Medium severity5.3NVD Advisory· Published Mar 27, 2026· Updated Apr 20, 2026
CVE-2026-5022
CVE-2026-5022
Description
The '/api/v1/files/images/{flow_id}/{file_name}' endpoint does not enforce any authentication or authorization checks, allowing any unauthenticated user to download images belonging to any flow by knowing (or guessing) the flow ID and file name.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
1- cpe:2.3:a:langflow:langflow:-:*:*:*:*:*:*:*
Patches
Vulnerability mechanics
References
1- www.tenable.com/security/research/tra-2026-23nvdVendor Advisory
News mentions
0No linked articles in our index yet.