langflow-ai
Products: langflow
81.1
Score
20
CVEs
2
Active
18
PoC
2
KEV
#35
Rank
Period:
Product:
| CVE ID | Published | CVSS | Exploit | KEV | AC | PR | Auto | Score(hover) | Affected Products | Description |
|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2026-33760 | 2026-06-23 | 8.8v3.1 | POC | — | Low | Low | no | 0.0 | langflow | Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to 1.9.0, Langflow's /api/v1/monitor router exposes 7 endpoints that perform read, write, and delete operations on user-owned resources — messages, sessions, build artifacts, and LLM transaction logs — without verif |
| CVE-2026-42867 | 2026-06-23 | 6.5v3.1 | POC | — | Low | None | YES | 0.0 | langflow | Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to 1.9.0, Langflow is vulnerable to Path Traversal in the Knowledge Bases API (POST /api/v1/knowledge_bases). This occurs because user-supplied knowledge base names are used directly to create file paths without pro |
| CVE-2026-55255 | 2026-06-23 | 9.9v3.1 | POC | — | Low | Low | no | 0.0 | langflow | Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to 1.9.2, an Insecure Direct Object Reference (IDOR) vulnerability in /api/v1/responses endpoint allows an authenticated attacker to execute any flow belonging to another user by specifying the victim's flow ID in t |
| CVE-2026-55446 | 2026-06-23 | 7.5v3.1 | POC | — | Low | None | YES | 0.0 | langflow | Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to 1.0.19, an attacker can send a /api/v1/files/upload/ request without any authentication token/cookies and abuse a very long multipart form boundary to make the langflow app unusable for all users for an indefinit |
| CVE-2026-55450 | 2026-06-23 | 9.3v3.1 | POC | — | Low | None | YES | 0.0 | langflow | Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to 1.9.1, unauthenticated users can upload any amount of data to the server without any limitations. No need for any prior knowledge, only network access to Langflow. This can lead to space exhaustion on the server. |
| CVE-2026-42048 | 2026-05-12 | 9.6v3.1 | POC | — | Low | Low | no | 0.0 | langflow | Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to 1.9.0, Langflow is vulnerable to Path Traversal in the Knowledge Bases API (DELETE /api/v1/knowledge_bases). This occurs because user-supplied knowledge base names are concatenated directly into file paths withou |
| CVE-2026-6596 | 2026-04-20 | 6.9v4.0 | POC | — | Low | None | no | 0.0 | langflow | A security flaw has been discovered in langflow-ai langflow up to 1.1.0. This issue affects the function create_upload_file of the file src/backend/base/Langflow/api/v1/endpoints.py of the component API Endpoint. The manipulation results in unrestricted upload. It is possible to launch the attack re |
| CVE-2026-6597 | 2026-04-20 | 5.1v4.0 | POC | — | Low | High | no | 0.0 | langflow | A weakness has been identified in langflow-ai langflow up to 1.8.3. Impacted is the function remove_api_keys/has_api_terms of the file src/backend/base/langflow/api/utils/core.py of the component Flow Using API. This manipulation causes unprotected storage of credentials. The attack can be initiated |
| CVE-2026-6598 | 2026-04-20 | 5.3v4.0 | POC | — | Low | Low | no | 0.0 | langflow | A security vulnerability has been detected in langflow-ai langflow up to 1.8.3. The affected element is the function create_project/encrypt_auth_settings of the file src/backend/base/Langflow/api/v1/projects.py of the component Project Creation Endpoint. Such manipulation of the argument auth_settin |
| CVE-2026-6599 | 2026-04-20 | 5.3v4.0 | POC | — | Low | Low | no | 0.0 | langflow | A vulnerability was detected in langflow-ai langflow up to 1.8.3. The impacted element is the function get_client_ip/install_mcp_config of the file src/backend/base/langflow/api/v1/mcp_projects.py of the component Model Context Protocol Configuration API. Performing a manipulation of the argument X- |
| CVE-2026-33309 | 2026-03-24 | 10.0v3.1 | POC | — | Low | Low | no | 0.0 | langflow | Langflow is a tool for building and deploying AI-powered agents and workflows. Versions 1.2.0 through 1.8.1 have a bypass of the patch for CVE-2025-68478 (External Control of File Name), leading to the root architectural issue within `LocalStorageService` remaining unresolved. Because the underlying |
| CVE-2026-33475 | 2026-03-24 | 9.1v3.1 | POC | — | Low | None | YES | 0.0 | langflow | Langflow is a tool for building and deploying AI-powered agents and workflows. An unauthenticated remote shell injection vulnerability exists in multiple GitHub Actions workflows in the Langflow repository prior to version 1.9.0. Unsanitized interpolation of GitHub context variables (e.g., `${{ gith |
| CVE-2026-33484 | 2026-03-24 | 7.5v3.1 | POC | — | Low | None | YES | 0.0 | langflow | Langflow is a tool for building and deploying AI-powered agents and workflows. In versions 1.0.0 through 1.8.1, the `/api/v1/files/images/{flow_id}/{file_name}` endpoint serves image files without any authentication or ownership check. Any unauthenticated request with a known flow_id and file_name r |
| CVE-2026-33497 | 2026-03-24 | 8.7v4.0 | POC | — | Low | None | YES | 0.0 | langflow | Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to version 1.7.1, in the download_profile_picture function of the /profile_pictures/{folder_name}/{file_name} endpoint, the folder_name and file_name parameters are not strictly filtered, which allows the secret_key |
| CVE-2026-33017 | 2026-03-20 | 9.3v4.0 | ACTIVE | Low | None | YES | 40.6 | langflow | Langflow is a tool for building and deploying AI-powered agents and workflows. In versions prior to 1.9.0, the POST /api/v1/build_public_tmp/{flow_id}/flow endpoint allows building public flows without requiring authentication. When the optional data parameter is supplied, the endpoint uses attacker | |
| CVE-2026-27966 | 2026-02-26 | 9.8v3.1 | POC | — | Low | None | YES | 0.0 | langflow | Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to version 1.8.0, the CSV Agent node in Langflow hardcodes `allow_dangerous_code=True`, which automatically exposes LangChain’s Python REPL tool (`python_repl_ast`). As a result, an attacker can execute arbitrary Py |
| CVE-2025-68477 | 2025-12-19 | 7.7v3.1 | POC | — | Low | Low | no | 0.0 | langflow | Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to version 1.7.0, Langflow provides an API Request component that can issue arbitrary HTTP requests within a flow. This component takes a user-supplied URL, performs only normalization and basic format checks, and t |
| CVE-2025-68478 | 2025-12-19 | 7.1v3.1 | POC | — | Low | Low | no | 0.0 | langflow | Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to version 1.7.0, if an arbitrary path is specified in the request body's `fs_path`, the server serializes the Flow object into JSON and creates/overwrites a file at that path. There is no path restriction, normaliz |
| CVE-2025-57760 | 2025-08-25 | 8.8v3.1 | POC | — | Low | Low | no | 0.0 | langflow | Langflow is a tool for building and deploying AI-powered agents and workflows. A privilege escalation vulnerability exists in Langflow containers where an authenticated user with RCE access can invoke the internal CLI command langflow superuser to create a new administrative user. This results in fu |
| CVE-2025-3248 | 2025-04-07 | 9.8v3.1 | ACTIVE | Low | None | YES | 40.6 | langflow | Langflow versions prior to 1.3.0 are susceptible to code injection in the /api/v1/validate/code endpoint. A remote and unauthenticated attacker can send crafted HTTP requests to execute arbitrary code. |
Each CVE: 10 pts base (Active only), boosted by:
KEV×2.0AC: Low×1.2PR: None×1.3PR: Low×1.1Auto×1.3