Lucene search

22 matches found

Positive Technologies
added 2026/05/06 12:00 a.m.

PT-2026-37548

Name of the Vulnerable Software and Affected Versions: Linux kernel, affected versions not specified. Description: An issue exists where the set_rps_cpu function incorrectly assumes that the Receive Packet Steering (RPS) table for each receive queue is of a constant size and does not change. By passing...

CVSS 9.8 | AI score 5.8 | EPSS 0.00053
Exploits: 0 | References: 8
ATTACKERKB
added 2026/04/30 9:16 p.m.

CVE-2026-6542

IBM Langflow OSS 1.0.0 through 1.8.4 could allow any user to supply a flow_id to read transaction logs and vertex build data belonging to other users, and to delete persisted vertex build data for another user's flow...

CVSS 6.5 | AI score 5.2 | EPSS 0.00052
Exploits: 0 | References: 2 | Affected Software: 1
EUVD
added 2026/04/30 9:16 p.m.

EUVD-2026-26447

IBM Langflow OSS 1.0.0 through 1.8.4 could allow any user to supply a flow_id to read transaction logs and vertex build data belonging to other users, and to delete persisted vertex build data for another user's flow...

CVSS 6.5 | AI score 5.2 | EPSS 0.00052
Exploits: 0 | References: 1
CVE
added 2026/04/30 9:16 p.m.

CVE-2026-6542

IBM Langflow OSS 1.0.0–1.8.4 is vulnerable to an authorization bypass in the Monitor API: any authenticated user can supply a flow_id to read another user’s transaction logs and vertex build data, and can delete persisted vertex build data for another user’s flow. Root cause cited as missing owne...

CVSS 8.1 | AI score 5.2 | EPSS 0.00052
Exploits: 0 | References: 1 | Affected Software: 1
IBM Security Bulletins
added 2026/04/28 9:27 p.m.

Security Bulletin: Unauthenticated Insecure Direct Object Reference (IDOR) Vulnerability in Langflow Desktop Image Download Endpoint

Summary: IBM Langflow Desktop contains a vulnerability in its image retrieval functionality where the GET /api/v1/files/images/{flow_id}/{file_name} endpoint fails to enforce authentication and ownership validation, allowing any unauthenticated user to access image files by supplying a valid flow...

CVSS 7.5 | AI score 5.2 | EPSS 0.00028
Exploits: 0 | Affected Software: 1
IBM Security Bulletins
added 2026/04/27 5:55 p.m.

Security Bulletin: Monitor API allows cross-user read of transaction logs and deletion of build data via flow_id

Summary: Langflow OSS is affected by an insecure direct object reference vulnerability in its Monitor API due to missing authorization checks. Although these endpoints require authentication, they fail to verify ownership of the provided flow_id, allowing any authenticated user to access or...

CVSS 8.1 | AI score 5.7 | EPSS 0.00052
Exploits: 0 | Affected Software: 1
RedhatCVE
added 2026/03/28 4:59 p.m.

CVE-2026-5022

The '/api/v1/files/images/{flow_id}/{file_name}' endpoint does not enforce any authentication or authorization checks, allowing any unauthenticated user to download images belonging to any flow by knowing or guessing the flow ID and file name...

CVSS 6.3 | AI score 5.9 | EPSS 0.00061
Exploits: 0 | References: 1
NVD
added 2026/03/27 3:17 p.m.

CVE-2026-5022

The '/api/v1/files/images/{flow_id}/{file_name}' endpoint does not enforce any authentication or authorization checks, allowing any unauthenticated user to download images belonging to any flow by knowing or guessing the flow ID and file name...

CVSS 6.3 | EPSS 0.00061
Exploits: 0 | References: 1
Positive Technologies
added 2026/03/27 12:00 a.m.

PT-2026-28736

The '/api/v1/files/images/{flow_id}/{file_name}' endpoint does not enforce any authentication or authorization checks, allowing any unauthenticated user to download images belonging to any flow by knowing or guessing the flow ID and file name...

CVSS 6.3 | AI score 5.9 | EPSS 0.00061
Exploits: 0 | References: 2
Positive Technologies
added 2026/03/27 12:00 a.m.

PT-2026-28597

Name of the Vulnerable Software and Affected Versions: Langflow versions prior to 1.5.1. Description: Langflow is a tool for building and deploying AI-powered agents and workflows. A flaw exists in the read flow helper within src/backend/base/langflow/api/v1/flows.py. The code branched on the AUTO...

CVSS 8.7 | AI score 5.9 | EPSS 0.00034
Exploits: 0 | References: 6
RedhatCVE
added 2026/03/26 3:00 p.m.

CVE-2026-33484

Langflow is a tool for building and deploying AI-powered agents and workflows. In versions 1.0.0 through 1.8.1, the /api/v1/files/images/{flow_id}/{file_name} endpoint serves image files without any authentication or ownership check. Any unauthenticated request with a known flow_id and file_name returns...

CVSS 7.5 | AI score 5.8 | EPSS 0.0005
Exploits: 1 | References: 1
PyPA
added 2026/03/24 2:16 p.m.

PYSEC-2026-80

Langflow is a tool for building and deploying AI-powered agents and workflows. In versions 1.0.0 through 1.8.1, the /api/v1/files/images/{flow_id}/{file_name} endpoint serves image files without any authentication or ownership check. Any unauthenticated request with a known flow_id and file_name returns...

CVSS 7.5 | AI score 5.8 | EPSS 0.0005
Exploits: 1 | References: 1 | Affected Software: 1
Vulnrichment
added 2026/03/24 12:57 p.m.

CVE-2026-33484 Langflow has Unauthenticated IDOR on Image Downloads

Langflow is a tool for building and deploying AI-powered agents and workflows. In versions 1.0.0 through 1.8.1, the /api/v1/files/images/{flow_id}/{file_name} endpoint serves image files without any authentication or ownership check. Any unauthenticated request with a known flow_id and file_name returns...

CVSS 7.5 | AI score 5.8 | EPSS 0.0005
Exploits: 1 | References: 1
ATTACKERKB
added 2026/03/24 12:57 p.m.

CVE-2026-33484

Langflow is a tool for building and deploying AI-powered agents and workflows. In versions 1.0.0 through 1.8.1, the /api/v1/files/images/{flow_id}/{file_name} endpoint serves image files without any authentication or ownership check. Any unauthenticated request with a known flow_id and file_name returns...

CVSS 7.5 | AI score 5.8 | EPSS 0.0005
Exploits: 1 | References: 2 | Affected Software: 1
Snyk
added 2026/03/20 8:47 p.m.

Missing Authorization

Overview: Affected versions of this package are vulnerable to Missing Authorization via the download_image endpoint, which allows unauthenticated access to image files by accepting flow_id and file_name as path parameters without verifying user authentication or ownership. An attacker can access...

CVSS 8.5 | AI score 5.5 | EPSS 0.0005
Exploits: 1 | References: 3
OSV
added 2026/03/20 8:47 p.m.

GHSA-7GRX-3XCX-2XV5 langflow has Unauthenticated IDOR on Image Downloads

Summary: The /api/v1/files/images/{flow_id}/{file_name} endpoint serves image files without any authentication or ownership check. Any unauthenticated request with a known flow_id and file_name returns the image with HTTP 200. Details: src/backend/base/langflow/api/v1/files.py:138-164 — download_image takes...

CVSS 7.5 | AI score 5.8 | EPSS 0.0005
Exploits: 1 | References: 3
Github Security Blog
added 2026/03/20 8:47 p.m.

langflow has Unauthenticated IDOR on Image Downloads

Summary: The /api/v1/files/images/{flow_id}/{file_name} endpoint serves image files without any authentication or ownership check. Any unauthenticated request with a known flow_id and file_name returns the image with HTTP 200. Details: src/backend/base/langflow/api/v1/files.py:138-164 — download_image takes...

CVSS 7.5 | AI score 5.8 | EPSS 0.0005
Exploits: 1 | References: 3 | Affected Software: 1
Positive Technologies
added 2026/03/20 12:00 a.m.

PT-2026-26771

Name of the Vulnerable Software and Affected Versions: Langflow versions 1.0.0 through 1.8.1. Description: Langflow versions 1.0.0 through 1.8.1 have an issue where the /api/v1/files/images/{flow_id}/{file_name} API endpoint serves image files without authentication or ownership verification. An...

CVSS 7.5 | AI score 5.8 | EPSS 0.0005
Exploits: 1 | References: 4
EUVD
added 2025/10/03 8:07 p.m.

EUVD-2025-29244

Malicious code in bioql PyPI...

AI score 6.6
Exploits: 0 | References: 4
CNNVD
added 2025/03/02 12:00 a.m.

EsafeNet CDG security vulnerability

EsafeNet CDG is a document security management system from EsafeNet, China. A security vulnerability exists in EsafeNet CDG version 5.6.3.154.205, which originates from improper handling of the flowId parameter in the /CDGServer3/workflowE/useractivate/updateorg.jsp file, resulting in SQL injecti...

CVSS 9.8 | AI score 7.8 | EPSS 0.00072
Exploits: 0 | References: 2