET /monitor/messages endpoint to all seven vulnerable endpoints. As of the publication date (2026-06-16), a fixed version has not been explicitly mentioned in the available references; users should monitor the Langflow repository for a patch. No workaround is provided. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog as of the advisory date [1][2].

References
  1. CVE-2026-33760 - GitHub Advisory Database
  2. IDOR/BOLA in Monitor API — Missing Ownership Enforcement on 7 Endpoints

AI Insight generated on Jun 16, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.

Vulnerability mechanics

Root cause

"Seven endpoints under /api/v1/monitor accept a user-supplied resource identifier (flow_id, message_id, or session_id) but never verify the authenticated requester owns the targeted resource via a join to the Flow table and a filter on Flow.user_id."

Attack vector

An attacker must be authenticated (any registered user) and know the victim's `flow_id` or message/session UUID. The attacker supplies that identifier to one of seven unprotected endpoints under `/api/v1/monitor` [ref_id=1][ref_id=2]. Because the endpoints perform read, write, rename, or delete operations directly on `MessageTable`, `TransactionTable`, or `VertexBuildTable` without joining to the `Flow` table and filtering by `Flow.user_id == current_user.id`, the attacker operates on another user's data. This is a classic Insecure Direct Object Reference (IDOR) / Broken Object Level Authorization (BOLA) vulnerability.

Affected code

The vulnerable endpoints are in `src/backend/base/langflow/api/v1/monitor.py`. The advisory [ref_id=1][ref_id=2] identifies seven endpoints (GET and DELETE `/monitor/builds`, `GET`,`PUT`,`DELETE`,`PATCH` `/monitor/messages`, `DELETE` `/monitor/messages/session/{session_id}`, `PATCH` `/monitor/messages/session/{old_session_id}`, GET `/monitor/transactions`) that accept a `flow_id` or resource ID from the attacker but never filter by `Flow.user_id == current_user.id`.

What the fix does

The advisory [ref_id=1][ref_id=2] does not provide a patch diff but describes the correct pattern already present at `GET /monitor/messages` lines 77–80: each vulnerable endpoint must be updated to join the target table with the `Flow` table and add a `WHERE Flow.user_id == current_user.id` clause. For example, `GET /monitor/transactions` must join `TransactionTable.flow_id` to `Flow.id` and filter by `Flow.user_id == current_user.id` instead of selecting by `TransactionTable.flow_id == flow_id` alone. Until the fix is applied, no ownership enforcement exists on the 7 endpoints.

Preconditions

  • authThe attacker must have a valid authenticated session (any registered account)
  • inputThe attacker must know the victim's flow_id, message_id, or session_id (obtainable via enumeration or brute-force of UUIDs)
  • configThe target Langflow deployment must have multiple users (team instances, SaaS, or enterprise self-hosted)
  • networkThe /api/v1/monitor endpoints must be network-accessible

Generated on Jun 16, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

2

News mentions

0

No linked articles in our index yet.