Skip to main content

CVE-2026-34046

| EUVDEUVD-2026-16850 HIGH
Authorization Bypass Through User-Controlled Key (CWE-639)
2026-03-27 https://github.com/langflow-ai/langflow GHSA-8c4j-f57c-35cf
8.7
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

4
EUVD ID Assigned
Mar 27, 2026 - 19:38 euvd
EUVD-2026-16850
Analysis Generated
Mar 27, 2026 - 19:38 vuln.today
Patch released
Mar 27, 2026 - 19:38 nvd
Patch available
CVE Published
Mar 27, 2026 - 19:36 nvd
HIGH 8.7

DescriptionGitHub Advisory

Vulnerability

IDOR in GET/PATCH/DELETE /api/v1/flow/{flow_id}

The _read_flow helper in src/backend/base/langflow/api/v1/flows.py branched on the AUTO_LOGIN setting to decide whether to filter by user_id. When AUTO_LOGIN was False (i.e., authentication was enabled), neither branch enforced an ownership check - the query returned any flow matching the given UUID regardless of who owned it.

This exposed any authenticated user to:

  • Read any other user's flow, including embedded plaintext API keys
  • Modify the logic of another user's AI agents
  • Delete flows belonging to other users

The vulnerability was introduced by the conditional logic that was meant to accommodate public/example flows (those with user_id = NULL) under auto-login mode, but inadvertently left the authenticated path without an ownership filter.

---

Fix (PR #8956)

The fix removes the AUTO_LOGIN conditional entirely and unconditionally scopes the query to the requesting user:

diff
-    auth_settings = settings_service.auth_settings
-    stmt = select(Flow).where(Flow.id == flow_id)
-    if auth_settings.AUTO_LOGIN:
-        stmt = stmt.where(
-            (Flow.user_id == user_id) | (Flow.user_id == None)
# noqa: E711
-        )
+    stmt = select(Flow).where(Flow.id == flow_id).where(Flow.user_id == user_id)

All three operations - read, update, and delete - route through _read_flow, so the single change covers the full attack surface. A cross-user isolation test (test_read_flows_user_isolation) was added to prevent regression.

---

Acknowledgements

Langflow thanks the security researcher who responsibly disclosed this vulnerability:

AnalysisAI

Insecure Direct Object Reference (IDOR) in Langflow API allows authenticated users to read, modify, or delete any flow belonging to other users via unvalidated flow_id parameters in GET/PATCH/DELETE /api/v1/flow/{flow_id} endpoints. The vulnerability affects both the langflow and langflow-base Python packages, enabling attackers with valid credentials to exfiltrate sensitive data (including plaintext API keys embedded in flows), tamper with AI agent logic, or destroy other users' workflows. A vendor-released patch (PR #8956) is available. No public exploit code identified at time of analysis, though the vulnerability is straightforward to exploit given the clear description and patch differential in the advisory.

Technical ContextAI

The vulnerability stems from flawed conditional logic in the _read_flow helper function (src/backend/base/langflow/api/v1/flows.py) that handled database queries for flow retrieval. When AUTO_LOGIN was disabled (authentication enabled), the SQLAlchemy query constructed a SELECT statement filtering only by flow_id (Flow.id flow_id) without validating that the requesting user owned the resource. The code attempted to handle public/example flows (user_id = NULL) in auto-login mode by adding an OR condition, but the authenticated branch omitted user_id validation entirely. This represents a classic CWE-639 (Authorization Bypass Through User-Controlled Key) where the application trusted client-supplied UUIDs without server-side ownership verification. Because all three HTTP methods (GET, PATCH, DELETE) routed through this single helper function, the authorization failure created a complete CRUD vulnerability surface across user-isolated resources. The fix enforces mandatory user_id scoping by unconditionally adding .where(Flow.user_id user_id) to the query, eliminating the AUTO_LOGIN branching logic.

RemediationAI

Apply the vendor-released patch immediately by upgrading to the Langflow version containing PR #8956, available at https://github.com/langflow-ai/langflow/pull/8956. Organizations should verify the installed version includes the fix by confirming the _read_flow function in src/backend/base/langflow/api/v1/flows.py unconditionally filters queries with .where(Flow.user_id == user_id) without AUTO_LOGIN branching logic. After patching, conduct an incident response review to identify potential unauthorized access by auditing application logs for cross-user flow access patterns (different user_id values accessing the same flow_id). Rotate any API keys or credentials embedded in flows, as these may have been exfiltrated during the vulnerability window. No effective workaround exists short of disabling multi-user access or implementing a reverse proxy with custom authorization logic, both of which are operationally impractical. Consult the official advisory at https://github.com/langflow-ai/langflow/security/advisories/GHSA-8c4j-f57c-35cf for version-specific upgrade guidance and the cross-user isolation regression test (test_read_flows_user_isolation) to validate proper fix deployment.

Share

CVE-2026-34046 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy