Description
The '/logs' and '/logs-stream' endpoints in the log router allow any authenticated user to read the full application log buffer. These endpoints only require basic authentication ('get_current_active_user') without any privilege checks (e.g., 'is_superuser').
Published: 2026-03-27
Score: 6.5 Medium
EPSS: n/a
KEV: No
Impact: Unrestricted Access to Application Logs
Action: Patch Immediately
AI Analysis

Impact

The vulnerability lies in the /logs and /logs-stream endpoints of Langflow's log router. The endpoints only authenticate the caller (the get_current_active_user dependency) and do not enforce any privilege check such as is_superuser, so any authenticated user can invoke them. As a result, a user can download the entire application log buffer, potentially exposing sensitive data such as stack traces, configuration strings, or authentication tokens. This exposure directly violates confidentiality and is classified as a Missing Authorization weakness (CWE-862).
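The following is an added example, not Langflow's own code: it models the FastAPI-style dependency pattern the advisory describes, with the authentication-only gate (get_current_active_user) beside an assumed superuser gate (named get_current_active_superuser here) so the difference in outcome for an ordinary account is visible. The User model, the HTTPException stand-in and the LOG_BUFFER contents are constructed for the example.

```python
"""Added example (not Langflow's code): authentication-only access to the log
buffer beside the same handler behind a superuser check."""
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    """Minimal stand-in for an application user record (constructed)."""
    username: str
    is_active: bool
    is_superuser: bool


class HTTPException(Exception):
    """Stand-in for a framework HTTP error carrying a status code."""
    def __init__(self, status_code: int, detail: str):
        super().__init__(detail)
        self.status_code = status_code
        self.detail = detail


# Constructed in-memory log buffer; real buffers may hold tracebacks and config strings.
LOG_BUFFER = [
    "INFO startup complete",
    "DEBUG config loaded from /etc/app/config.toml (constructed path)",
    "ERROR Traceback (most recent call last): ... (constructed)",
]


def get_current_active_user(user: User) -> User:
    """Authentication only: any active account passes. This is the gate the advisory flags."""
    if not user.is_active:
        raise HTTPException(401, "Inactive user")
    return user


def get_current_active_superuser(user: User) -> User:
    """Authentication plus authorization: the account must hold the superuser flag.
    The dependency name is assumed for this example."""
    user = get_current_active_user(user)
    if not user.is_superuser:
        raise HTTPException(403, "The user doesn't have enough privileges")
    return user


def read_logs_vulnerable(user: User) -> list[str]:
    """Handler as described in the advisory: authenticated, but no privilege check."""
    get_current_active_user(user)
    return list(LOG_BUFFER)


def read_logs_fixed(user: User) -> list[str]:
    """Same handler behind the superuser dependency."""
    get_current_active_superuser(user)
    return list(LOG_BUFFER)


def status_for(handler, user: User) -> int:
    """Return the HTTP status the handler would produce for this user (200 on success)."""
    try:
        handler(user)
    except HTTPException as exc:
        return exc.status_code
    return 200


if __name__ == "__main__":
    alice = User("alice", is_active=True, is_superuser=False)
    admin = User("admin", is_active=True, is_superuser=True)
    for name, handler in [("vulnerable", read_logs_vulnerable), ("fixed", read_logs_fixed)]:
        print(name, "alice ->", status_for(handler, alice), "admin ->", status_for(handler, admin))
```

The point of the side-by-side is that the vulnerable handler answers 200 to any active account, while the corrected one answers 403 to the same account and 200 only to a superuser; an inactive account is rejected with 401 by both, since authentication was never the missing piece.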

Affected Systems

The affected product is the Langflow-AI Langflow application. No specific version information is provided in the advisory, so all installations that use the vulnerable log-router endpoints are presumed to be impacted. Administrators should verify whether the log endpoints are enabled in their deployment and consider which user accounts have access.

Risk and Exploitability

The CVSS score of 6.5 indicates a moderate severity. With no EPSS score provided and the issue absent from the CISA KEV catalog, the likelihood of widespread exploitation is uncertain; however, the attack condition only requires valid credentials. An attacker who obtains or compromises any user account can read all logs, making the vulnerability straightforward to exploit for anyone who can authenticate.

Generated by OpenCVE AI on March 27, 2026 at 16:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Langflow release that includes authorization checks for the /logs endpoints.
  • If an update is unavailable, restrict access to the log endpoints by removing them or adding role-based restrictions in the router configuration.
  • Verify that only privileged or super-user accounts can access logging routes.
  • Disable or hide the /logs and /logs-stream routes in production environments where log visibility is not required.
  • Monitor authentication logs for any unexpected usage of the log endpoints.
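As an added example of the monitoring step (not Langflow's own tooling), the script below parses constructed access-log lines, flags successful reads of /logs or /logs-stream by accounts that are not superusers, and counts them per account. The line format, the SUPERUSERS set and any route prefix in the sample are assumptions for the example; a real deployment would adapt the regex to its own access-log format and pull the superuser list from the user database.

```python
"""Added example (not Langflow's own code): flag reads of the log endpoints by
accounts that are not superusers, over constructed access-log lines."""
import re
from collections import Counter

# Constructed sample: one request per line as "<time> <user> <method> <path> <status>".
SAMPLE_ACCESS_LOG = """\
2026-03-27T15:00:01Z admin GET /logs 200
2026-03-27T15:00:05Z alice GET /api/v1/flows 200
2026-03-27T15:01:10Z bob GET /logs-stream 200
2026-03-27T15:01:12Z bob GET /logs 200
2026-03-27T15:02:00Z alice GET /logs?lines_before=500 200
2026-03-27T15:03:00Z carol GET /logs 403
this line is malformed and is skipped
"""

# Accounts holding the superuser flag (constructed; in practice read from the user database).
SUPERUSERS = {"admin"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$"
)
# Matches /logs and /logs-stream under any route prefix, with an optional query string.
LOG_ROUTE_RE = re.compile(r"^(?:/[^/?]+)*/logs(?:-stream)?(?:\?.*)?$")


def parse_access_log(text: str) -> list[dict]:
    """Parse well-formed lines into dicts; malformed lines are dropped rather than raised."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["status"] = int(rec["status"])
            records.append(rec)
    return records


def find_unprivileged_log_reads(text: str, superusers: set[str]) -> list[dict]:
    """Return requests that successfully reached a log route from a non-superuser.

    A 403 on these routes means an authorization check blocked the read and is
    not counted as exposure; a 2xx from a non-superuser is.
    """
    return [
        rec
        for rec in parse_access_log(text)
        if LOG_ROUTE_RE.match(rec["path"])
        and rec["user"] not in superusers
        and 200 <= rec["status"] < 300
    ]


def reads_per_user(findings: list[dict]) -> dict[str, int]:
    """Count exposed log reads per account, for alerting or follow-up."""
    return dict(Counter(rec["user"] for rec in findings))


if __name__ == "__main__":
    hits = find_unprivileged_log_reads(SAMPLE_ACCESS_LOG, SUPERUSERS)
    for rec in hits:
        print(f"{rec['ts']} {rec['user']} read {rec['path']}")
    print(reads_per_user(hits))
```

On the sample, the admin read is ignored, carol's 403 is treated as a blocked attempt rather than exposure, and the three successful reads by bob and alice are reported; after a fix is deployed, the same query should return nothing for non-superusers, which makes it a useful regression check as well as an alert source.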

Advisories

No advisories yet.

History

Fri, 27 Mar 2026 20:15:00 +0000

Type      Values Removed    Values Added
Metrics                     ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 27 Mar 2026 15:15:00 +0000

Type         Values Removed    Values Added
Description                    The '/logs' and '/logs-stream' endpoints in the log router allow any authenticated user to read the full application log buffer. These endpoints only require basic authentication ('get_current_active_user') without any privilege checks (e.g., 'is_superuser').
Title                          Langflow - Application Logs Exposed to All Authenticated Users
Weaknesses                     CWE-862
References
Metrics                        cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: tenable

Published:

Updated: 2026-03-27T15:38:54.925Z

Reserved: 2026-03-27T14:36:29.989Z

Link: CVE-2026-5025

Vulnrichment

Updated: 2026-03-27T15:38:49.156Z

NVD

Status : Received

Published: 2026-03-27T15:17:04.447

Modified: 2026-03-27T15:17:04.447

Link: CVE-2026-5025

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-27T20:28:25Z

Weaknesses