
Langflow — Vulnerabilities & Security Advisories 43

All 43 CVE vulnerabilities found in Langflow, with AI-generated Chinese analysis, references, and POCs.

This page aggregates vulnerability data for the Langflow product, focusing on common weakness enumerations and security advisories. It collects information regarding known security flaws, configuration errors, and potential exploit vectors associated with this open-source framework that enables users to build and deploy generative AI applications. The coverage includes reported issues spanning from the initial release period up to the most recent updates, ensuring a comprehensive view of the product's security landscape over time. By centralizing these records, the page allows security professionals, developers, and auditors to efficiently track Langflow-specific vendor advisories and patch releases. Users can explore how specific weakness classes, such as injection flaws or improper access controls, have manifested within this particular technology stack. Furthermore, the aggregated data provides historical context for individual product versions, helping teams understand the evolution of security risks and the remediation efforts applied over the product's lifecycle. This resource serves as a reference point for assessing the current risk posture of Langflow deployments and identifying patterns in reported defects. It supports informed decision-making regarding system upgrades, mitigations, and compliance requirements by presenting a clear, structured overview of all known vulnerabilities. The information is organized to facilitate quick lookup of specific issues while also offering a broader perspective on the overall security health of the software. Readers can utilize this data to benchmark their own implementations against reported findings and stay updated on the latest security developments relevant to their Langflow infrastructure.

Vendor: n/a

| CVE ID | Title | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|
| CVE-2026-48520 | Langflow: Unauthenticated Shareable Playground arbitrary local or S3 file read | CWE-73 | 6.1 | Medium | 2026-06-23 |
| CVE-2026-33760 | Langflow: IDOR/BOLA in Monitor API — Missing Ownership Enforcement on 7 Endpoints | CWE-639 | 8.8 | High | 2026-06-23 |
| CVE-2026-42867 | Langflow: Path Traversal in Knowledge Bases API via Creation Endpoint | CWE-22 | 6.5 | Medium | 2026-06-23 |
| CVE-2026-55255 | Langflow: IDOR Vulnerability in `/api/v1/responses` Endpoint Allows Authenticated Attackers to Access Another User's Flow | CWE-639 | 9.9 | Critical | 2026-06-23 |
| CVE-2026-55423 | Langflow: Logout button does not clear session | CWE-613 | 6.1 | Medium | 2026-06-23 |
| CVE-2026-55446 | Langflow: Unauthenticated DoS through multipart form boundary file upload | CWE-400 | 7.5 | High | 2026-06-23 |
| CVE-2026-48519 | Langflow: Unauthenticated RCE in Shareable Playgrounds | CWE-94 | 9.6 | Critical | 2026-06-23 |
| CVE-2026-55447 | Langflow: BaseFileComponent-based nodes arbitrary file read with RCE exploit | CWE-61 | 9.6 | Critical | 2026-06-23 |
| CVE-2026-55450 | Langflow: Unauthenticated file upload leads to DoS (space exhaustion) and information leak | CWE-200 | 9.3 | Critical | 2026-06-23 |
| CVE-2026-12822 | langflow-ai langflow Bundle URL Loader code injection | CWE-94 | 5.3 | Medium | 2026-06-21 |
| CVE-2026-42048 | Langflow: Path Traversal in Langflow Knowledge Bases API | CWE-22 | 9.6 | Critical | 2026-05-12 |
| CVE-2026-7700 | langflow-ai langflow LambdaFilterComponent lambda_filter.p eval code injection | CWE-94 | 6.3 | Medium | 2026-05-03 |
| CVE-2026-7687 | langflow-ai langflow Full Builtins code_parser.py CodeParser.parse_callable_details command injection | CWE-77 | 6.3 | Medium | 2026-05-03 |
| CVE-2026-6600 | langflow-ai langflow Frontend React Component Rendering edit-message.tsx cross site scripting | CWE-79 | 3.5 | Low | 2026-04-20 |
| CVE-2026-6599 | langflow-ai langflow Model Context Protocol Configuration API mcp_projects.py install_mcp_config injection | CWE-74 | 6.3 | Medium | 2026-04-20 |
| CVE-2026-6598 | langflow-ai langflow Project Creation Endpoint projects.py encrypt_auth_settings cleartext storage in file | CWE-313 | 4.3 | Medium | 2026-04-20 |
| CVE-2026-6597 | langflow-ai langflow Flow Using API core.py has_api_terms credentials storage | CWE-256 | 2.7 | Low | 2026-04-20 |
| CVE-2026-6596 | langflow-ai langflow API Endpoint endpoints.py create_upload_file unrestricted upload | CWE-434 | 7.3 | High | 2026-04-20 |
| CVE-2026-34046 | Langflow: Authenticated Users Can Read, Modify, and Delete Any Flow via Missing Ownership Check | CWE-639 | 8.2 | - | 2026-03-27 |
| CVE-2026-33873 | Langflow has Authenticated Code Execution in Agentic Assistant Validation | CWE-94 | 8.8 | - | 2026-03-27 |
| CVE-2026-5027 | Langflow - Path Traversal Arbitrary File Write via upload_user_file | CWE-22 | 8.8 | High | 2026-03-27 |
| CVE-2026-5026 | Langflow - Stored XSS via Malicious SVG Upload | CWE-79 | 5.4 | - | 2026-03-27 |
| CVE-2026-5025 | Langflow - Application Logs Exposed to All Authenticated Users | CWE-862 | 6.5 | Medium | 2026-03-27 |
| CVE-2026-5022 | Langflow - Missing Authorization on download_image Endpoint | CWE-862 | 5.3 | - | 2026-03-27 |
| CVE-2026-33497 | Langflow: /profile_pictures/{folder_name}/{file_name} endpoint file reading | CWE-22 | 6.5 | - | 2026-03-24 |
| CVE-2026-33484 | Langflow has Unauthenticated IDOR on Image Downloads | CWE-284 | 7.5 | High | 2026-03-24 |
| CVE-2026-33475 | Langflow GitHub Actions Shell Injection | CWE-74 | 9.1 | Critical | 2026-03-24 |
| CVE-2026-33309 | Langflow has an Arbitrary File Write (RCE) via v2 API | CWE-22 | 10.0 | Critical | 2026-03-24 |
| CVE-2026-33053 | Langflow has Missing Ownership Verification in API Key Deletion (IDOR) | CWE-639 | 8.2 | - | 2026-03-20 |
| CVE-2026-33017 | Langflow has Unauthenticated Remote Code Execution via Public Flow Build Endpoint | CWE-94 | 9.8 | - | 2026-03-20 |

All 43 known CVE vulnerabilities affecting Langflow with full Chinese analysis, references, and POCs where available.