Description
Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to 1.7.0, the logout button does not clear the session. The previous user stays logged in unless another user explicitly logs in. This vulnerability is fixed in 1.7.0.
Published: 2026-06-23
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Langflow is a tool for building and deploying AI‑powered agents and workflows. The logout button fails to clear the user's session prior to version 1.7.0, leaving the previous user logged in until another user logs in. This flaw, identified as CWE‑613, allows an attacker to retain an authenticated session after the original user has logged out, leading to unauthorized access.

Affected Systems

Langflow AI’s Langflow application is affected. Versions before 1.7.0 do not clear the session on logout, while the issue is fixed in 1.7.0 and later releases.

Risk and Exploitability

The CVSS score of 6.1 places the vulnerability in the medium severity range. No EPSS score is provided, and the flaw is not listed in CISA’s KEV catalog, indicating limited public exploitation evidence. Based on the description, it is inferred that the attack vector is a remote attacker accessing the application via a web interface. A remote attacker could exploit the session persistence flaw if the application is reachable, potentially hijacking an authenticated session. Mitigation requires updating to the patched release or ensuring the logout action fully invalidates session tokens.

Generated by OpenCVE AI on June 24, 2026 at 11:00 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Langflow to version 1.7.0 or newer.
  • Manually delete remaining session data for logged‑out users by clearing session cookies or removing session entries in the database.
  • Implement server‑side session invalidation checks to ensure that logout fully terminates all session tokens and prevents reuse of session identifiers.

Generated by OpenCVE AI on June 24, 2026 at 11:00 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-7hw8-6q6r-4276 Langflow: Logout button does not clear session
History

Wed, 24 Jun 2026 16:15:00 +0000

Type Values Removed Values Added
First Time appeared Langflow
Langflow langflow
Vendors & Products Langflow
Langflow langflow

Tue, 23 Jun 2026 17:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 23 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
Description Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to 1.7.0, the logout button does not clear the session. The previous user stays logged in unless another user explicitly logs in. This vulnerability is fixed in 1.7.0.
Title Langflow: Logout button does not clear session
Weaknesses CWE-613
References
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N'}


Subscriptions

Langflow Langflow
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-23T17:07:10.031Z

Reserved: 2026-06-16T21:48:43.126Z

Link: CVE-2026-55423

cve-icon Vulnrichment

Updated: 2026-06-23T17:06:25.312Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-24T16:00:06Z

Weaknesses
  • CWE-613

    Insufficient Session Expiration