CVE-2026-33484
Published 2026-03-24
Priority: P261 · high · 7.5 · CVSS 3.1
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS: 5.84% (92.2th percentile)
Langflow is a tool for building and deploying AI-powered agents and workflows. In versions 1.0.0 through 1.8.1, the `/api/v1/files/images/{flow_id}/{file_name}` endpoint serves image files without any authentication or ownership check. Any unauthenticated request with a known flow_id and file_name returns the image with HTTP 200. In a multi-tenant deployment, any attacker who can discover or guess a `flow_id` (UUIDs can be leaked through other API responses) can download any user's uploaded images without credentials. Version 1.9.0 contains a patch.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| langflow-ai | langflow | — | — |
| langflow | langflow | >= 1.0.0 < 1.9.0 | 1.9.0 |
| langflow | langflow | 1.0.0 – 1.8.1 | — |
OSV
langflow has Unauthenticated IDOR on Image Downloads
osv·2026-03-20
CVE-2026-33484 [HIGH] langflow has Unauthenticated IDOR on Image Downloads
### Summary
The `/api/v1/files/images/{flow_id}/{file_name}` endpoint serves image files without any authentication or ownership check. Any unauthenticated request with a known flow_id and file_name returns the image with HTTP 200.
### Details
`src/backend/base/langflow/api/v1/files.py:138-164`: `download_image` takes `flow_id: UUID` as a bare path parameter with no `Depends(get_flow)` or `CurrentActiveUser`. All other file routes (`download_file`, `upload_file`, `list_files`, `delete_file`) use `Depends(get_flow)`, which enforces both authentication and ownership. There is no global auth middleware on `/api/v1`; protection is per-endpoint only.
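To make the missing guard concrete, here is an added example (not Langflow's code) that models the two shapes of the route in plain Python without FastAPI: a `get_flow` check that mirrors what the advisory says `Depends(get_flow)` enforces (authentication, then ownership), the vulnerable handler that skips it, and the fixed handler that calls it. `HTTPException`, `User`, `Flow`, the in-memory stores and the UUIDs are constructed for the example.

```python
import uuid
from dataclasses import dataclass
from typing import Callable, Optional

class HTTPException(Exception):
    """Stand-in for FastAPI's HTTPException (constructed for this example)."""
    def __init__(self, status_code: int, detail: str):
        super().__init__(detail)
        self.status_code = status_code

@dataclass(frozen=True)
class User:
    id: uuid.UUID

@dataclass(frozen=True)
class Flow:
    id: uuid.UUID
    user_id: uuid.UUID  # owner

# Constructed sample data: one flow owned by ALICE, one image stored under it.
ALICE = User(uuid.UUID("11111111-1111-4111-8111-111111111111"))
BOB = User(uuid.UUID("22222222-2222-4222-8222-222222222222"))
FLOW = Flow(uuid.UUID("33333333-3333-4333-8333-333333333333"), ALICE.id)
FLOWS = {FLOW.id: FLOW}
IMAGES = {(FLOW.id, "diagram.png"): b"\x89PNG constructed image bytes"}

def get_flow(flow_id: uuid.UUID, current_user: Optional[User]) -> Flow:
    """Models the Depends(get_flow) guard: authenticate first, then check ownership."""
    if current_user is None:
        raise HTTPException(401, "Not authenticated")
    flow = FLOWS.get(flow_id)
    if flow is None or flow.user_id != current_user.id:
        # Same 404 for "missing" and "not yours": no existence oracle for other tenants.
        raise HTTPException(404, "Flow not found")
    return flow

def download_image_vulnerable(flow_id: uuid.UUID, file_name: str) -> bytes:
    """Pre-1.9.0 shape: bare path parameters, no user, no ownership check."""
    if (flow_id, file_name) not in IMAGES:
        raise HTTPException(404, "File not found")
    return IMAGES[(flow_id, file_name)]

def download_image_fixed(flow_id: uuid.UUID, file_name: str,
                         current_user: Optional[User]) -> bytes:
    """Hardened shape: resolve the flow through the guard before touching storage."""
    flow = get_flow(flow_id, current_user)
    if (flow.id, file_name) not in IMAGES:
        raise HTTPException(404, "File not found")
    return IMAGES[(flow.id, file_name)]

def status_of(handler: Callable, *args) -> int:
    """Return the HTTP status a handler call would produce (200 on success)."""
    try:
        handler(*args)
        return 200
    except HTTPException as exc:
        return exc.status_code
```

With the vulnerable handler an anonymous caller holding only the `flow_id` and file name gets 200; the fixed handler returns 401 without a user and 404 for a non-owner such as BOB.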
### PoC
```
curl -v "http://localhost:7860/api/v1/files/images/<flow_id>/<file_name>"
# Returns HTTP 200 with the image, no credentials required
```
GHSA
langflow has Unauthenticated IDOR on Image Downloads
ghsa·2026-03-20
CVE-2026-33484 [HIGH] CWE-284 langflow has Unauthenticated IDOR on Image Downloads
No detection rules found.
No public exploits indexed.
Published: 2026-03-24