Langflow
by Langflow AI
CVEs (48)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-33017 | | Critical | 0.77 | 9.8 | 0.98 | KEV | Mar 20, 2026 | Langflow is a tool for building and deploying AI-powered agents and workflows. In versions prior to 1.9.0, the POST /api/v1/build_public_tmp/{flow_id}/flow endpoint allows building public flows without requiring authentication. When the optional data parameter is supplied, the… |
| CVE-2025-34291 | | High | 0.65 | 8.8 | 0.79 | KEV | Dec 5, 2025 | Langflow versions up to and including 1.6.9 contain a chained vulnerability that enables account takeover and remote code execution. An overly permissive CORS configuration (allow_origins='*' with allow_credentials=True) combined with a refresh token cookie configured as… |
| CVE-2026-7524 | | Critical | 0.57 | 9.8 | 0.01 | | May 27, 2026 | IBM Langflow OSS 1.0.0 through 1.9.1 could allow remote code execution due to improper validation of symbolic links during archive extraction. |
| CVE-2026-33873 | | Critical | 0.57 | 9.9 | 0.01 | | Mar 27, 2026 | Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to version 1.9.0, the Agentic Assistant feature in Langflow executes LLM-generated Python code during its validation phase. Although this phase appears intended to validate generated component… |
| CVE-2026-42048 | | Critical | 0.55 | 9.6 | 0.04 | | May 12, 2026 | Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to 1.9.0, Langflow is vulnerable to Path Traversal in the Knowledge Bases API (DELETE /api/v1/knowledge_bases). This occurs because user-supplied knowledge base names are concatenated directly… |
| CVE-2026-55447 | | Critical | 0.52 | — | 0.00 | | Jun 19, 2026 | Summary: All components based on `BaseFileComponent` are vulnerable to the following vulnerability: 1. Docling (`DoclingInlineComponent`) 2. Docling Serve (`DoclingRemoteComponent`) 3. Read File (`FileComponent`) 4. NVIDIA Retriever Extraction (`NvidiaIngestComponent`) 5.… |
| CVE-2026-55255 | | Critical | 0.52 | — | 0.00 | | Jun 19, 2026 | Summary: Insecure Direct Object Reference (IDOR) vulnerability in the `/api/v1/responses` endpoint allows an authenticated attacker to execute any flow belonging to another user by specifying the victim's flow ID in the request. Details: The vulnerability exists in the… |
| CVE-2026-55450 | | Critical | 0.52 | — | 0.00 | | Jun 17, 2026 | Summary: Unauthenticated users can upload any amount of data to the server without any limitations. No prior knowledge is needed, only network access to Langflow. This can lead to space exhaustion on the server. In addition, in the response, the absolute path of the… |
| CVE-2026-48519 | | Critical | 0.52 | — | 0.01 | | Jun 16, 2026 | Summary: The "Shareable Playground" (or "Public Flows" in code) contains a critical RCE vulnerability. Simply sharing a flow exposes the deployment to RCE risk by authenticated users. Tested on commit 2d67402b1dbaefcbce85a244d4a6cd5e4bda1cfe. Details: Shareable Playground… |
| CVE-2026-3357 | | High | 0.50 | 8.8 | 0.00 | | Apr 8, 2026 | IBM Langflow Desktop 1.6.0 through 1.8.2 could allow an authenticated user to execute arbitrary code on the system, caused by an insecure default setting which permits the deserialization of untrusted data in the FAISS component. |
| CVE-2026-34046 | | High | 0.50 | 8.8 | 0.00 | | Mar 27, 2026 | Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to version 1.5.1, the `_read_flow` helper in `src/backend/base/langflow/api/v1/flows.py` branched on the `AUTO_LOGIN` setting to decide whether to filter by `user_id`. When `AUTO_LOGIN` was… |
| CVE-2026-7787 | | High | 0.42 | 7.5 | 0.00 | | Jun 11, 2026 | IBM Langflow OSS 1.0.0 through 1.9.1 could allow an authenticated user to read or modify sensitive information by bypassing authentication using insecure direct object references. |
| CVE-2026-5025 | | Medium | 0.42 | 6.5 | 0.00 | | Mar 27, 2026 | The '/logs' and '/logs-stream' endpoints in the log router allow any authenticated user to read the full application log buffer. These endpoints only require basic authentication ('get_current_active_user') without any privilege checks (e.g., 'is_superuser'). |
| CVE-2026-7700 | | Medium | 0.41 | 6.3 | 0.00 | | May 3, 2026 | A weakness has been identified in langflow-ai langflow up to 1.8.4. This affects the function eval of the file src/lfx/src/lfx/components/llm_operations/lambda_filter.p of the component LambdaFilterComponent. Executing a manipulation can lead to code injection. The attack may be… |
| CVE-2026-7687 | | Medium | 0.41 | 6.3 | 0.02 | | May 3, 2026 | A vulnerability was determined in langflow-ai langflow up to 1.8.4. Affected by this issue is the function CodeParser.parse_callable_details of the file src/lfx/src/lfx/custom/code_parser/code_parser.py of the component Full Builtins Module Handler. Executing a manipulation can… |
| CVE-2026-7528 | | High | 0.39 | 7.1 | 0.00 | | May 27, 2026 | IBM Langflow OSS 1.0.0 through 1.9.0 could allow a denial of service due to uncontrolled resource consumption. |
| CVE-2026-55446 | | High | 0.38 | — | 0.00 | | Jun 19, 2026 | Summary: An attacker can send a `/api/v1/files/upload/` request without any authentication token/cookies and abuse a very long multipart form boundary to make the langflow app unusable for all users for an indefinite amount of time. Details:… |
| CVE-2026-33760 | | High | 0.38 | — | 0.00 | | Jun 16, 2026 | Summary: Langflow's `/api/v1/monitor` router exposes 7 endpoints that perform read, write, and delete operations on user-owned resources — messages, sessions, build artifacts, and LLM transaction logs — without verifying that the authenticated requester owns the targeted… |
| CVE-2026-6542 | | Medium | 0.35 | 6.5 | 0.00 | | Apr 30, 2026 | IBM Langflow OSS 1.0.0 through 1.8.4 could allow any user to supply a flow_id to read transaction logs and vertex build data belonging to other users, and to delete persisted vertex build data for another user's flow. |
| CVE-2026-5026 | | Medium | 0.35 | 5.4 | 0.00 | | Mar 27, 2026 | The '/api/v1/files/images/{flow_id}/{file_name}' endpoint serves SVG files with the 'image/svg+xml' content type without sanitizing their content. Since SVG files can contain embedded JavaScript, an attacker can upload a malicious SVG that executes arbitrary JavaScript when… |
Page 1 of 3