Impact
Langflow is a tool for building and deploying AI‑powered agents and workflows. Prior to 1.9.0, its /api/v1/monitor router exposes seven endpoints that perform read, write, and delete operations on user‑owned resources—including messages, sessions, build artifacts, and LLM transaction logs—without verifying that the authenticated requester owns the targeted resource. Any authenticated user can read, modify, rename, or permanently delete another user’s data by supplying the target resource ID or flow_id. This is a classic IDOR/BOLA vulnerability. The same source file (monitor.py) contains one correctly implemented endpoint that uses an ownership check, demonstrating the correct pattern was known but inconsistently applied. The vulnerability is fixed in 1.9.0.
Affected Systems
The vulnerability affects the langflow project by langflow‑ai. Any deployment running a version earlier than 1.9.0 is susceptible; the issue was resolved in 1.9.0 and later releases.
Risk and Exploitability
The CVSS score of 8.8 marks the flaw as high severity, and the EPSS score is not available, so the likelihood of exploitation cannot be quantitatively assessed. The vulnerability is listed as not being in the CISA KEV catalog. Exploitation requires only a valid authenticated session, making the attack vector for authenticated users. Given the narrow privilege requirement and the implicit trust in the monitor endpoints, the risk to affected systems is significant.
OpenCVE Enrichment
Github GHSA