CVE-2026-55423
Published 2026-06-23
Priority P4 (27); severity medium; CVSS 3.1 base score 6.1; vector AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
EPSS 0.15% (4.7th percentile)
Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to 1.7.0, the logout button does not clear the session. The previous user stays logged in unless another user explicitly logs in. This vulnerability is fixed in 1.7.0.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| langflow-ai | langflow | < 1.7.0 | 1.7.0 |
| langflow | langflow | < 1.7.0 | 1.7.0 |
| langflow | langflow | >= 0 < 1.7.1 | 1.7.1 |
VulDB
langflow-ai langflow up to 1.6.x session expiration (GHSA-7hw8-6q6r-4276)
VulDB, 2026-06-24, CVE-2026-55423, severity medium, CVSS 6.1
A vulnerability has been found in langflow-ai langflow up to 1.6.x and classified as problematic. Impacted is an unknown function. The manipulation leads to session expiration.
This vulnerability is listed as CVE-2026-55423. It is possible to launch the attack on the physical device. There is no available exploit.
The affected component should be upgraded.
GHSA
Langflow: Logout button does not clear session
GHSA, 2026-06-19, CVE-2026-55423, severity medium, CWE-613
### Summary
The logout button does not clear the session. The previous user stays logged in unless another user explicitly logs in.
### Details
Observed with auto login mode disabled, hosted on localhost: after logout, `access_token_lf` remains present in both Local Storage and Cookies, and `refresh_token_lf` remains present in Cookies. The reproduction used the environment settings below.
**Root cause:** the `/logout` endpoint deleted the authentication cookies without matching the original `httponly`/`samesite`/`secure`/`domain` parameters, so the browser kept them; additionally the frontend did not clear the auth cookies on logout.
```yaml
LANGFLOW_AUTO_LOGIN: "False"
LANGFLOW_SUPERUSER:
LANGFLOW_SUPERUSER_PASSWORD:
LANGFLOW_SECRET_KEY:
LANGFLOW_NEW_USER_IS_ACTIVE: "False"
LANGFLOW_ENABLE_SUPERUSER_CLI: "False"
```
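The root cause above is a browser-side matching rule, so the clearest way to see it is to model the browser's cookie store. The following is an added example, not Langflow's own code: it applies the RFC 6265 rule that a stored cookie is identified by (name, domain, path), and compares a logout response that expires the cookies under a mismatched path with one that replicates the original attributes. The cookie values, the `/api/v1/login` and `/api/v1/logout` request paths and the `localhost` host are assumptions for illustration.

```python
"""Browser-side model of why an expiring Set-Cookie can fail to log a user out.
Added example, not Langflow's own code. A browser keys stored cookies on
(name, domain, path) per RFC 6265 section 5.3; expiring a cookie under a
different path or domain adds a separate expired entry and keeps the original.
Cookie values and request paths below are constructed for illustration."""
from http.cookies import SimpleCookie

HOST = "localhost"  # constructed: host the app is served from

def default_path(request_path: str) -> str:
    """RFC 6265 section 5.1.4: path used when Set-Cookie carries no Path."""
    if not request_path.startswith("/") or request_path.count("/") == 1:
        return "/"
    return request_path.rsplit("/", 1)[0]

def store_cookie(store: dict, header: str, request_path: str) -> None:
    """Apply one Set-Cookie header to a store keyed on (name, domain, path)."""
    jar = SimpleCookie()
    jar.load(header)
    (name, m), = jar.items()
    key = (name, (m["domain"] or HOST).lstrip("."), m["path"] or default_path(request_path))
    store.pop(key, None)  # same identity: the old cookie is replaced ...
    if not (m["max-age"] != "" and int(m["max-age"]) <= 0):
        store[key] = m  # ... unless the new one is already expired, then it is dropped

def cookies_sent_to(store: dict, path: str) -> set:
    """Names the browser would attach to a request for `path` on HOST."""
    return {n for (n, d, p) in store if d == HOST and path.startswith(p)}

# Constructed login response carrying the two cookie names from the advisory.
LOGIN = [
    "access_token_lf=ACCESS; Path=/; HttpOnly; Secure; SameSite=Lax",
    "refresh_token_lf=REFRESH; Path=/; HttpOnly; Secure; SameSite=Lax",
]
# Weak logout: no Path, so the browser files the expired entry under /api/v1.
WEAK_LOGOUT = ["access_token_lf=; Max-Age=0", "refresh_token_lf=; Max-Age=0"]
# Fixed logout: same name, domain, path and flags as the originals.
FIXED_LOGOUT = [
    "access_token_lf=; Max-Age=0; Path=/; HttpOnly; Secure; SameSite=Lax",
    "refresh_token_lf=; Max-Age=0; Path=/; HttpOnly; Secure; SameSite=Lax",
]

def cookies_after_logout(logout_headers: list) -> set:
    """Login at /api/v1/login, logout at /api/v1/logout, then load /."""
    store = {}
    for h in LOGIN:
        store_cookie(store, h, "/api/v1/login")
    for h in logout_headers:
        store_cookie(store, h, "/api/v1/logout")
    return cookies_sent_to(store, "/")
```

With `WEAK_LOGOUT` both tokens are still sent on the next page load; with `FIXED_LOGOUT` the store is empty, which is the behaviour the 1.7.0 fix restores server-side. Note that an `HttpOnly` cookie can only be cleared by a `Set-Cookie` response, never from frontend script, so the server-side deletion has to be the one that matches.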
### PoC
Cl
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.