CVE-2026-33053
Insecure Direct Object Reference in Langflow API Key Deletion
Publication date: 2026-03-20
Last updated on: 2026-03-20
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| langflow | langflow | before 1.9.0 (1.9.0 excluded) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-639 | The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-33053 is an Insecure Direct Object Reference (IDOR) vulnerability in the langflow-ai/langflow project. The vulnerability occurs because the delete_api_key() function deletes API keys without verifying that the key belongs to the currently authenticated user.
Specifically, the delete_api_key_route endpoint accepts an api_key_id parameter and calls delete_api_key() without checking ownership. This means an authenticated attacker can delete API keys of other users by guessing or enumerating their API key IDs.
How can this vulnerability impact me?
This vulnerability allows an authenticated attacker to delete API keys belonging to other users. The impacts include:
- Account takeover by disrupting legitimate API key access.
- Denial of service by deleting keys and preventing legitimate API usage.
- Disruption of integrations relying on those API keys.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves the deletion of API keys without verifying ownership, which can be detected by monitoring API requests to the delete_api_key_route endpoint for suspicious activity.
Specifically, detection can focus on identifying requests where an authenticated user attempts to delete API keys that do not belong to them.
Since the vulnerability allows an attacker to enumerate or guess API key UUIDs, commands or scripts that attempt to delete API keys by iterating over possible UUIDs could indicate exploitation attempts.
However, no specific detection commands or tools are provided in the available resources.
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to modify the delete_api_key_route endpoint and the delete_api_key() function to verify that the API key being deleted belongs to the current authenticated user.
This involves passing the current_user parameter to the delete_api_key() function and checking ownership before deletion.
- If the API key does not belong to the current user, the system should raise a 403 Forbidden HTTP error to prevent unauthorized deletion.
- Example fix code snippet: `if api_key.user_id != user_id: raise HTTPException(status_code=403, detail='Unauthorized')`
This fix ensures that only the owner of an API key can delete it, preventing account takeover, denial of service, and disruption of integrations. [1]
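The ownership check described above, as an added Python example that is not Langflow's own code: a deletion routine that trusts the key id alone (the CWE-639 pattern) beside the fixed form that also receives the caller's user id and returns 403 when it does not match. The KeyStore, ApiKey record and HTTPError class are stand-ins constructed for this example (HTTPError mirrors FastAPI's HTTPException; no ORM or web framework is involved).

```python
"""Stand-in for API-key deletion, showing the IDOR and its fix.

Constructed example: KeyStore, ApiKey and HTTPError are not Langflow code.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from uuid import UUID, uuid4


class HTTPError(Exception):
    """Stand-in for FastAPI's HTTPException (status_code + detail)."""

    def __init__(self, status_code: int, detail: str) -> None:
        super().__init__(detail)
        self.status_code = status_code
        self.detail = detail


@dataclass
class ApiKey:
    user_id: UUID                        # owner of the key
    name: str
    id: UUID = field(default_factory=uuid4)


@dataclass
class KeyStore:
    """In-memory table of API keys, indexed by key id."""
    keys: dict[UUID, ApiKey] = field(default_factory=dict)

    def create(self, user_id: UUID, name: str) -> ApiKey:
        key = ApiKey(user_id=user_id, name=name)
        self.keys[key.id] = key
        return key


def delete_api_key_vulnerable(store: KeyStore, api_key_id: UUID) -> None:
    """CWE-639 pattern: any authenticated caller who knows (or guesses)
    a key id can delete it, because the caller's identity is never used."""
    if api_key_id not in store.keys:
        raise HTTPError(404, "API key not found")
    del store.keys[api_key_id]


def delete_api_key(store: KeyStore, api_key_id: UUID, user_id: UUID) -> None:
    """Fixed form: the current user's id is passed in and ownership is
    checked before the row is removed. A missing key is still a 404."""
    api_key = store.keys.get(api_key_id)
    if api_key is None:
        raise HTTPError(404, "API key not found")
    if api_key.user_id != user_id:       # the check from the advisory
        raise HTTPError(403, "Unauthorized")
    del store.keys[api_key_id]
```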