9 matches found
CVE-2026-4502
CVE-2026-4502 affects Langflow OSS Desktop and Langflow v2 API: authenticated attackers can exploit path traversal via /../ in multipart uploads to write arbitrary files and potentially achieve remote code execution. In IBM bulletins, Langflow OSS versions 1.2.0–1.8.4 are vulnerable through the f...
EUVD-2026-23762
A vulnerability was detected in langflow-ai langflow up to 1.8.3. The impacted element is the function getclientip/installmcpconfig of the file src/backend/base/langflow/api/v1/mcpprojects.py of the component Model Context Protocol Configuration API. Performing a manipulation of the argument...
Langflow Missing Authentication on Critical API Endpoints
Summary: Multiple critical API endpoints in Langflow are missing authentication controls, allowing any unauthenticated user to access sensitive user conversation data, transaction histories, and perform destructive operations including message deletion. This affects endpoints handling personal dat...
GHSA-C5CP-VX83-JHQX Langflow Missing Authentication on Critical API Endpoints
Summary: Multiple critical API endpoints in Langflow are missing authentication controls, allowing any unauthenticated user to access sensitive user conversation data, transaction histories, and perform destructive operations including message deletion. This affects endpoints handling personal dat...
MAL-2025-48030 Malicious code in langflow-api-chat (npm)
Source: ghsa-malware b0d493794349f9fd072b31947424562afcd5b86b1fd642a42cf613d4b363f5cb Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
Malicious Package
Overview: langflow-api-chat is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...
Malicious code in langflow-api-chat (npm)
Source: ghsa-malware b0d493794349f9fd072b31947424562afcd5b86b1fd642a42cf613d4b363f5cb Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
Exploit for Code Injection in Langflow
⚠️ Langflow RCE Exploit Scanner CVE-2025-3248 This Python-b...
CVE-2024-37014
Langflow through 0.6.19 allows remote code execution if untrusted users are able to reach the "POST /api/v1/customcomponent" endpoint and provide a Python script...