
langflow — Vulnerabilities & Security Advisories (33)

All 33 CVE vulnerabilities found in langflow, with AI-generated Chinese analysis, references, and POCs.

This page aggregates known security vulnerabilities for the open-source AI workflow engine Langflow. It focuses on weaknesses that allow unauthorized access, data exposure, or service disruption within the application’s orchestration layer. The content covers advisory notices and reported flaws from the software’s public release history up to the present day. Visitors can use this resource to track Langflow’s vendor response timelines, understand the patterns behind specific weakness classes such as insecure deserialization or injection flaws, and review the complete history of defects associated with various releases. The collection aims to provide developers and security teams with a centralized view of the product’s security posture without relying on fragmented sources. By organizing these records, the page facilitates easier comparison between different versions and highlights critical updates that require immediate attention. Users seeking to assess the risk profile of integrating Langflow into their infrastructure can find detailed descriptions of how each vulnerability was exploited and the corresponding mitigation strategies. This structured approach helps in prioritizing patch management and understanding the broader context of security incidents affecting the platform. The information presented is strictly factual, focusing on technical details and remediation steps to support informed decision-making for system administrators and developers working with the framework.

Vendor: n/a

| CVE ID | Title | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|
| CVE-2026-42048 | Langflow: Path Traversal in Langflow Knowledge Bases API | CWE-22 | 9.6 | Critical | 2026-05-12 |
| CVE-2026-7700 | langflow-ai langflow LambdaFilterComponent lambda_filter.p eval code injection | CWE-94 | 6.3 | Medium | 2026-05-03 |
| CVE-2026-7687 | langflow-ai langflow Full Builtins code_parser.py CodeParser.parse_callable_details command injection | CWE-77 | 6.3 | Medium | 2026-05-03 |
| CVE-2026-6600 | langflow-ai langflow Frontend React Component Rendering edit-message.tsx cross site scripting | CWE-79 | 3.5 | Low | 2026-04-20 |
| CVE-2026-6599 | langflow-ai langflow Model Context Protocol Configuration API mcp_projects.py install_mcp_config injection | CWE-74 | 6.3 | Medium | 2026-04-20 |
| CVE-2026-6598 | langflow-ai langflow Project Creation Endpoint projects.py encrypt_auth_settings cleartext storage in file | CWE-313 | 4.3 | Medium | 2026-04-20 |
| CVE-2026-6597 | langflow-ai langflow Flow Using API core.py has_api_terms credentials storage | CWE-256 | 2.7 | Low | 2026-04-20 |
| CVE-2026-6596 | langflow-ai langflow API Endpoint endpoints.py create_upload_file unrestricted upload | CWE-434 | 7.3 | High | 2026-04-20 |
| CVE-2026-34046 | Langflow: Authenticated Users Can Read, Modify, and Delete Any Flow via Missing Ownership Check | CWE-639 | 8.2 | - | 2026-03-27 |
| CVE-2026-33873 | Langflow has Authenticated Code Execution in Agentic Assistant Validation | CWE-94 | 8.8 | - | 2026-03-27 |
| CVE-2026-5027 | Langflow - Path Traversal Arbitrary File Write via upload_user_file | CWE-22 | 8.8 | High | 2026-03-27 |
| CVE-2026-5026 | Langflow - Stored XSS via Malicious SVG Upload | CWE-79 | 5.4 | - | 2026-03-27 |
| CVE-2026-5025 | Langflow - Application Logs Exposed to All Authenticated Users | CWE-862 | 6.5 | Medium | 2026-03-27 |
| CVE-2026-5022 | Langflow - Missing Authorization on download_image Endpoint | CWE-862 | 5.3 | - | 2026-03-27 |
| CVE-2026-33497 | Langflow: /profile_pictures/{folder_name}/{file_name} endpoint file reading | CWE-22 | 6.5 | - | 2026-03-24 |
| CVE-2026-33484 | Langflow has Unauthenticated IDOR on Image Downloads | CWE-284 | 7.5 | High | 2026-03-24 |
| CVE-2026-33475 | Langflow GitHub Actions Shell Injection | CWE-74 | 9.1 | Critical | 2026-03-24 |
| CVE-2026-33309 | Langflow has an Arbitrary File Write (RCE) via v2 API | CWE-22 | 10.0 | Critical | 2026-03-24 |
| CVE-2026-33053 | Langflow has Missing Ownership Verification in API Key Deletion (IDOR) | CWE-639 | 8.2 | - | 2026-03-20 |
| CVE-2026-33017 | Langflow has Unauthenticated Remote Code Execution via Public Flow Build Endpoint | CWE-94 | 9.8 | - | 2026-03-20 |
| CVE-2026-27966 | Langflow has Remote Code Execution in CSV Agent | CWE-94 | 9.8 | Critical | 2026-02-26 |
| CVE-2026-0772 | Langflow Disk Cache Deserialization of Untrusted Data Remote Code Execution Vulnerability | CWE-502 | 8.8 | - | 2026-01-23 |
| CVE-2026-0771 | Langflow PythonFunction Code Injection Remote Code Execution Vulnerability | CWE-94 | 9.8 | - | 2026-01-23 |
| CVE-2026-0770 | Langflow exec_globals Inclusion of Functionality from Untrusted Control Sphere Remote Code Execution Vulnerability | CWE-829 | 9.8 | - | 2026-01-23 |
| CVE-2026-0769 | Langflow eval_custom_component_code Eval Injection Remote Code Execution Vulnerability | CWE-95 | 9.8 | - | 2026-01-23 |
| CVE-2026-0768 | Langflow code Code Injection Remote Code Execution Vulnerability | CWE-94 | 9.8 | - | 2026-01-23 |
| CVE-2026-21445 | Langflow Missing Authentication on Critical API Endpoints | CWE-306 | 9.4 | - | 2026-01-02 |
| CVE-2025-68478 | Langflow Vulnerable to External Control of File Name or Path | CWE-73 | 7.1 | High | 2025-12-19 |
| CVE-2025-68477 | Langflow vulnerable to Server-Side Request Forgery | CWE-918 | 7.7 | High | 2025-12-19 |
| CVE-2025-34291 | Langflow <= 1.6.9 CORS Misconfiguration to Token Hijack & RCE | CWE-346 | 8.8 | - | 2025-12-05 |
