Description
Langflow is a tool for building and deploying AI-powered agents and workflows. In versions 1.0.0 through 1.8.1, the `/api/v1/files/images/{flow_id}/{file_name}` endpoint serves image files without any authentication or ownership check. Any unauthenticated request with a known flow_id and file_name returns the image with HTTP 200. In a multi-tenant deployment, any attacker who can discover or guess a `flow_id` (UUIDs can be leaked through other API responses) can download any user's uploaded images without credentials. Version 1.9.0 contains a patch.
Published: 2026-03-24
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized File Disclosure
Action: Patch
AI Analysis

Impact

A vulnerability in Langflow allows anyone to download image files from a tenant without authenticating. The /api/v1/files/images/{flow_id}/{file_name} endpoint serves requested images without verifying the requester's identity or whether the image belongs to the requester. This flaw lets attackers collect visual data that may contain sensitive content, violating confidentiality and potentially enabling further reconnaissance.

Affected Systems

The flaw affects all Langflow releases from 1.0.0 up to 1.8.1, published by langflow-ai. Release 1.9.0 includes a patch that enforces authentication checks on the image download route.

Risk and Exploitability

The CVSS score of 7.5 signals a high severity vulnerability. No EPSS data is reported, and the issue is not included in the CISA Known Exploited Vulnerabilities catalog. Exploitation requires only an unauthenticated HTTP GET request once the attacker knows or can guess the flow_id and file_name, which are often exposed through other API responses. The low barrier to attack and the potential to expose all tenants' uploaded images make this flaw a significant risk in a multi-tenant deployment.
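To make the missing-authorization (CWE-862) and user-controlled-key (CWE-639) conditions concrete, here is an added illustration, not Langflow's own code, of a download handler in the vulnerable shape beside one that checks the caller's identity and flow ownership. The token map, flow table, UUIDs and image bytes are constructed sample data standing in for a real session store and file backend.

```python
"""Illustrative authorization check for a per-flow image download route.

Added example (not Langflow's code): a stripped-down stand-in for the
/api/v1/files/images/{flow_id}/{file_name} route, backed by in-memory
dictionaries so it runs offline. All names and values are constructed.
"""
from typing import Optional, Tuple

# Constructed sample data: session tokens -> users, flows -> owners, stored images.
USERS_BY_TOKEN = {"tok-alice": "alice", "tok-bob": "bob"}
FLOW_OWNERS = {
    "11111111-1111-4111-8111-111111111111": "alice",
    "22222222-2222-4222-8222-222222222222": "bob",
}
IMAGES = {
    ("11111111-1111-4111-8111-111111111111", "chart.png"): b"\x89PNG alice-data",
}


def vulnerable_get_image(flow_id: str, file_name: str,
                         token: Optional[str] = None) -> Tuple[int, bytes]:
    """Shape of the pre-1.9.0 bug: the token is never consulted, so any caller
    who knows flow_id and file_name receives the bytes with HTTP 200."""
    data = IMAGES.get((flow_id, file_name))
    return (200, data) if data is not None else (404, b"")


def hardened_get_image(flow_id: str, file_name: str,
                       token: Optional[str] = None) -> Tuple[int, bytes]:
    """Require an authenticated user, then confirm the flow belongs to that
    user before touching storage. Unknown and foreign flows both return 404,
    so the response does not reveal whether a guessed UUID exists."""
    user = USERS_BY_TOKEN.get(token or "")
    if user is None:
        return (401, b"")                      # no valid session: reject
    if FLOW_OWNERS.get(flow_id) != user:
        return (404, b"")                      # not the caller's flow: hide it
    data = IMAGES.get((flow_id, file_name))
    return (200, data) if data is not None else (404, b"")
```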

Generated by OpenCVE AI on March 24, 2026 at 20:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Langflow to version 1.9.0 or newer to apply the vendor patch that adds authentication to the image download endpoint.
  • If an upgrade cannot be performed immediately, restrict the /api/v1/files/images endpoint so that only authenticated users can access it, for example by requiring an API key or token or by disabling the endpoint for unauthenticated traffic.
  • Apply firewall rules or segment the network so that only trusted IP addresses can reach the application, limiting the exposure surface of the vulnerable endpoint.
  • Continuously monitor access logs for unauthorized image download attempts and investigate any suspicious activity.

Generated by OpenCVE AI on March 24, 2026 at 20:53 UTC.

Advisories
Source: Github GHSA
ID: GHSA-7grx-3xcx-2xv5
Title: langflow has Unauthenticated IDOR on Image Downloads
History

Tue, 24 Mar 2026 19:30:00 +0000

First Time appeared (added): Langflow; Langflow langflow
CPEs (added): cpe:2.3:a:langflow:langflow:*:*:*:*:*:*:*:*
Vendors & Products (added): Langflow; Langflow langflow

Tue, 24 Mar 2026 14:15:00 +0000

Metrics ssvc (added): {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 24 Mar 2026 13:45:00 +0000

Description (added): Langflow is a tool for building and deploying AI-powered agents and workflows. In versions 1.0.0 through 1.8.1, the `/api/v1/files/images/{flow_id}/{file_name}` endpoint serves image files without any authentication or ownership check. Any unauthenticated request with a known flow_id and file_name returns the image with HTTP 200. In a multi-tenant deployment, any attacker who can discover or guess a `flow_id` (UUIDs can be leaked through other API responses) can download any user's uploaded images without credentials. Version 1.9.0 contains a patch.
Title (added): Langflow has Unauthenticated IDOR on Image Downloads
Weaknesses (added): CWE-284, CWE-639, CWE-862
References (added):
Metrics cvssV3_1 (added): {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-24T13:37:14.286Z

Reserved: 2026-03-20T16:16:48.970Z

Link: CVE-2026-33484

Vulnrichment

Updated: 2026-03-24T13:37:03.579Z

NVD

Status : Analyzed

Published: 2026-03-24T14:16:30.607

Modified: 2026-03-24T19:20:13.567

Link: CVE-2026-33484

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-25T20:50:17Z

Weaknesses