CVE-2026-21445
published 2026-01-02

Priority P189, critical, 9.1 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Tags: ITW, EXPLOIT, VulnCheck KEV
Exploited in the wild
EPSS: 20.66% (97.2th percentile)

Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to version 1.7.0.dev45, multiple critical API endpoints in Langflow are missing authentication controls. The issue allows any unauthenticated user to access sensitive user conversation data, transaction histories, and perform destructive operations including message deletion. This affects endpoints handling personal data and system operations that should require proper authorization. Version 1.7.0.dev45 contains a patch.

Affected

3 ranges
Vendor        Product    Version range    Fixed in
langflow-ai   langflow   < 1.7.0.dev45    1.7.0.dev45
langflow      langflow   < 1.7.1          1.7.1
langflow      langflow   >= 0 < 1.7.1     1.7.1

Detection & IOCs (extracted from sources)

url: /api/v1/monitor/messages
  • Unauthenticated GET request to /api/v1/monitor/messages returning HTTP 200 with JSON body containing '"text":' and '"timestamp":' fields indicates successful exploitation of broken access control.
  • Multiple critical API endpoints in Langflow are missing authentication controls, allowing unauthenticated access to sensitive conversation data, transaction histories, and destructive operations such as message deletion.
  • CVE-2026-21445 is part of a broader exploitation campaign targeting multiple Langflow vulnerabilities; monitor for unauthenticated access patterns across Langflow API endpoints.
  • The vulnerability affects Langflow versions prior to 1.7.0.dev45; instances running older versions with default configuration expose sensitive API endpoints without authentication.

CVSS provenance

nvd        v3.1   9.1   CRITICAL   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
nvd        v4.0   8.8   HIGH       CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vulncheck         8.8   HIGH