PyPI package
langflow-base
pkg:pypi/langflow-base
Vulnerabilities (5)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-6596 | Hig | 7.3 | < 0.9.1 | 0.9.1 | Apr 20, 2026 | A security flaw has been discovered in langflow-ai langflow up to 1.1.0. This issue affects the function create_upload_file of the file src/backend/base/Langflow/api/v1/endpoints.py of the component API Endpoint. The manipulation results in unrestricted upload. It is possible to | |
| CVE-2026-34046 | Hig | 8.8 | < 0.5.1 | 0.5.1 | Mar 27, 2026 | Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to version 1.5.1, the `_read_flow` helper in `src/backend/base/langflow/api/v1/flows.py` branched on the `AUTO_LOGIN` setting to decide whether to filter by `user_id`. When `AUTO_LOGIN` was `Fals | |
| CVE-2026-21445 | — | < 0.7.1 | 0.7.1 | Jan 2, 2026 | Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to version 1.7.0.dev45, multiple critical API endpoints in Langflow are missing authentication controls. The issue allows any unauthenticated user to access sensitive user conversation data, tran | ||
| CVE-2025-57760 | — | < 0.5.1 | 0.5.1 | Aug 25, 2025 | Langflow is a tool for building and deploying AI-powered agents and workflows. A privilege escalation vulnerability exists in Langflow containers where an authenticated user with RCE access can invoke the internal CLI command langflow superuser to create a new administrative user | ||
| CVE-2025-3248 | — | KEV | < 0.3.0 | 0.3.0 | Apr 7, 2025 | Langflow versions prior to 1.3.0 are susceptible to code injection in the /api/v1/validate/code endpoint. A remote and unauthenticated attacker can send crafted HTTP requests to execute arbitrary code. |
- affected < 0.9.1fixed 0.9.1
A security flaw has been discovered in langflow-ai langflow up to 1.1.0. This issue affects the function create_upload_file of the file src/backend/base/Langflow/api/v1/endpoints.py of the component API Endpoint. The manipulation results in unrestricted upload. It is possible to
- affected < 0.5.1fixed 0.5.1
Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to version 1.5.1, the `_read_flow` helper in `src/backend/base/langflow/api/v1/flows.py` branched on the `AUTO_LOGIN` setting to decide whether to filter by `user_id`. When `AUTO_LOGIN` was `Fals
- CVE-2026-21445Jan 2, 2026affected < 0.7.1fixed 0.7.1
Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to version 1.7.0.dev45, multiple critical API endpoints in Langflow are missing authentication controls. The issue allows any unauthenticated user to access sensitive user conversation data, tran
- CVE-2025-57760Aug 25, 2025affected < 0.5.1fixed 0.5.1
Langflow is a tool for building and deploying AI-powered agents and workflows. A privilege escalation vulnerability exists in Langflow containers where an authenticated user with RCE access can invoke the internal CLI command langflow superuser to create a new administrative user
- affected < 0.3.0fixed 0.3.0
Langflow versions prior to 1.3.0 are susceptible to code injection in the /api/v1/validate/code endpoint. A remote and unauthenticated attacker can send crafted HTTP requests to execute arbitrary code.