Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionGitHub Advisory
Vulnerability
IDOR in GET/PATCH/DELETE /api/v1/flow/{flow_id}
The _read_flow helper in src/backend/base/langflow/api/v1/flows.py branched on the AUTO_LOGIN setting to decide whether to filter by user_id. When AUTO_LOGIN was False (i.e., authentication was enabled), neither branch enforced an ownership check - the query returned any flow matching the given UUID regardless of who owned it.
This exposed any authenticated user to:
- Read any other user's flow, including embedded plaintext API keys
- Modify the logic of another user's AI agents
- Delete flows belonging to other users
The vulnerability was introduced by the conditional logic that was meant to accommodate public/example flows (those with user_id = NULL) under auto-login mode, but inadvertently left the authenticated path without an ownership filter.
---
Fix (PR #8956)
The fix removes the AUTO_LOGIN conditional entirely and unconditionally scopes the query to the requesting user:
- auth_settings = settings_service.auth_settings
- stmt = select(Flow).where(Flow.id == flow_id)
- if auth_settings.AUTO_LOGIN:
- stmt = stmt.where(
- (Flow.user_id == user_id) | (Flow.user_id == None)
# noqa: E711
- )
+ stmt = select(Flow).where(Flow.id == flow_id).where(Flow.user_id == user_id)All three operations - read, update, and delete - route through _read_flow, so the single change covers the full attack surface. A cross-user isolation test (test_read_flows_user_isolation) was added to prevent regression.
---
Acknowledgements
Langflow thanks the security researcher who responsibly disclosed this vulnerability:
AnalysisAI
Insecure Direct Object Reference (IDOR) in Langflow API allows authenticated users to read, modify, or delete any flow belonging to other users via unvalidated flow_id parameters in GET/PATCH/DELETE /api/v1/flow/{flow_id} endpoints. The vulnerability affects both the langflow and langflow-base Python packages, enabling attackers with valid credentials to exfiltrate sensitive data (including plaintext API keys embedded in flows), tamper with AI agent logic, or destroy other users' workflows. A vendor-released patch (PR #8956) is available. No public exploit code identified at time of analysis, though the vulnerability is straightforward to exploit given the clear description and patch differential in the advisory.
Technical ContextAI
The vulnerability stems from flawed conditional logic in the _read_flow helper function (src/backend/base/langflow/api/v1/flows.py) that handled database queries for flow retrieval. When AUTO_LOGIN was disabled (authentication enabled), the SQLAlchemy query constructed a SELECT statement filtering only by flow_id (Flow.id flow_id) without validating that the requesting user owned the resource. The code attempted to handle public/example flows (user_id = NULL) in auto-login mode by adding an OR condition, but the authenticated branch omitted user_id validation entirely. This represents a classic CWE-639 (Authorization Bypass Through User-Controlled Key) where the application trusted client-supplied UUIDs without server-side ownership verification. Because all three HTTP methods (GET, PATCH, DELETE) routed through this single helper function, the authorization failure created a complete CRUD vulnerability surface across user-isolated resources. The fix enforces mandatory user_id scoping by unconditionally adding .where(Flow.user_id user_id) to the query, eliminating the AUTO_LOGIN branching logic.
RemediationAI
Apply the vendor-released patch immediately by upgrading to the Langflow version containing PR #8956, available at https://github.com/langflow-ai/langflow/pull/8956. Organizations should verify the installed version includes the fix by confirming the _read_flow function in src/backend/base/langflow/api/v1/flows.py unconditionally filters queries with .where(Flow.user_id == user_id) without AUTO_LOGIN branching logic. After patching, conduct an incident response review to identify potential unauthorized access by auditing application logs for cross-user flow access patterns (different user_id values accessing the same flow_id). Rotate any API keys or credentials embedded in flows, as these may have been exfiltrated during the vulnerability window. No effective workaround exists short of disabling multi-user access or implementing a reverse proxy with custom authorization logic, both of which are operationally impractical. Consult the official advisory at https://github.com/langflow-ai/langflow/security/advisories/GHSA-8c4j-f57c-35cf for version-specific upgrade guidance and the cross-user isolation regression test (test_read_flows_user_isolation) to validate proper fix deployment.
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-16850
GHSA-8c4j-f57c-35cf