Impact
Langflow is a tool for building and deploying AI-powered agents and workflows. In versions before 1.10.0, its Shareable Playground feature allows a flow to be made public so that any execution request can specify files to be read and fed into the LLM. The file paths can point to any supported storage location, including local files or S3 objects, and are not strictly validated. This arbitrary file-read flaw enables an unauthenticated attacker who can trigger a public flow to extract arbitrary files, potentially exposing sensitive data. The weakness is classified as CWE-73, an arbitrary file read attack.
Affected Systems
All installations of the Langflow AI application with versions prior to 1.10.0 are affected. The vulnerability resides in the Shareable Playground (Public Flows) feature that permits users to configure flows to accept arbitrary file paths and to execute publicly without authentication, making the file read attack possible.
Risk and Exploitability
The CVSS score of 6.1 indicates moderate severity. No EPSS score is available, and the issue is not listed in CISA’s KEV catalog. Attackers can exploit the flaw without authentication by configuring a flow with a publicly accessible endpoint that accepts arbitrary file paths, thereby reading sensitive data.
OpenCVE Enrichment
Github GHSA