Description
Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to version 1.5.1, the `_read_flow` helper in `src/backend/base/langflow/api/v1/flows.py` branched on the `AUTO_LOGIN` setting to decide whether to filter by `user_id`. When `AUTO_LOGIN` was `False` (i.e., authentication was enabled), neither branch enforced an ownership check — the query returned any flow matching the given UUID regardless of who owned it. This allowed any authenticated user to read any other user's flow, including embedded plaintext API keys; modify the logic of another user's AI agents, and/or delete flows belonging to other users. The vulnerability was introduced by the conditional logic that was meant to accommodate public/example flows (those with `user_id = NULL`) under auto-login mode, but inadvertently left the authenticated path without an ownership filter. The fix in version 1.5.1 removes the `AUTO_LOGIN` conditional entirely and unconditionally scopes the query to the requesting user.
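The missing ownership filter and the corrected query, as a constructed Python example added here; this is not Langflow's code, and the SQLite table, the flow ids, and the exact shape of the auto-login branch are assumptions standing in for Langflow's flow model.

```python
import sqlite3

# Constructed in-memory stand-in for Langflow's flow table; not Langflow's real schema.
# Public/example flows carry user_id = NULL, user-owned flows carry their owner's id.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE flow (id TEXT PRIMARY KEY, user_id TEXT, data TEXT)")
    conn.executemany("INSERT INTO flow VALUES (?, ?, ?)", [
        ("flow-alice", "alice", "agent config holding alice's API key"),
        ("flow-bob", "bob", "agent config holding bob's API key"),
        ("flow-example", None, "public example flow"),
    ])
    return conn

def read_flow_vulnerable(conn, flow_id, user_id, auto_login):
    """Pre-1.5.1 pattern: a branch on AUTO_LOGIN decides whether user_id is used.
    The exact shape of the auto-login branch is an assumption."""
    if auto_login:
        # Auto-login mode: the single local user may see their own and NULL-owner example flows.
        sql = "SELECT id, user_id, data FROM flow WHERE id = ? AND (user_id = ? OR user_id IS NULL)"
        params = (flow_id, user_id)
    else:
        # Authenticated mode: keyed on the flow id alone, so any logged-in user gets any flow.
        # This is the missing ownership check (CWE-639 / CWE-862).
        sql = "SELECT id, user_id, data FROM flow WHERE id = ?"
        params = (flow_id,)
    return conn.execute(sql, params).fetchone()

def read_flow_fixed(conn, flow_id, user_id):
    """1.5.1 pattern: no AUTO_LOGIN branch; the query is always scoped to the requester."""
    sql = "SELECT id, user_id, data FROM flow WHERE id = ? AND user_id = ?"
    return conn.execute(sql, (flow_id, user_id)).fetchone()

def cross_user_reads(read, conn, user_id):
    """Regression check: ids of flows `user_id` can read that someone else owns.
    `read` takes (conn, flow_id, user_id); a non-empty result means the helper leaks flows."""
    rows = conn.execute("SELECT id, user_id FROM flow ORDER BY id").fetchall()
    return [fid for fid, owner in rows if owner != user_id and read(conn, fid, user_id) is not None]

if __name__ == "__main__":
    db = make_db()
    print(cross_user_reads(lambda c, f, u: read_flow_vulnerable(c, f, u, False), db, "bob"))
    print(cross_user_reads(read_flow_fixed, db, "bob"))
```

The same `cross_user_reads` check can be pointed at any per-object read helper as a unit test that fails when a query stops being scoped to the requester.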
Published: 2026-03-27
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation
Action: Immediate Patch
AI Analysis

Impact

An authorization bypass in Langflow allows any logged-in user to read, modify, or delete any other user's flow, because the code that should restrict access by user ID was omitted when the application was not set to auto-login. The attacker can obtain confidential information such as embedded plaintext API keys, alter AI agent logic, or delete valuable workflows. This is a direct violation of integrity and confidentiality controls.

Affected Systems

The vulnerability affects all releases of Langflow prior to version 1.5.1, including the langflow and langflow-base packages distributed by langflow-ai. Users running those versions are at risk until they apply the fix.

Risk and Exploitability

With a CVSS score of 8.7, the flaw is classified as high severity. No EPSS score is available, and the issue is not listed in the KEV catalog, suggesting it has not yet been widely exploited. Attackers must be authenticated, implying that any user credential can be abused. Once inside the system, the attacker has unrestricted access to other users' flows without additional privileges, making the exploit straightforward for anyone who can log into the application.

Generated by OpenCVE AI on March 27, 2026 at 21:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Langflow to version 1.5.1 or later, which removes the faulty auto‑login conditional and enforces ownership checks.

Advisories

Source: GitHub GHSA
ID: GHSA-8c4j-f57c-35cf
Title: Langflow: Authenticated Users Can Read, Modify, and Delete Any Flow via Missing Ownership Check
History

Tue, 31 Mar 2026 15:15:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 30 Mar 2026 08:15:00 +0000

Type: First Time appeared
Values Added: Langflow; Langflow langflow; Langflow langflow-base

Type: Vendors & Products
Values Added: Langflow; Langflow langflow; Langflow langflow-base

Fri, 27 Mar 2026 20:30:00 +0000

Type: Description
Values Added: the description text shown under Description above

Type: Title
Values Added: Langflow: Authenticated Users Can Read, Modify, and Delete Any Flow via Missing Ownership Check

Type: Weaknesses
Values Added: CWE-639; CWE-862

Type: References

Type: Metrics
Values Added: cvssV4_0 {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-01T03:55:31.834Z

Reserved: 2026-03-25T15:29:04.745Z

Link: CVE-2026-34046

Vulnrichment

Updated: 2026-03-31T13:57:14.353Z

NVD

Status: Awaiting Analysis

Published: 2026-03-27T21:17:27.753

Modified: 2026-03-30T13:26:07.647

Link: CVE-2026-34046

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-30T07:59:25Z

Weaknesses