
5 matches found

Snyk
added 2025/08/25 4:43 p.m. | 1 view

Missing Authorization

Overview: Affected versions of this package are vulnerable to Missing Authorization via the api/v1/validate/code endpoint. A low-privileged user can gain administrative privileges by executing the /app/.venv/bin/langflow superuser command. Remediation: Upgrade langflow-base to version 0.5.1 or...

8.8 CVSS | 6.7 AI score | 0.00017 EPSS
Exploits: 0 | References: 2
Packet Storm
added 2025/07/16 12:0 a.m. | 148 views

📄 Langflow 1.2.x Remote Code Execution

Langflow exposes a vulnerable endpoint /api/v1/validate/code that improperly evaluates arbitrary Python code via the exec function. An unauthenticated remote attacker can execute arbitrary system commands. Versions 1.2.x and below are affected. !/usr/bin/env python3 Exploit Title: Langflow 1.2.x ...

9.8 CVSS | 8.3 AI score | 0.92665 EPSS
Exploits: 33
Packet Storm News
added 2025/04/16 12:0 a.m. | 4 views

Langflow Code Injection

Langflow versions prior to 1.3.0 are susceptible to code injection in the /api/v1/validate/code endpoint. A remote and unauthenticated attacker can send crafted HTTP requests to execute arbitrary code...

9.8 CVSS | 8.1 AI score | 0.92665 EPSS
Exploits: 33
VulnCheck KEV
added 2025/04/12 12:0 a.m. | 0 views

VulnCheck KEV: CVE-2025-3248

Langflow contains a missing authentication vulnerability in the /api/v1/validate/code endpoint that allows a remote, unauthenticated attacker to execute arbitrary code via crafted HTTP requests...

9.8 CVSS | 6.2 AI score | 0.92665 EPSS
Exploits: 33 | References: 1
PyPA
added 2025/04/07 3:15 p.m. | 9 views

PYSEC-2025-36

Langflow versions prior to 1.3.0 are susceptible to code injection in the /api/v1/validate/code endpoint. A remote and unauthenticated attacker can send crafted HTTP requests to execute arbitrary code...

9.8 CVSS | 7.9 AI score | 0.92665 EPSS
Exploits: 33 | References: 4 | Affected Software: 1