CVE-2026-21445
Authentication Bypass in Langflow API Exposes Sensitive Data

Publication date: 2026-01-02

Last updated on: 2026-01-02

Assigner: GitHub, Inc.

Description
Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to version 1.7.0.dev45, multiple critical API endpoints in Langflow are missing authentication controls. The issue allows any unauthenticated user to access sensitive user conversation data, transaction histories, and perform destructive operations including message deletion. This affects endpoints handling personal data and system operations that should require proper authorization. Version 1.7.0.dev45 contains a patch.
Meta Information
Generated: 2026-06-16
AI Q&A: 2026-01-02
EPSS Evaluated: 2026-06-15
Affected Vendors & Products (2 associated CPEs)

Vendor       Product    Version / Range
langflow-ai  langflow   up to 1.5.1 (exclusive)
langflow-ai  langflow   up to 1.7.0.dev45 (exclusive)
CWE
CWE-306: The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
AI Quick Actions
Executive Summary

CVE-2026-21445 is a vulnerability in Langflow versions prior to 1.7.0.dev45 where multiple critical API endpoints lack proper authentication controls. This means unauthenticated users can access sensitive user conversation data, transaction histories, and perform destructive actions such as deleting messages. Specifically, three API endpoints in the monitoring module do not require authentication, allowing attackers to retrieve or delete user data without any credentials. This is classified as Broken Authentication and Authorization, leading to potential data breaches and privacy violations. [1]

Impact Analysis

This vulnerability can have severe impacts including unauthorized access to sensitive personal conversation data and transaction histories. Attackers can also delete user messages without authorization, leading to data loss. The exposure of such data can result in privacy violations, data breaches, and loss of trust. Additionally, attackers may gather intelligence on system usage, which could be leveraged for further attacks or exploitation. [1]

Compliance Impact

The vulnerability leads to unauthorized access and potential exposure of personal data, which can cause non-compliance with data protection regulations such as GDPR and CCPA. Since sensitive user data is accessible without proper authorization, organizations using affected Langflow versions may violate privacy and data security requirements mandated by these regulations, potentially resulting in legal and financial penalties. [1]

Detection Guidance

This vulnerability can be detected by attempting to access the vulnerable API endpoints without authentication and observing whether sensitive data is returned or destructive actions are allowed. Specifically, send unauthenticated HTTP requests to the following endpoints:

1. GET /api/v1/monitor/messages
2. GET /api/v1/monitor/transactions
3. DELETE /api/v1/monitor/messages/session/{session_id}

If these endpoints respond successfully without requiring authentication headers or API keys, the system is vulnerable. Example commands using curl:

- Retrieve messages: curl -v http://<host>/api/v1/monitor/messages
- Retrieve transactions: curl -v http://<host>/api/v1/monitor/transactions
- Delete messages by session: curl -v -X DELETE http://<host>/api/v1/monitor/messages/session/<session_id>

Replace <host> and <session_id> accordingly. Because the third request deletes data, run it only against a test instance or a disposable session. Successful responses without authentication indicate the vulnerability is present. [1]

Mitigation Strategies

Immediate mitigation steps include upgrading Langflow to version 1.7.0.dev45 or later, which contains the patch enforcing authentication and authorization on the affected endpoints. If upgrading is not immediately possible, apply the patch manually by adding the FastAPI dependency `Depends(get_current_active_user)` to the vulnerable API route decorators for `/api/v1/monitor/messages`, `/api/v1/monitor/transactions`, and `/api/v1/monitor/messages/session/{session_id}` to require authenticated access. Additionally, review and enforce authentication on other sensitive endpoints as described in the patch. Ensure that no unauthenticated access is allowed to sensitive user data or destructive operations. Finally, monitor logs and access patterns for any unauthorized access attempts. [1, 2]
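The detection guidance above checks the endpoints live; the last mitigation step asks for log review instead. The following Python is an added example (not Langflow project code and not part of the original advisory) that applies the same signal retroactively: it scans reverse-proxy access logs for successful responses to the three monitor endpoints on requests that carried no credentials. The log layout is an assumption made for this example: nginx combined format with a trailing `auth=yes|no` field that the proxy sets from the presence of an Authorization or x-api-key header. The sample lines are constructed.

```python
"""Flag successful unauthenticated requests to the Langflow monitor endpoints.

Added example; not Langflow's own code. Assumes a constructed access-log
layout: nginx combined format plus a trailing auth=yes|no field.
"""
import re
from collections import Counter
from dataclasses import dataclass

# The three endpoints named in the advisory; the path patterns are this
# example's own (query strings and a trailing slash are tolerated).
MONITOR_ROUTES = [
    ("GET", re.compile(r"^/api/v1/monitor/messages/?(\?.*)?$")),
    ("GET", re.compile(r"^/api/v1/monitor/transactions/?(\?.*)?$")),
    ("DELETE", re.compile(r"^/api/v1/monitor/messages/session/[^/?]+/?(\?.*)?$")),
]

# Constructed layout (assumption): combined log format, then auth=yes|no.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*" auth=(?P<auth>yes|no)$'
)


@dataclass
class Finding:
    ip: str
    ts: str
    method: str
    path: str
    status: int


def matches_monitor_route(method: str, path: str) -> bool:
    """True when method+path is one of the three advisory endpoints."""
    return any(m == method and rx.match(path) for m, rx in MONITOR_ROUTES)


def find_unauthenticated_hits(lines):
    """Return Findings for 2xx responses to monitor endpoints with auth=no.

    A 401/403 to the same path is the expected (patched) behaviour and is
    not reported; lines that do not fit the layout are skipped.
    """
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        status = int(m["status"])
        if (m["auth"] == "no" and 200 <= status < 300
                and matches_monitor_route(m["method"], m["path"])):
            findings.append(Finding(m["ip"], m["ts"], m["method"], m["path"], status))
    return findings


def hits_by_source(findings):
    """Count findings per source IP to surface repeat offenders."""
    return dict(Counter(f.ip for f in findings))


# Constructed sample log: one unauthenticated client walking all three
# endpoints, one legitimate authenticated read, one rejected request, and
# one unrelated unauthenticated path that is out of scope for this check.
SAMPLE_LOG = """\
203.0.113.7 - - [02/Jan/2026:10:00:01 +0000] "GET /api/v1/monitor/messages?flow_id=abc HTTP/1.1" 200 5120 "-" "curl/8.4.0" auth=no
203.0.113.7 - - [02/Jan/2026:10:00:02 +0000] "GET /api/v1/monitor/transactions HTTP/1.1" 200 2048 "-" "curl/8.4.0" auth=no
203.0.113.7 - - [02/Jan/2026:10:00:03 +0000] "DELETE /api/v1/monitor/messages/session/sess-1234 HTTP/1.1" 204 0 "-" "curl/8.4.0" auth=no
198.51.100.4 - - [02/Jan/2026:10:00:04 +0000] "GET /api/v1/monitor/messages HTTP/1.1" 200 5120 "-" "Mozilla/5.0" auth=yes
198.51.100.4 - - [02/Jan/2026:10:00:05 +0000] "GET /api/v1/monitor/messages HTTP/1.1" 401 30 "-" "curl/8.4.0" auth=no
198.51.100.4 - - [02/Jan/2026:10:00:06 +0000] "GET /api/v1/flows/ HTTP/1.1" 200 900 "-" "Mozilla/5.0" auth=no
""".splitlines()


if __name__ == "__main__":
    hits = find_unauthenticated_hits(SAMPLE_LOG)
    for h in hits:
        print(f"{h.ts} {h.ip} {h.method} {h.path} -> {h.status} (no credentials)")
    print("per source:", hits_by_source(hits))
```

The check keys on two facts the advisory states: the affected routes and that a success without credentials is the indicator. A 401 on the same path is what a patched 1.7.0.dev45 instance returns and is deliberately not reported, so a clean run over post-upgrade logs confirms the fix as well as flagging earlier exposure.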
