
langflow — Vulnerabilities & Security Advisories (33)

All 33 CVE vulnerabilities found in langflow, with AI-generated Chinese analysis, references, and POCs.

This page aggregates vulnerability data for the Langflow product: CVE records, their CWE classifications, and the security advisories published for this open-source framework for building and deploying generative AI applications. It covers reported flaws, configuration weaknesses and known exploit vectors from the project's early releases up to the most recent updates, so the product's security history can be reviewed in one place. Centralizing the records lets security engineers, developers and auditors track Langflow-specific advisories and patch releases, see how particular weakness classes (code injection, path traversal, missing authorization) have appeared in this stack, and relate individual findings to the release periods in which they were reported and fixed. The list is intended as a reference for assessing the current risk posture of a Langflow deployment, deciding on upgrades and mitigations, and meeting compliance requirements. It is organized for quick lookup of a specific CVE while still giving a broader view of the software's overall security record, so readers can compare their own deployments against the reported findings and follow new disclosures relevant to their Langflow infrastructure.

Vendor: n/a

| CVE ID | Title | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|
| CVE-2026-42048 | Langflow: Path Traversal in Langflow Knowledge Bases API | CWE-22 | 9.6 | Critical | 2026-05-12 |
| CVE-2026-7700 | langflow-ai langflow LambdaFilterComponent lambda_filter.p eval code injection | CWE-94 | 6.3 | Medium | 2026-05-03 |
| CVE-2026-7687 | langflow-ai langflow Full Builtins code_parser.py CodeParser.parse_callable_details command injection | CWE-77 | 6.3 | Medium | 2026-05-03 |
| CVE-2026-6600 | langflow-ai langflow Frontend React Component Rendering edit-message.tsx cross site scripting | CWE-79 | 3.5 | Low | 2026-04-20 |
| CVE-2026-6599 | langflow-ai langflow Model Context Protocol Configuration API mcp_projects.py install_mcp_config injection | CWE-74 | 6.3 | Medium | 2026-04-20 |
| CVE-2026-6598 | langflow-ai langflow Project Creation Endpoint projects.py encrypt_auth_settings cleartext storage in file | CWE-313 | 4.3 | Medium | 2026-04-20 |
| CVE-2026-6597 | langflow-ai langflow Flow Using API core.py has_api_terms credentials storage | CWE-256 | 2.7 | Low | 2026-04-20 |
| CVE-2026-6596 | langflow-ai langflow API Endpoint endpoints.py create_upload_file unrestricted upload | CWE-434 | 7.3 | High | 2026-04-20 |
| CVE-2026-34046 | Langflow: Authenticated Users Can Read, Modify, and Delete Any Flow via Missing Ownership Check | CWE-639 | 8.2 | - | 2026-03-27 |
| CVE-2026-33873 | Langflow has Authenticated Code Execution in Agentic Assistant Validation | CWE-94 | 8.8 | - | 2026-03-27 |
| CVE-2026-5027 | Langflow - Path Traversal Arbitrary File Write via upload_user_file | CWE-22 | 8.8 | High | 2026-03-27 |
| CVE-2026-5026 | Langflow - Stored XSS via Malicious SVG Upload | CWE-79 | 5.4 | - | 2026-03-27 |
| CVE-2026-5025 | Langflow - Application Logs Exposed to All Authenticated Users | CWE-862 | 6.5 | Medium | 2026-03-27 |
| CVE-2026-5022 | Langflow - Missing Authorization on download_image Endpoint | CWE-862 | 5.3 | - | 2026-03-27 |
| CVE-2026-33497 | Langflow: /profile_pictures/{folder_name}/{file_name} endpoint file reading | CWE-22 | 6.5 | - | 2026-03-24 |
| CVE-2026-33484 | Langflow has Unauthenticated IDOR on Image Downloads | CWE-284 | 7.5 | High | 2026-03-24 |
| CVE-2026-33475 | Langflow GitHub Actions Shell Injection | CWE-74 | 9.1 | Critical | 2026-03-24 |
| CVE-2026-33309 | Langflow has an Arbitrary File Write (RCE) via v2 API | CWE-22 | 10.0 | Critical | 2026-03-24 |
| CVE-2026-33053 | Langflow has Missing Ownership Verification in API Key Deletion (IDOR) | CWE-639 | 8.2 | - | 2026-03-20 |
| CVE-2026-33017 | Langflow has Unauthenticated Remote Code Execution via Public Flow Build Endpoint | CWE-94 | 9.8 | - | 2026-03-20 |
| CVE-2026-27966 | Langflow has Remote Code Execution in CSV Agent | CWE-94 | 9.8 | Critical | 2026-02-26 |
| CVE-2026-0772 | Langflow Disk Cache Deserialization of Untrusted Data Remote Code Execution Vulnerability | CWE-502 | 8.8 | - | 2026-01-23 |
| CVE-2026-0771 | Langflow PythonFunction Code Injection Remote Code Execution Vulnerability | CWE-94 | 9.8 | - | 2026-01-23 |
| CVE-2026-0770 | Langflow exec_globals Inclusion of Functionality from Untrusted Control Sphere Remote Code Execution Vulnerability | CWE-829 | 9.8 | - | 2026-01-23 |
| CVE-2026-0769 | Langflow eval_custom_component_code Eval Injection Remote Code Execution Vulnerability | CWE-95 | 9.8 | - | 2026-01-23 |
| CVE-2026-0768 | Langflow code Code Injection Remote Code Execution Vulnerability | CWE-94 | 9.8 | - | 2026-01-23 |
| CVE-2026-21445 | Langflow Missing Authentication on Critical API Endpoints | CWE-306 | 9.4 | - | 2026-01-02 |
| CVE-2025-68478 | Langflow Vulnerable to External Control of File Name or Path | CWE-73 | 7.1 | High | 2025-12-19 |
| CVE-2025-68477 | Langflow vulnerable to Server-Side Request Forgery | CWE-918 | 7.7 | High | 2025-12-19 |
| CVE-2025-34291 | Langflow <= 1.6.9 CORS Misconfiguration to Token Hijack & RCE | CWE-346 | 8.8 | - | 2025-12-05 |
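As a worked example of triaging this list (added here; it is not code from the page or from the Langflow project), the following Python parses the rows above in the flattened form the page renders them in, fills the missing severity column from the CVSS v3.x qualitative scale, checks that the stated severities agree with their scores, and groups the findings by CWE. The row regex assumes the page's layout exactly as rendered (severity glued to the publication date, "-" where none is given); the row text is the table's own data, embedded so the script runs offline.

```python
import re
from collections import Counter
from dataclasses import dataclass

# The 30 rows of the table above, copied in the flattened form the page renders:
# "<CVE> <title> <CWE> <CVSS> <severity><published>", severity "-" when absent.
PAGE_ROWS = """\
CVE-2026-42048 Langflow: Path Traversal in Langflow Knowledge Bases API CWE-22 9.6 Critical2026-05-12
CVE-2026-7700 langflow-ai langflow LambdaFilterComponent lambda_filter.p eval code injection CWE-94 6.3 Medium2026-05-03
CVE-2026-7687 langflow-ai langflow Full Builtins code_parser.py CodeParser.parse_callable_details command injection CWE-77 6.3 Medium2026-05-03
CVE-2026-6600 langflow-ai langflow Frontend React Component Rendering edit-message.tsx cross site scripting CWE-79 3.5 Low2026-04-20
CVE-2026-6599 langflow-ai langflow Model Context Protocol Configuration API mcp_projects.py install_mcp_config injection CWE-74 6.3 Medium2026-04-20
CVE-2026-6598 langflow-ai langflow Project Creation Endpoint projects.py encrypt_auth_settings cleartext storage in file CWE-313 4.3 Medium2026-04-20
CVE-2026-6597 langflow-ai langflow Flow Using API core.py has_api_terms credentials storage CWE-256 2.7 Low2026-04-20
CVE-2026-6596 langflow-ai langflow API Endpoint endpoints.py create_upload_file unrestricted upload CWE-434 7.3 High2026-04-20
CVE-2026-34046 Langflow: Authenticated Users Can Read, Modify, and Delete Any Flow via Missing Ownership Check CWE-639 8.2 -2026-03-27
CVE-2026-33873 Langflow has Authenticated Code Execution in Agentic Assistant Validation CWE-94 8.8 -2026-03-27
CVE-2026-5027 Langflow - Path Traversal Arbitrary File Write via upload_user_file CWE-22 8.8 High2026-03-27
CVE-2026-5026 Langflow - Stored XSS via Malicious SVG Upload CWE-79 5.4 -2026-03-27
CVE-2026-5025 Langflow - Application Logs Exposed to All Authenticated Users CWE-862 6.5 Medium2026-03-27
CVE-2026-5022 Langflow - Missing Authorization on download_image Endpoint CWE-862 5.3 -2026-03-27
CVE-2026-33497 Langflow: /profile_pictures/{folder_name}/{file_name} endpoint file reading CWE-22 6.5 -2026-03-24
CVE-2026-33484 Langflow has Unauthenticated IDOR on Image Downloads CWE-284 7.5 High2026-03-24
CVE-2026-33475 Langflow GitHub Actions Shell Injection CWE-74 9.1 Critical2026-03-24
CVE-2026-33309 Langflow has an Arbitrary File Write (RCE) via v2 API CWE-22 10.0 Critical2026-03-24
CVE-2026-33053 Langflow has Missing Ownership Verification in API Key Deletion (IDOR) CWE-639 8.2 -2026-03-20
CVE-2026-33017 Langflow has Unauthenticated Remote Code Execution via Public Flow Build Endpoint CWE-94 9.8 -2026-03-20
CVE-2026-27966 Langflow has Remote Code Execution in CSV Agent CWE-94 9.8 Critical2026-02-26
CVE-2026-0772 Langflow Disk Cache Deserialization of Untrusted Data Remote Code Execution Vulnerability CWE-502 8.8 -2026-01-23
CVE-2026-0771 Langflow PythonFunction Code Injection Remote Code Execution Vulnerability CWE-94 9.8 -2026-01-23
CVE-2026-0770 Langflow exec_globals Inclusion of Functionality from Untrusted Control Sphere Remote Code Execution Vulnerability CWE-829 9.8 -2026-01-23
CVE-2026-0769 Langflow eval_custom_component_code Eval Injection Remote Code Execution Vulnerability CWE-95 9.8 -2026-01-23
CVE-2026-0768 Langflow code Code Injection Remote Code Execution Vulnerability CWE-94 9.8 -2026-01-23
CVE-2026-21445 Langflow Missing Authentication on Critical API Endpoints CWE-306 9.4 -2026-01-02
CVE-2025-68478 Langflow Vulnerable to External Control of File Name or Path CWE-73 7.1 High2025-12-19
CVE-2025-68477 Langflow vulnerable to Server-Side Request Forgery CWE-918 7.7 High2025-12-19
CVE-2025-34291 Langflow <= 1.6.9 CORS Misconfiguration to Token Hijack & RCE CWE-346 8.8 -2025-12-05
"""

# Assumed layout of one row (matches the page as rendered above): the title is
# matched lazily so it ends at the first "CWE-nnn <score>" pair, and the severity
# word (or "-") runs straight into the ISO date with no separator.
ROW_RE = re.compile(
    r"^(?P<cve>CVE-\d{4}-\d{4,})\s+(?P<title>.+?)\s+(?P<cwe>CWE-\d+)\s+"
    r"(?P<cvss>\d{1,2}\.\d)\s+(?P<severity>Critical|High|Medium|Low|-)"
    r"(?P<published>\d{4}-\d{2}-\d{2})$"
)


def cvss_rating(score: float) -> str:
    """CVSS v3.x qualitative scale: None 0.0, Low 0.1-3.9, Medium 4.0-6.9,
    High 7.0-8.9, Critical 9.0-10.0."""
    if score >= 9.0:
        return "Critical"
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    return "Low" if score >= 0.1 else "None"


@dataclass(frozen=True)
class Advisory:
    cve: str
    title: str
    cwe: str
    cvss: float
    severity: str  # as stated on the page; "-" when the page gives none
    published: str

    @property
    def rating(self) -> str:
        """Severity derived from the score, so rows marked '-' still get one."""
        return cvss_rating(self.cvss)


def parse_rows(text: str) -> list:
    advisories = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ROW_RE.match(line)
        if m is None:  # fail loudly rather than silently dropping a CVE
            raise ValueError(f"row does not match the page layout: {line!r}")
        advisories.append(Advisory(m["cve"], m["title"], m["cwe"],
                                   float(m["cvss"]), m["severity"], m["published"]))
    return advisories


def severity_mismatches(advisories) -> list:
    """CVEs whose stated severity disagrees with the CVSS scale ('-' rows are skipped)."""
    return [a.cve for a in advisories if a.severity != "-" and a.severity != a.rating]


def count_by_cwe(advisories) -> Counter:
    return Counter(a.cwe for a in advisories)


def critical(advisories) -> list:
    """Rows rated Critical by score, highest first, whatever the page's severity column says."""
    return sorted((a for a in advisories if a.rating == "Critical"),
                  key=lambda a: (-a.cvss, a.published))


if __name__ == "__main__":
    advs = parse_rows(PAGE_ROWS)
    print(f"{len(advs)} rows parsed; severity mismatches: {severity_mismatches(advs)}")
    for cwe, n in count_by_cwe(advs).most_common():
        print(f"  {cwe}: {n}")
    for a in critical(advs):
        note = " (no severity on page)" if a.severity == "-" else ""
        print(f"  {a.cve} {a.cvss} {a.title}{note}")
```

Running it shows that six of the ten score-Critical rows carry no severity on the page, which is why grouping on the derived rating rather than the printed column gives the right patching priority; the CWE counts make the dominant class (CWE-94 code injection) visible at a glance.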
