Description
The '/api/v1/files/images/{flow_id}/{file_name}' endpoint does not enforce any authentication or authorization checks, allowing any unauthenticated user to download images belonging to any flow by knowing (or guessing) the flow ID and file name.
Published: 2026-03-27
Score: 6.3 Medium
EPSS: n/a
KEV: No
Impact: Unauthorized Data Exposure
Action: Apply Patch
AI Analysis

Impact

The vulnerability is located in the /api/v1/files/images/{flow_id}/{file_name} endpoint of Langflow. Authentication and authorization checks are missing, so any unauthenticated user can request a file by supplying a flow ID and file name. This permits the disclosure of images that may contain sensitive or confidential visual information, compromising confidentiality. The weakness is a missing authorization check on a protected resource (CWE-862).
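As an added illustration of the CWE-862 pattern the advisory describes (this is not Langflow's own code; the handler functions, token table, ownership map and image store are hypothetical, constructed for the example), the following shows a download handler with no access check beside a hardened one that requires an authenticated principal who owns the flow and also confines the requested file name to that flow's directory:

```python
import posixpath
from pathlib import PurePosixPath
from typing import Optional, Tuple

# Constructed sample state; not real Langflow data.
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}   # bearer token -> user
FLOW_OWNERS = {"flow-1": "alice", "flow-2": "bob"}   # flow_id -> owning user
IMAGE_STORE = {
    ("flow-1", "diagram.png"): b"\x89PNG...alice-bytes",
    ("flow-2", "logo.png"): b"\x89PNG...bob-bytes",
}
IMAGES_ROOT = "/var/lib/app/images"                  # hypothetical storage root

Response = Tuple[int, Optional[bytes]]


def download_image_unprotected(flow_id: str, file_name: str) -> Response:
    """CWE-862 shape: whoever knows or guesses flow_id/file_name gets the bytes."""
    data = IMAGE_STORE.get((flow_id, file_name))
    return (200, data) if data is not None else (404, None)


def safe_image_path(flow_id: str, file_name: str) -> Optional[str]:
    """Return <root>/<flow_id>/<file_name>, or None if either part could escape it."""
    for part in (flow_id, file_name):
        # A single path component only: no separators, no '.', no '..', not empty.
        if part in ("", ".", "..") or PurePosixPath(part).name != part:
            return None
    flow_dir = posixpath.join(IMAGES_ROOT, flow_id)
    candidate = posixpath.normpath(posixpath.join(flow_dir, file_name))
    # Belt and braces: the normalised path must still sit under the flow directory.
    return candidate if candidate.startswith(flow_dir + "/") else None


def download_image_protected(flow_id: str, file_name: str,
                             bearer_token: Optional[str] = None) -> Response:
    """Hardened form: authenticate, then authorize against flow ownership, then read."""
    user = SESSIONS.get(bearer_token or "")
    if user is None:
        return (401, None)                 # authentication: who is asking?
    if FLOW_OWNERS.get(flow_id) != user:
        return (403, None)                 # authorization: unknown flows look the same
    if safe_image_path(flow_id, file_name) is None:
        return (400, None)                 # malformed or traversing file name
    data = IMAGE_STORE.get((flow_id, file_name))
    return (200, data) if data is not None else (404, None)
```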

Affected Systems

Because the advisory does not specify affected versions, all Langflow installations should be treated as potentially affected. Any instance that exposes the described endpoint without proper authentication is susceptible until the issue is addressed.

Risk and Exploitability

The CVSS score of 6.3 indicates moderate severity; however, exploitation requires no authentication and can be performed remotely over the network, making it fairly easy to exploit. EPSS data is not available and the vulnerability is not listed in the CISA KEV catalog. Operators should consider this a moderate risk that warrants timely mitigation.

Generated by OpenCVE AI on March 27, 2026 at 16:22 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Apply the latest Langflow update that implements authentication for the /api/v1/files/images endpoint.

Advisories

No advisories yet.

History

Fri, 27 Mar 2026 15:15:00 +0000

Values added:
  • Metrics (ssvc): {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 27 Mar 2026 14:45:00 +0000

Values added:
  • Description: The '/api/v1/files/images/{flow_id}/{file_name}' endpoint does not enforce any authentication or authorization checks, allowing any unauthenticated user to download images belonging to any flow by knowing (or guessing) the flow ID and file name.
  • Title: Langflow - Missing Authorization on download_image Endpoint
  • Weaknesses: CWE-862
  • References
  • Metrics (cvssV4_0): {'score': 6.3, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: tenable

Published:

Updated: 2026-03-27T15:10:20.925Z

Reserved: 2026-03-27T14:24:15.496Z

Link: CVE-2026-5022

Vulnrichment

Updated: 2026-03-27T15:09:20.124Z

NVD

Status: Received

Published: 2026-03-27T15:17:04.293

Modified: 2026-03-27T15:17:04.293

Link: CVE-2026-5022

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-27T20:28:27Z

Weaknesses