Is there a public PoC exploit available for CVE-2026-6598?

Yes, a public proof-of-concept exploit is available for CVE-2026-6598. Prioritise patching immediately. EPSS: 0.0%.

Is there a patch available for CVE-2026-6598?

Yes, a patch is available for CVE-2026-6598. Update the affected software to the latest version immediately.

Langflow CVE-2026-6598

Q: What is the CVSS score of CVE-2026-6598?

CVE-2026-6598 has a CVSS 4.0 base score of 2.1 (Low). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.0%.

EUVD-2026-23760 LOW

Cleartext Storage in a File or on Disk (CWE-313)

2026-04-20 VulDB

Information Disclosure Langflow

2.1

CVSS 4.0 · NVD

Severity by source

NVD PRIMARY

2.1 LOW

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Lifecycle Timeline

Severity Changed

Apr 29, 2026 - 01:12 NVD

MEDIUM LOW

CVSS changed

Apr 29, 2026 - 01:12 NVD

5.3 (MEDIUM) 2.1 (LOW)

PoC Detected

Apr 29, 2026 - 01:00 vuln.today

Public exploit code

CVSS changed

Apr 20, 2026 - 04:22 NVD

4.3 (MEDIUM) 5.3 (MEDIUM)

Analysis Generated

Apr 20, 2026 - 04:08 vuln.today

EUVD ID Assigned

Apr 20, 2026 - 04:00 euvd

EUVD-2026-23760

Analysis Generated

Apr 20, 2026 - 04:00 vuln.today

CVE Published

Apr 20, 2026 - 02:45 nvd

LOW 2.1

DescriptionCVE.org

A security vulnerability has been detected in langflow-ai langflow up to 1.8.3. The affected element is the function create_project/encrypt_auth_settings of the file src/backend/base/Langflow/api/v1/projects.py of the component Project Creation Endpoint. Such manipulation of the argument auth_settings leads to cleartext storage in a file or on disk. The attack can be launched remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

AnalysisAI

Langflow up to version 1.8.3 stores authentication settings in cleartext on disk when processing project creation requests, allowing authenticated remote attackers to read sensitive credentials. The vulnerability exists in the create_project/encrypt_auth_settings function within the Project Creation Endpoint, where the auth_settings parameter bypasses encryption despite the function's intent. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon

Authenticate to Langflow platform

Delivery

Navigate to project creation endpoint

Exploit

Submit POST request with auth_settings parameter

Install

Trigger create_project/encrypt_auth_settings function

Credentials stored in plaintext on disk

Execute

Attacker reads plaintext auth_settings from project configuration file

Impact

Stolen credentials used against downstream services