PT-2026-36200

Name of the Vulnerable Software and Affected Versions IBM Langflow OSS versions 1.0.0 through 1.8.4 Description An issue exists where any user can provide a flow id to read transaction logs and vertex build data belonging to other users. Additionally, this allows for the deletion of persisted...

Security Bulletin: Monitor API allows cross-user read of transaction logs and deletion of build data via flow_id

Summary Langflow OSS is affected by an insecure direct object reference vulnerability in its Monitor API due to missing authorization checks. Although these endpoints require authentication, they fail to verify ownership of the provided flowid, allowing any authenticated user to access or...