Impact
Langflow is a tool for building and deploying AI‑powered agents and workflows. The logout button fails to clear the user's session prior to version 1.7.0, leaving the previous user logged in until another user logs in. This flaw, identified as CWE‑613, allows an attacker to retain an authenticated session after the original user has logged out, leading to unauthorized access.
Affected Systems
Langflow AI’s Langflow application is affected. Versions before 1.7.0 do not clear the session on logout, while the issue is fixed in 1.7.0 and later releases.
Risk and Exploitability
The CVSS score of 6.1 places the vulnerability in the medium severity range. No EPSS score is provided, and the flaw is not listed in CISA’s KEV catalog, indicating limited public exploitation evidence. Based on the description, it is inferred that the attack vector is a remote attacker accessing the application via a web interface. A remote attacker could exploit the session persistence flaw if the application is reachable, potentially hijacking an authenticated session. Mitigation requires updating to the patched release or ensuring the logout action fully invalidates session tokens.
OpenCVE Enrichment
Github GHSA