VYPR

Langflow AI

All CVEs

55 total · sorted by risk
  • CVE-2026-33017 · Critical · KEV · Mar 20, 2026
    risk 0.77 · cvss 9.8 · epss 0.98

    Langflow is a tool for building and deploying AI-powered agents and workflows. In versions prior to 1.9.0, the POST /api/v1/build_public_tmp/{flow_id}/flow endpoint allows building public flows without requiring authentication. When the optional data parameter is supplied, the…

  • CVE-2025-34291 · High · KEV · Dec 5, 2025
    risk 0.65 · cvss 8.8 · epss 0.79

    Langflow versions up to and including 1.6.9 contain a chained vulnerability that enables account takeover and remote code execution. An overly permissive CORS configuration (allow_origins='*' with allow_credentials=True) combined with a refresh token cookie configured as…

  • CVE-2026-7524 · Critical · May 27, 2026
    risk 0.57 · cvss 9.8 · epss 0.01

    IBM Langflow OSS 1.0.0 through 1.9.1 could allow remote code execution due to improper validation of symbolic links during archive extraction.

  • CVE-2026-6543 · High · Apr 30, 2026
    risk 0.57 · cvss 8.8 · epss 0.00

    IBM Langflow Desktop 1.0.0 through 1.8.4 Langflow allows an attacker to execute arbitrary commands with the privileges of the process running Langflow. This allows reading sensitive environment variables (API keys, DB credentials), modifying files, or launching further attacks…

  • CVE-2026-33873 · Critical · Mar 27, 2026
    risk 0.57 · cvss 9.9 · epss 0.01

    Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to version 1.9.0, the Agentic Assistant feature in Langflow executes LLM-generated Python code during its validation phase. Although this phase appears intended to validate generated component…

  • CVE-2026-42048 · Critical · May 12, 2026
    risk 0.55 · cvss 9.6 · epss 0.04

    Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to 1.9.0, Langflow is vulnerable to Path Traversal in the Knowledge Bases API (DELETE /api/v1/knowledge_bases). This occurs because user-supplied knowledge base names are concatenated directly…

  • CVE-2026-55447 · Critical · Jun 19, 2026
    risk 0.52 · cvss n/a · epss 0.00

    Summary: All components based on `BaseFileComponent` are vulnerable to the following vulnerability: 1. Docling (`DoclingInlineComponent`) 2. Docling Serve (`DoclingRemoteComponent`) 3. Read File (`FileComponent`) 4. NVIDIA Retriever Extraction (`NvidiaIngestComponent`) 5.…

  • CVE-2026-55255 · Critical · Jun 19, 2026
    risk 0.52 · cvss n/a · epss 0.00

    Summary: Insecure Direct Object Reference (IDOR) vulnerability in `/api/v1/responses` endpoint allows an authenticated attacker to execute any flow belonging to another user by specifying the victim's flow ID in the request. Details: The vulnerability exists in the…

  • CVE-2026-55450 · Critical · Jun 17, 2026
    risk 0.52 · cvss n/a · epss 0.00

    Summary: Unauthenticated users can upload any amount of data to the server without any limitations. No need for any prior knowledge, only network access to Langflow. This can lead to space exhaustion on the server. In addition, in the response, the absolute path of the…

  • CVE-2026-48519 · Critical · Jun 16, 2026
    risk 0.52 · cvss n/a · epss 0.01

    Summary: The "Shareable Playground" (or "Public Flows" in code) contains a critical RCE vulnerability. Simply sharing a flow exposes the deployment to RCE risk by authenticated users. Tested on commit 2d67402b1dbaefcbce85a244d4a6cd5e4bda1cfe Details: Shareable Playground…

  • CVE-2026-3357 · High · Apr 8, 2026
    risk 0.50 · cvss 8.8 · epss 0.00

    IBM Langflow Desktop 1.6.0 through 1.8.2 Langflow could allow an authenticated user to execute arbitrary code on the system, caused by an insecure default setting which permits the deserialization of untrusted data in the FAISS component.

  • CVE-2026-34046 · High · Mar 27, 2026
    risk 0.50 · cvss 8.8 · epss 0.00

    Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to version 1.5.1, the `_read_flow` helper in `src/backend/base/langflow/api/v1/flows.py` branched on the `AUTO_LOGIN` setting to decide whether to filter by `user_id`. When `AUTO_LOGIN` was…

  • CVE-2026-4503 · High · Apr 30, 2026
    risk 0.49 · cvss 7.5 · epss 0.00

    IBM Langflow Desktop 1.0.0 through 1.8.4 Langflow could allow an unauthenticated user to view other users' images due to an indirect object reference through a user-controlled key.

  • CVE-2026-7787 · High · Jun 11, 2026
    risk 0.42 · cvss 7.5 · epss 0.00

    IBM Langflow OSS 1.0.0 through 1.9.1 could allow an authenticated user to read or modify sensitive information by bypassing authentication using insecure direct object references.

  • CVE-2026-3345 · Medium · Apr 30, 2026
    risk 0.42 · cvss 6.5 · epss 0.00

    IBM Langflow Desktop <=1.8.4 Langflow could allow a remote attacker to traverse directories on the system. An attacker could send a specially crafted URL request containing "dot dot" sequences (/../) to view arbitrary files on the system.

  • CVE-2026-4502 · Medium · Apr 30, 2026
    risk 0.42 · cvss 6.5 · epss 0.00

    IBM Langflow Desktop 1.2.0 through 1.8.4 Langflow could allow an authenticated attacker to traverse directories on the system. An attacker could send a specially crafted URL request containing "dot dot" sequences (/../) to write arbitrary files on the system.

  • CVE-2026-3346 · Medium · Apr 30, 2026
    risk 0.42 · cvss 6.4 · epss 0.00

    IBM Langflow Desktop 1.6.0 through 1.8.4 Langflow is vulnerable to stored cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure…

  • CVE-2026-3340 · Medium · Apr 30, 2026
    risk 0.42 · cvss 6.5 · epss 0.00

    IBM Langflow Desktop 1.0.0 through 1.8.4 IBM Langflow is vulnerable to server-side request forgery (SSRF). This may allow an authenticated attacker to send unauthorized requests from the system, potentially leading to network enumeration or facilitating other attacks.

  • CVE-2026-5025 · Medium · Mar 27, 2026
    risk 0.42 · cvss 6.5 · epss 0.00

    The '/logs' and '/logs-stream' endpoints in the log router allow any authenticated user to read the full application log buffer. These endpoints only require basic authentication ('get_current_active_user') without any privilege checks (e.g., 'is_superuser').

  • CVE-2026-7700 · Medium · May 3, 2026
    risk 0.41 · cvss 6.3 · epss 0.00

    A weakness has been identified in langflow-ai langflow up to 1.8.4. This affects the function eval of the file src/lfx/src/lfx/components/llm_operations/lambda_filter.p of the component LambdaFilterComponent. Executing a manipulation can lead to code injection. The attack may be…

  • CVE-2026-7687 · Medium · May 3, 2026
    risk 0.41 · cvss 6.3 · epss 0.02

    A vulnerability was determined in langflow-ai langflow up to 1.8.4. Affected by this issue is the function CodeParser.parse_callable_details of the file src/lfx/src/lfx/custom/code_parser/code_parser.py of the component Full Builtins Module Handler. Executing a manipulation can…

  • CVE-2026-7528 · High · May 27, 2026
    risk 0.39 · cvss 7.1 · epss 0.00

    IBM Langflow OSS 1.0.0 through 1.9.0 could allow a denial of service due to uncontrolled resource consumption.

  • CVE-2026-55446 · High · Jun 19, 2026
    risk 0.38 · cvss n/a · epss 0.00

    Summary: An attacker can send a `/api/v1/files/upload/` request without any authentication token/cookies and abuse a very long multipart form boundary to make the langflow app unusable for all users for an indefinite amount of time. Details:…

  • CVE-2026-33760 · High · Jun 16, 2026
    risk 0.38 · cvss n/a · epss 0.00

    Summary: Langflow's `/api/v1/monitor` router exposes 7 endpoints that perform read, write, and delete operations on user-owned resources (messages, sessions, build artifacts, and LLM transaction logs) without verifying that the authenticated requester owns the targeted…

  • CVE-2026-3341 · Medium · Jun 11, 2026
    risk 0.35 · cvss 5.4 · epss 0.00

    IBM Langflow Desktop 1.0.0 through 1.9.2 IBM Langflow is vulnerable to server-side request forgery (SSRF). This may allow an authenticated attacker to send unauthorized requests from the system, potentially leading to network enumeration or facilitating other attacks.

  • CVE-2026-6542 · Medium · Apr 30, 2026
    risk 0.35 · cvss 6.5 · epss 0.00

    IBM Langflow OSS 1.0.0 through 1.8.4 could allow any user to supply a flow_id to read transaction logs and vertex build data belonging to other users, and to delete persisted vertex build data for another user's flow.

  • CVE-2026-5026 · Medium · Mar 27, 2026
    risk 0.35 · cvss 5.4 · epss 0.00

    The '/api/v1/files/images/{flow_id}/{file_name}' endpoint serves SVG files with the 'image/svg+xml' content type without sanitizing their content. Since SVG files can contain embedded JavaScript, an attacker can upload a malicious SVG that executes arbitrary JavaScript when…

  • CVE-2026-5022 · Medium · Mar 27, 2026
    risk 0.34 · cvss 5.3 · epss 0.00

    The '/api/v1/files/images/{flow_id}/{file_name}' endpoint does not enforce any authentication or authorization checks, allowing any unauthenticated user to download images belonging to any flow by knowing (or guessing) the flow ID and file name.

  • CVE-2026-6600 · Low · Apr 20, 2026
    risk 0.16 · cvss 3.5 · epss 0.00

    A flaw has been found in langflow-ai langflow up to 1.8.3. This affects an unknown function of the file src/frontend/src/modals/IOModal/components/chatView/chatMessage/components/edit-message.tsx of the component Frontend React Component Rendering. Executing a manipulation can…

  • CVE-2025-3248 · KEV · Apr 7, 2025
    risk 0.16 · cvss n/a · epss 1.00

    Langflow versions prior to 1.3.0 are susceptible to code injection in the /api/v1/validate/code endpoint. A remote and unauthenticated attacker can send crafted HTTP requests to execute arbitrary code.

  • CVE-2026-0770 · Jan 23, 2026
    risk 0.04 · cvss n/a · epss 0.10

    Langflow exec_globals Inclusion of Functionality from Untrusted Control Sphere Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Langflow. Authentication is not required to exploit this…

  • CVE-2024-48061 · Nov 4, 2024
    risk 0.01 · cvss n/a · epss 0.01

    langflow <=1.0.18 is vulnerable to Remote Code Execution (RCE) as any component provided the code functionality and the components run on the local machine rather than in a sandbox.

  • CVE-2024-42835 · Oct 31, 2024
    risk 0.01 · cvss n/a · epss 0.01

    langflow v1.0.12 was discovered to contain a remote code execution (RCE) vulnerability via the PythonCodeTool component.

  • CVE-2026-12822 · Jun 21, 2026
    risk 0.00 · cvss n/a · epss 0.00

    A vulnerability was identified in langflow-ai langflow up to 1.9.3. This affects an unknown function of the component Bundle URL Loader. The manipulation leads to code injection. The attack needs to be performed locally. The vendor was contacted early about this disclosure but…

  • CVE-2026-55423 · Jun 19, 2026
    risk 0.00 · cvss n/a · epss 0.00

    Summary: The logout button does not clear the session. The previous user stays logged in unless another user explicitly logs in. Details: Not in auto login mode. Hosted on localhost. `access_token_lf` remains present in both Local Storage and Cookies. `refresh_token_lf`…

  • CVE-2026-48520 · Jun 16, 2026
    risk 0.00 · cvss n/a · epss 0.00

    Summary: The "Shareable Playground" (or "Public Flows" in code) contains a potential arbitrary file-read vulnerability, depending on the exact flow configuration used. By making a flow public, public execution of the flow is allowed. The execution request can contain a list…

  • CVE-2026-42867 · Jun 16, 2026
    risk 0.00 · cvss n/a · epss 0.00

    Summary: Langflow is vulnerable to Path Traversal in the Knowledge Bases API (`POST /api/v1/knowledge_bases`). This occurs because user-supplied knowledge base names are used directly to create file paths without proper sanitization or containment checks. An authenticated…

  • CVE-2026-5027 · Mar 27, 2026
    risk 0.00 · cvss n/a · epss 0.02

    The 'POST /api/v2/files' endpoint does not sanitize the 'filename' parameter from the multipart form data, allowing an attacker to write files to arbitrary locations on the filesystem using path traversal sequences ('../').

  • CVE-2026-33497 · Mar 24, 2026
    risk 0.00 · cvss n/a · epss 0.08

    Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to version 1.7.1, in the download_profile_picture function of the /profile_pictures/{folder_name}/{file_name} endpoint, the folder_name and file_name parameters are not strictly filtered, which…

  • CVE-2026-33484 · Mar 24, 2026
    risk 0.00 · cvss n/a · epss 0.06

    Langflow is a tool for building and deploying AI-powered agents and workflows. In versions 1.0.0 through 1.8.1, the `/api/v1/files/images/{flow_id}/{file_name}` endpoint serves image files without any authentication or ownership check. Any unauthenticated request with a known…

  • CVE-2026-33475 · Mar 24, 2026
    risk 0.00 · cvss n/a · epss 0.03

    Langflow is a tool for building and deploying AI-powered agents and workflows. An unauthenticated remote shell injection vulnerability exists in multiple GitHub Actions workflows in the Langflow repository prior to version 1.9.0. Unsanitized interpolation of GitHub context…

  • CVE-2026-33309 · Mar 24, 2026
    risk 0.00 · cvss n/a · epss 0.01

    Langflow is a tool for building and deploying AI-powered agents and workflows. Versions 1.2.0 through 1.8.1 have a bypass of the patch for CVE-2025-68478 (External Control of File Name), leading to the root architectural issue within `LocalStorageService` remaining unresolved.…

  • CVE-2026-33053 · Mar 20, 2026
    risk 0.00 · cvss n/a · epss 0.00

    Langflow is a tool for building and deploying AI-powered agents and workflows. In versions prior to 1.9.0, the delete_api_key_route() endpoint accepts an api_key_id path parameter and deletes it with only a generic authentication check (get_current_active_user dependency).…

  • CVE-2026-27966 · Feb 26, 2026
    risk 0.00 · cvss n/a · epss 0.34

    Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to version 1.8.0, the CSV Agent node in Langflow hardcodes `allow_dangerous_code=True`, which automatically exposes LangChain’s Python REPL tool (`python_repl_ast`). As a result, an attacker…

  • CVE-2026-0772 · Jan 23, 2026
    risk 0.00 · cvss n/a · epss 0.01

    Langflow Disk Cache Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Langflow. Authentication is required to exploit this vulnerability. The specific flaw…

  • CVE-2026-0771 · Jan 23, 2026
    risk 0.00 · cvss n/a · epss 0.01

    Langflow PythonFunction Code Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Langflow. Attack vectors and exploitability will vary depending on the configuration of the product. The…

  • CVE-2026-0769 · Jan 23, 2026
    risk 0.00 · cvss n/a · epss 0.34

    Langflow eval_custom_component_code Eval Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Langflow. Authentication is not required to exploit this vulnerability. The specific flaw…

  • CVE-2026-0768 · Jan 23, 2026
    risk 0.00 · cvss n/a · epss 0.02

    Langflow code Code Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Langflow. Authentication is not required to exploit this vulnerability. The specific flaw exists within the…

  • CVE-2026-21445 · Jan 2, 2026
    risk 0.00 · cvss n/a · epss 0.21

    Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to version 1.7.0.dev45, multiple critical API endpoints in Langflow are missing authentication controls. The issue allows any unauthenticated user to access sensitive user conversation data,…

  • CVE-2025-68478 · Dec 19, 2025
    risk 0.00 · cvss n/a · epss 0.04

    Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to version 1.7.0, if an arbitrary path is specified in the request body's `fs_path`, the server serializes the Flow object into JSON and creates/overwrites a file at that path. There is no path…

Page 1 of 2