
Langflow-Ai Langflow vulnerabilities

34 known vulnerabilities affecting langflow-ai/langflow.

Total CVEs: 34
CISA KEV: 1 (actively exploited)
Public exploits: 4
Exploited in wild: 4
Severity breakdown: CRITICAL 10, HIGH 11, MEDIUM 11, LOW 2

Vulnerabilities

Page 1 of 2
CVE-2025-3248 | P1 | CRITICAL | CVSS 9.8 | KEV | PoC | fixed in 1.9.0 | 2025-04-07
CWE-306: Langflow versions prior to 1.3.0 are susceptible to code injection in the /api/v1/validate/code endpoint. A remote and unauthenticated attacker can send crafted HTTP requests to execute arbitrary code.
nvd
CVE-2026-21445 | P1 | CRITICAL | CVSS 9.1 | Exploited | PoC | fixed in 1.7.0.dev45 | 2026-01-02
CWE-306: Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to version 1.7.0.dev45, multiple critical API endpoints in Langflow are missing authentication controls. The issue allows any unauthenticated user to access sensitive user conversation data, transaction histories, and perform destructive operations including messa
nvd
CVE-2026-5027 | P1 | HIGH | CVSS 8.8 | Exploited | PoC | v0 | 2026-03-27
CWE-22: The 'POST /api/v2/files' endpoint does not sanitize the 'filename' parameter from the multipart form data, allowing an attacker to write files to arbitrary locations on the filesystem using path traversal sequences ('../').
nvd
CVE-2026-55255 | P1 | CRITICAL | CVSS 9.9 | Exploited | fixed in 1.9.2 | 2026-06-23
CWE-639: Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to 1.9.2, an Insecure Direct Object Reference (IDOR) vulnerability in /api/v1/responses endpoint allows an authenticated attacker to execute any flow belonging to another user by specifying the victim's flow ID in the request. This vulnerability is fixed in 1.9.2.
nvd
CVE-2026-27966 | P1 | CRITICAL | CVSS 9.8 | PoC | fixed in 1.8.0 | 2026-02-26
CWE-94: Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to version 1.8.0, the CSV Agent node in Langflow hardcodes `allow_dangerous_code=True`, which automatically exposes LangChain’s Python REPL tool (`python_repl_ast`). As a result, an attacker can execute arbitrary Python and OS commands on the server via prompt inje
nvd
CVE-2026-42048 | P2 | CRITICAL | CVSS 9.6 | fixed in 1.9.0 | 2026-05-12
CWE-22: Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to 1.9.0, Langflow is vulnerable to Path Traversal in the Knowledge Bases API (DELETE /api/v1/knowledge_bases). This occurs because user-supplied knowledge base names are concatenated directly into file paths without proper sanitization or boundary validation. An a
nvd
CVE-2026-33873 | P2 | CRITICAL | CVSS 9.9 | fixed in 1.9.0 | 2026-03-27
CWE-94: Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to version 1.9.0, the Agentic Assistant feature in Langflow executes LLM-generated Python code during its validation phase. Although this phase appears intended to validate generated component code, the implementation reaches dynamic execution sinks and instantiate
nvd
CVE-2026-33475 | P2 | CRITICAL | CVSS 9.1 | fixed in 1.9.0 | 2026-03-24
CWE-74: Langflow is a tool for building and deploying AI-powered agents and workflows. An unauthenticated remote shell injection vulnerability exists in multiple GitHub Actions workflows in the Langflow repository prior to version 1.9.0. Unsanitized interpolation of GitHub context variables (e.g., `${{ github.head_ref }}`) in `run:` steps allows attackers
nvd
CVE-2026-33484 | P2 | HIGH | CVSS 7.5 | v>= 1.0.0, < 1.9.0 | 2026-03-24
CWE-284: Langflow is a tool for building and deploying AI-powered agents and workflows. In versions 1.0.0 through 1.8.1, the `/api/v1/files/images/{flow_id}/{file_name}` endpoint serves image files without any authentication or ownership check. Any unauthenticated request with a known flow_id and file_name returns the image with HTTP 200. In a multi-tenant dep
nvd
CVE-2025-57760 | P2 | HIGH | CVSS 8.8 | ≤ 1.5.0 | 2025-08-25
CWE-269: Langflow is a tool for building and deploying AI-powered agents and workflows. A privilege escalation vulnerability exists in Langflow containers where an authenticated user with RCE access can invoke the internal CLI command langflow superuser to create a new administrative user. This results in full superuser access, even if the user initially regis
nvd
CVE-2026-48519 | P3 | CRITICAL | CVSS 9.6 | fixed in 1.9.2 | 2026-06-23
CWE-94: Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to 1.9.2, the "Shareable Playground" (or "Public Flows" in code) contains a critical RCE vulnerability. The Shareable Playground feature works by enabling the execution of workflows by unauthenticated users, by accessing a link. Specifically, it enables the route /api/
nvd
CVE-2026-33053 | P3 | HIGH | CVSS 8.8 | fixed in 1.9.0 | 2026-03-20
CWE-639: Langflow is a tool for building and deploying AI-powered agents and workflows. In versions prior to 1.9.0, the delete_api_key_route() endpoint accepts an api_key_id path parameter and deletes it with only a generic authentication check (get_current_active_user dependency). However, the delete_api_key() CRUD function does NOT verify that the API key bel
nvd
CVE-2026-34046 | P3 | HIGH | CVSS 8.8 | fixed in 1.5.1 | 2026-03-27
CWE-639: Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to version 1.5.1, the `_read_flow` helper in `src/backend/base/langflow/api/v1/flows.py` branched on the `AUTO_LOGIN` setting to decide whether to filter by `user_id`. When `AUTO_LOGIN` was `False` (i.e., authentication was enabled), neither branch enforced an ownersh
nvd
CVE-2026-33497 | P3 | HIGH | CVSS 7.5 | fixed in 1.7.1 | 2026-03-24
CWE-22: Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to version 1.7.1, in the download_profile_picture function of the /profile_pictures/{folder_name}/{file_name} endpoint, the folder_name and file_name parameters are not strictly filtered, which allows the secret_key to be read across directories. Version 1.7.1 contains
nvd
CVE-2026-55450 | P3 | CRITICAL | CVSS 9.3 | fixed in 1.9.1 | 2026-06-23
CWE-200: Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to 1.9.1, unauthenticated users can upload any amount of data to the server without any limitations. No need for any prior knowledge, only network access to Langflow. This can lead to space exhaustion on the server. In addition, in the response, the absolute path
nvd
CVE-2026-33760 | P3 | HIGH | CVSS 8.8 | fixed in 1.9.0 | 2026-06-23
CWE-639: Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to 1.9.0, Langflow's /api/v1/monitor router exposes 7 endpoints that perform read, write, and delete operations on user-owned resources — messages, sessions, build artifacts, and LLM transaction logs — without verifying that the authenticated requester owns the target
nvd
CVE-2026-55447 | P3 | CRITICAL | CVSS 9.6 | fixed in 1.9.2 | 2026-06-23
CWE-61: Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to 1.9.2, by controlling files that are digested into the RAG, an attacker can direct the node to read any file on the file-system by absolute path. All components based on BaseFileComponent are vulnerable to the vulnerability. This includes Docling (DoclingInlin
nvd
CVE-2026-6596 | P3 | HIGH | CVSS 7.3 | v1.0 | v1.1.0 | 2026-04-20
CWE-284: A security flaw has been discovered in langflow-ai langflow up to 1.1.0. This issue affects the function create_upload_file of the file src/backend/base/Langflow/api/v1/endpoints.py of the component API Endpoint. The manipulation results in unrestricted upload. It is possible to launch the attack remotely. The exploit has been released to the public and
nvd
CVE-2025-68477 | P3 | MEDIUM | CVSS 6.5 | fixed in 1.7.0 | 2025-12-19
CWE-918: Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to version 1.7.0, Langflow provides an API Request component that can issue arbitrary HTTP requests within a flow. This component takes a user-supplied URL, performs only normalization and basic format checks, and then sends the request using a server-side httpx cli
nvd
CVE-2025-68478 | P3 | HIGH | CVSS 7.1 | v>= 1.2.0, < 1.9.0 | 2025-12-19
CWE-73: Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to version 1.7.0, if an arbitrary path is specified in the request body's `fs_path`, the server serializes the Flow object into JSON and creates/overwrites a file at that path. There is no path restriction, normalization, or allowed directory enforcement, so absolute p
nvd