Description
A weakness has been identified in langflow-ai langflow up to 1.8.3. Impacted is the function remove_api_keys/has_api_terms of the file src/backend/base/langflow/api/utils/core.py of the component Flow Using API. This manipulation causes unprotected storage of credentials. The attack can be initiated remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-04-20
Score: 5.1 Medium
EPSS: n/a
KEV: No
Impact: Credential Exposure
Action: Patch Immediately
AI Analysis

Impact

The flaw sits in the helper functions remove_api_keys and has_api_terms in src/backend/base/langflow/api/utils/core.py, part of the Flow Using API component, in Langflow up to and including 1.8.3. The reported outcome is that API credentials end up stored without protection (CWE-256, plaintext storage), so anyone who can read the stored flow data can recover them. The CVSS vectors mark the issue as network-reachable but requiring high privileges (PR:H), so the attacker needs an existing privileged Langflow account; a public exploit is available.

Affected Systems

The affected product is langflow-ai's Langflow (CPE cpe:2.3:a:langflow:langflow:*). All versions up to and including 1.8.3 are listed as affected. No fixed version is listed on this page, so check the vendor's release notes for a release newer than 1.8.3 that addresses the issue before treating an upgrade as the fix.

Risk and Exploitability

The headline score of 5.1 (Medium) is the CVSS 4.0 value, and its vector (CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P) includes the E:P (proof-of-concept) exploit-maturity metric; the CVSS 3.1 base score for the same issue is 2.7 (Low) and the CVSS 2.0 base score is 3.3. Every vector requires high privileges (PR:H in v3/v4, Au:M in v2), so although the issue is reachable over the network, the attacker must already hold a privileged Langflow account; this is not an unauthenticated remote flaw. EPSS is not available and the issue is not in CISA's KEV catalog, but a public proof-of-concept exists, so the risk is not negligible where untrusted users hold privileged accounts or where stored flow data (exports, backups, database dumps) is exposed. The weakness is classified as CWE-255 (Credentials Management Errors) and CWE-256 (Plaintext Storage of a Password, formerly titled Unprotected Storage of Credentials).

Generated by OpenCVE AI on April 20, 2026 at 03:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Langflow to the first release that fixes the unprotected credential storage, or apply any official vendor patch once one is published.
  • Treat any API key that may have been stored in flow data as exposed: rotate it at the provider, remove the stored copies from flows, exports and backups, and restrict file and database permissions so only the Langflow service account can read them.
  • Audit flow exports and the configuration to confirm that credential fields are not written in clear text and that secrets are supplied through the secret store or environment references rather than literal values.
  • Monitor logs for unusual reads or exports of flow data and credential storage locations, and investigate any unauthorized modifications.
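The audit and clean-up steps above can be scripted. The following is an added example, not Langflow's own code and not the fixed function: it walks an exported flow JSON and reports every credential-like field that still holds a literal value, then produces a scrubbed copy. It assumes the export layout {"data": {"nodes": [{"id": ..., "data": {"node": {"template": {field: {"value": ..., "password": bool}}}}}]}} and that secret inputs are flagged with "password": true; both are assumptions, as is the CREDENTIAL_TERMS list. Because the page does not say which field names slip through the reported check, the scanner flags a field as a secret either by that flag or by a broad set of name fragments, so a narrow name-based filter cannot let a credential pass unnoticed. The sample flow is constructed and its values are placeholders.

```python
"""Audit a Langflow flow export for credential values stored in clear text.

Added example, not Langflow's own code. Assumed export layout:
{"data": {"nodes": [{"id": ..., "data": {"node": {"template": {
    field_name: {"value": ..., "password": bool, ...}}}}}]}}
"""
import copy
import json
import re
from typing import Iterator, Tuple

# Hypothetical list of name fragments that usually denote a secret.
CREDENTIAL_TERMS = ("api_key", "apikey", "token", "secret", "password", "passwd", "credential")

# "${VAR}" or "$VAR" is a reference to an environment variable, not a literal secret.
_ENV_REF = re.compile(r"^\$\{?[A-Z_][A-Z0-9_]*\}?$")


def looks_like_credential_field(name: str, spec: dict) -> bool:
    """True if a template field is a secret, by the password flag or by its name."""
    if spec.get("password") is True:
        return True
    lowered = name.lower()
    # "tokens" (as in max_tokens) is a count, not a credential; drop it before matching.
    if "tokens" in lowered:
        lowered = lowered.replace("tokens", "")
    return any(term in lowered for term in CREDENTIAL_TERMS)


def has_plaintext_value(spec: dict) -> bool:
    """True if the field carries a non-empty literal string that is not an env reference."""
    value = spec.get("value")
    if not isinstance(value, str) or value.strip() == "":
        return False
    return _ENV_REF.match(value.strip()) is None


def _iter_credential_fields(flow: dict) -> Iterator[Tuple[str, str, dict]]:
    """Yield (node_id, field_name, spec) for every secret field holding a literal value."""
    for node in flow.get("data", {}).get("nodes", []):
        node_id = node.get("id", "<no-id>")
        template = node.get("data", {}).get("node", {}).get("template", {})
        for name, spec in template.items():
            if isinstance(spec, dict) and looks_like_credential_field(name, spec) and has_plaintext_value(spec):
                yield node_id, name, spec


def find_plaintext_credentials(flow: dict) -> list:
    """Return sorted 'node_id.field' paths of credentials stored in clear text."""
    return sorted(f"{node_id}.{name}" for node_id, name, _ in _iter_credential_fields(flow))


def scrub_credentials(flow: dict) -> dict:
    """Return a deep copy of the flow with every flagged literal secret set to None."""
    cleaned = copy.deepcopy(flow)
    for _, _, spec in list(_iter_credential_fields(cleaned)):
        spec["value"] = None
    return cleaned


# Constructed sample export; the key-looking strings are placeholders, not real credentials.
SAMPLE_FLOW = {
    "data": {
        "nodes": [
            {
                "id": "OpenAIModel-1a2b3",
                "data": {"node": {"template": {
                    "api_key": {"type": "str", "password": True, "value": "sk-CONSTRUCTED-0000"},
                    "model_name": {"type": "str", "value": "gpt-4o-mini"},
                    "max_tokens": {"type": "int", "value": 256},
                }}},
            },
            {
                "id": "HuggingFace-9z8y7",
                "data": {"node": {"template": {
                    # Secret by name only: this field lacks the password flag.
                    "hf_token": {"type": "str", "value": "hf_CONSTRUCTED_1111"},
                    # Env-var reference, so not a literal credential.
                    "db_password": {"type": "str", "password": True, "value": "${PGPASSWORD}"},
                }}},
            },
        ]
    }
}

if __name__ == "__main__":
    for path in find_plaintext_credentials(SAMPLE_FLOW):
        print("plaintext credential:", path)
    print(json.dumps(scrub_credentials(SAMPLE_FLOW), indent=2))
```

Run it against `json.load(open("flow.json"))` instead of SAMPLE_FLOW to audit a real export; any path it prints names a key that should be rotated, not merely deleted, since the literal value has already been at rest in clear text.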

Advisories

No advisories yet.

History

Mon, 20 Apr 2026 02:45:00 +0000

Type: Values added (no values removed in this entry)

Description: A weakness has been identified in langflow-ai langflow up to 1.8.3. Impacted is the function remove_api_keys/has_api_terms of the file src/backend/base/langflow/api/utils/core.py of the component Flow Using API. This manipulation causes unprotected storage of credentials. The attack can be initiated remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
Title: langflow-ai langflow Flow Using API core.py has_api_terms credentials storage
First Time appeared: Langflow; Langflow langflow
Weaknesses: CWE-255; CWE-256
CPEs: cpe:2.3:a:langflow:langflow:*:*:*:*:*:*:*:*
Vendors & Products: Langflow; Langflow langflow
References: (none)
Metrics:

cvssV2_0

{'score': 3.3, 'vector': 'AV:N/AC:L/Au:M/C:P/I:N/A:N/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 2.7, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 2.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P'}

MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-20T11:42:32.582Z

Reserved: 2026-04-19T13:46:59.741Z

Link: CVE-2026-6597

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-04-20T03:16:17.153

Modified: 2026-04-20T03:16:17.153

Link: CVE-2026-6597

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-20T03:30:41Z

Weaknesses