CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

NVD•added 5 hours ago•4 views

CVE-2026-55255

Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to 1.9.2, an Insecure Direct Object Reference IDOR vulnerability in /api/v1/responses endpoint allows an authenticated attacker to execute any flow belonging to another user by specifying the victim's flow ID in...

9.9CVSS

CVE-2026-55450

Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to 1.9.1, unauthenticated users can upload any amount of data to the server without any limitations. No need for any prior knowledge, only network access to Langflow. This can lead to space exhaustion on the...

9.3CVSS

NVD•added 5 hours ago•4 views

CVE-2026-55423

Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to 1.7.0, the logout button does not clear the session. The previous user stays logged in unless another user explicitly logs in. This vulnerability is fixed in 1.7.0...

6.1CVSS

Exploits0References3

CVE-2026-48519

Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to 1.9.2, the "Shareable Playground" or "Public Flows" in code contains a critical RCE vulnerability. Shareable Playground feature works by enabling the execution of workflows by unauthenticated users, by accessi...

9.6CVSS0.00092EPSS

CVE-2026-48520

Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to 1.10.0, the "Shareable Playground" or "Public Flows" in code contains a potential arbitrary file-read vulnerability, depending on the exact flow configuration used. By making a flow public, public execution of...

6.1CVSS0.00054EPSS

CVE-2026-42867

Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to 1.9.0, Langflow is vulnerable to Path Traversal in the Knowledge Bases API POST /api/v1/knowledgebases. This occurs because user-supplied knowledge base names are used directly to create file paths without...

6.5CVSS0.00056EPSS

NVD•added 5 hours ago•4 views

CVE-2026-33760

Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to 1.9.0, Langflow's /api/v1/monitor router exposes 7 endpoints that perform read, write, and delete operations on user-owned resources — messages, sessions, build artifacts, and LLM transaction logs — without...

8.8CVSS0.00039EPSS

Cvelist•added 5 hours ago•5 views

CVE-2026-42867 Langflow: Path Traversal in Knowledge Bases API via Creation Endpoint

6.5CVSS0.00056EPSS

CVE•added 5 hours ago•12 views

CVE-2026-42867

CVE-2026-42867 – Langflow exposed path traversal via the Knowledge Bases API (POST /api/v1/knowledge_bases). The root cause is that user-supplied base names are concatenated into file paths without proper containment checks, allowing an authenticated attacker to create directories and write files...

6.5CVSS5.9AI score0.00056EPSS

Cvelist•added 5 hours ago•7 views

CVE-2026-55255 Langflow: IDOR Vulnerability in `/api/v1/responses` Endpoint Allows Authenticated Attackers to Access Another User's Flow

9.9CVSS

CVE•added 5 hours ago•17 views

CVE-2026-55255

Langflow4: CVE-2026-55255 describes an IDOR in POST /api/v1/responses that lets an authenticated user execute another user’s flow by supplying the victim’s flow ID. Root cause: get_flow_by_id_or_endpoint_name queries by UUID without verifying ownership in both UUID and endpoint_name paths, enabli...

9.9CVSS5.9AI score

EUVD•added 5 hours ago•3 views

EUVD-2026-38517

9.9CVSS5.9AI score

Cvelist•added 6 hours ago•6 views

CVE-2026-55423 Langflow: Logout button does not clear session

6.1CVSS

Exploits0References3

CVE•added 6 hours ago•14 views

CVE-2026-55423

CVE-2026-55423 affects Langflow prior to version 1.7.0, where the /logout flow fails to clear session data. Root cause: the logout endpoint did not delete cookies with matching attributes (httponly/samesite/secure/domain), so tokens persisted in local storage and cookies even after logout. Conseq...

6.1CVSS5.9AI score

Exploits0References3

Cvelist•added 6 hours ago•6 views

CVE-2026-55446 Langflow: Unauthenticated DoS through multipart form boundary file upload

Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to 1.0.19, an attacker can send a /api/v1/files/upload/ request without any authentication token/cookies and abuse a very long multipart form boundary to make the langflow app unusable for all users for an...

7.5CVSS

CVE•added 6 hours ago•13 views

CVE-2026-55446

Langflow before version 1.0.19 is vulnerable to unauthenticated DoS on the /api/v1/files/upload/ endpoint by sending a multipart/form-data request with an extremely long boundary. The vulnerability allows an attacker to cause the server to become unusable for all users for an indefinite period, w...

7.5CVSS5.9AI score

EUVD•added 6 hours ago•3 views

EUVD-2026-38515

7.5CVSS5.9AI score

Cvelist•added 6 hours ago•6 views

CVE-2026-48519 Langflow: Unauthenticated RCE in Shareable Playgrounds

9.6CVSS0.00092EPSS

CVE•added 6 hours ago•27 views

CVE-2026-48519

Langflow CVE-2026-48519 exposes unauthenticated RCE via the Shareable Playground. Affected: Langflow prior to 1.9.2. Vulnerable route: /api/v1/build_public_tmp permits executing any public flow; payloads can inject arbitrary Python code into data.nodes[X].data.node.template.code.value. Impact is ...

9.6CVSS6.3AI score0.00092EPSS