CVE-2026-6598
Published 2026-04-20
Priority: P4 (27) · Severity: medium · CVSS 3.1 base score: 4.3
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
EPSS: 0.15% (4.7th percentile)
A security vulnerability has been detected in langflow-ai langflow up to 1.8.3. The affected element is the function create_project/encrypt_auth_settings of the file src/backend/base/Langflow/api/v1/projects.py of the component Project Creation Endpoint. Such manipulation of the argument auth_settings leads to cleartext storage in a file or on disk. The attack can be launched remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
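Two checks a defender would want after reading this record, written here as an added example (not Langflow's own code and not taken from the advisory): an affected-version test that implements the `>= 0 < 1.9.1` range from the affected table, and a scan over stored project records that flags `auth_settings` values kept in cleartext. The record layout, the list of sensitive key names, the `/api/v1/version` path used by the optional `fetch_version` helper, and the heuristic that properly encrypted values are Fernet tokens (which begin with `gAAAAA`) are assumptions of mine rather than facts stated on this page; the sample records are constructed.

```python
"""Added example for CVE-2026-6598 (not Langflow's code, not from the advisory).

Two checks: is_affected() implements the advisory's range ">= 0 < 1.9.1";
find_cleartext_auth_settings() scans stored project records for auth_settings
values that are sensitive by name yet not stored as ciphertext.

Assumptions (mine, not from the page): the record layout, the sensitive-key
names, the /api/v1/version endpoint used by fetch_version(), and the
heuristic that encrypted values are Fernet tokens (prefix "gAAAAA").
"""
import json
import re
import urllib.request
from typing import Iterator

FIXED_VERSION = (1, 9, 1)  # "Fixed in 1.9.1" from the affected table
_PRERELEASE_RE = re.compile(r"^[.\-_]?(a|b|c|rc|alpha|beta|pre|preview|dev)", re.IGNORECASE)


def parse_version(text: str) -> tuple[tuple[int, ...], int]:
    """Reduce a version string to a sortable (release, is_final) pair.

    Pre-release/dev suffixes sort before the final release of the same
    number; post-releases, local tags and no suffix all count as final.
    """
    m = re.match(r"^\s*v?(\d+(?:\.\d+)*)(.*)$", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    release = tuple(int(part) for part in m.group(1).split("."))
    is_final = 0 if _PRERELEASE_RE.match(m.group(2)) else 1
    return release, is_final


def is_affected(version: str) -> bool:
    """True when version < 1.9.1, i.e. inside the advisory range '>= 0 < 1.9.1'."""
    return parse_version(version) < (FIXED_VERSION, 1)


def fetch_version(base_url: str, timeout: float = 5.0) -> str:
    """Ask a running instance for its version (endpoint path is an assumption)."""
    url = f"{base_url.rstrip('/')}/api/v1/version"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return json.load(resp)["version"]


_SENSITIVE_KEY_RE = re.compile(r"api[_-]?key|secret|token|password|passwd|credential", re.IGNORECASE)
# Fernet tokens are urlsafe-base64 of a 0x80 version byte followed by a
# timestamp, so every one of them starts with "gAAAAA" (assumed format).
_FERNET_TOKEN_RE = re.compile(r"^gAAAAA[A-Za-z0-9_\-]+=*$")


def _leaves(obj, path: tuple[str, ...] = ()) -> Iterator[tuple[tuple[str, ...], object]]:
    """Yield (path, value) for every scalar inside nested dicts/lists."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            yield from _leaves(value, path + (str(key),))
    elif isinstance(obj, list):
        for idx, value in enumerate(obj):
            yield from _leaves(value, path + (f"[{idx}]",))
    else:
        yield path, obj


def find_cleartext_auth_settings(projects: list[dict]) -> list[str]:
    """Return 'project:auth_settings.<path>' for each value whose key looks
    sensitive and which is present but not recognisably encrypted."""
    findings = []
    for project in projects:
        settings = project.get("auth_settings")
        if not settings:
            continue
        label = project.get("name") or project.get("id") or "?"
        for path, value in _leaves(settings):
            if not any(_SENSITIVE_KEY_RE.search(part) for part in path):
                continue
            if value in (None, ""):
                continue
            if isinstance(value, str) and _FERNET_TOKEN_RE.match(value):
                continue  # stored as ciphertext, as it should be
            findings.append(f"{label}:auth_settings.{'.'.join(path)}")
    return findings


# Constructed sample records (not exported from a real instance).
SAMPLE_PROJECTS = [
    {"name": "billing-agent", "auth_settings": {
        "auth_type": "api_key",
        "api_key": "sk-live-0123456789abcdef",           # cleartext: finding
        "oauth": {"client_secret": "shh-not-encrypted"},  # cleartext: finding
    }},
    {"name": "patched-project", "auth_settings": {
        "auth_type": "api_key",
        "api_key": "gAAAAABn9Qm1x1Qv3w2w7rKk8N1bQ4cJZtY7p2bXhQ1zvB2mNfWmQ3bC6a8hK_e3w8x2P3y9Zr0Q8vNq6yD0cPa2pIbLhP5Qkw==",
    }},
    {"name": "no-auth", "auth_settings": None},
]

if __name__ == "__main__":
    for v in ("1.8.3", "1.9.1rc1", "1.9.1", "1.10.0"):
        print(f"langflow {v}: {'AFFECTED' if is_affected(v) else 'fixed'}")
    for finding in find_cleartext_auth_settings(SAMPLE_PROJECTS):
        print("cleartext secret:", finding)
```

Run `fetch_version("http://langflow.internal:7860")` against your own instance to feed `is_affected`; the scanner takes whatever your instance's project records look like once loaded as Python dicts, so the key matching is by name and will need tuning if your deployment stores secrets under other field names.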
Affected (5 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| langflow-ai | langflow | — | — |
| langflow-ai | langflow | — | — |
| langflow-ai | langflow | — | — |
| langflow-ai | langflow | — | — |
| langflow | langflow | >= 0 < 1.9.1 | 1.9.1 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 4.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |
| NVD | 4.0 | 2.1 | LOW | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| NVD | 2.0 | 4.0 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:N/A:N |
GHSA · 2026-05-05 · CVE-2026-42175 [MEDIUM] CWE-918
requests-hardened is Vulnerable to Server-Side Request Forgery
The SSRF protection in `requests-hardened` prior to version 1.2.1 fails to block IP addresses within the RFC 6598 Shared Address Space (`100.64.0.0/10`). An attacker who can supply arbitrary URLs to `requests-hardened` could exploit this gap to access internal services hosted within `100.64.0.0/10`. This is for example relevant in environments such as AWS EKS where `100.64.0.0/10` is commonly used as the default pod CIDR.
The impact is environment-dependent: deployments that use the affected CIDR range for internal networking are exposed to an SSRF bypass, while others may not be affected.
The issue is resolved in version 1.2.1 by extending the IP filtering logic to explicitly block the RFC 6598 range in addition to standar
GHSA · 2026-04-20 · CVE-2026-6598 [LOW] CWE-312
Langflow: Cleartext Storage of Authentication Settings in Project Creation Endpoint
GHSA (unreviewed) · 2026-04-20 · CVE-2026-6598 [MEDIUM] CWE-312
GHSA-9jpj-cph8-w449
VulDB · 2026-04-19 · CVE-2026-6598 [LOW]
langflow-ai langflow up to 1.8.3 Project Creation Endpoint projects.py create_project/encrypt_auth_settings cleartext storage in file
A vulnerability classified as problematic was found in langflow-ai langflow up to 1.8.3. The affected element is the function create_project/encrypt_auth_settings of the file src/backend/base/Langflow/api/v1/projects.py of the component Project Creation Endpoint. Such manipulation of the argument auth_settings leads to cleartext storage in a file or on disk.
This vulnerability is uniquely identified as CVE-2026-6598. The attack can be launched remotely. Moreover, an exploit is present.
The vendor was contacted early about this disclosure but did not respond in any way.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.