CVE-2026-34046
Insecure Direct Object Reference in Langflow Allows Unauthorized Flow Access
Publication date: 2026-03-27
Last updated on: 2026-03-27
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| langflow-ai | langflow | to 1.5.1 (exc) |
| langflow-ai | langflow-base | to 0.5.1 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
| CWE-639 | The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data. |
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
This vulnerability allows any authenticated user to access, modify, or delete other users' flows, including sensitive data such as embedded plaintext API keys. Such unauthorized access and modification represent a failure in proper authorization controls, which can lead to breaches of confidentiality and integrity of user data.
Because the vulnerability exposes sensitive user data and allows unauthorized actions, it can negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require strict access controls and protection of personal and sensitive information.
Can you explain this vulnerability to me?
CVE-2026-34046 is an Insecure Direct Object Reference (IDOR) vulnerability in the langflow tool, which is used for building and deploying AI-powered agents and workflows. The issue exists in the _read_flow helper function that handles requests to access flows by their UUID. Prior to version 1.5.1, when authentication was enabled (AUTO_LOGIN set to False), the function did not enforce ownership checks, allowing any authenticated user to access flows belonging to other users.
This flaw means that an authenticated user could read, modify, or delete flows owned by other users, including sensitive information such as embedded plaintext API keys. The vulnerability was caused by conditional logic intended to support public/example flows but inadvertently omitted ownership filtering when authentication was enabled. The fix in version 1.5.1 removed this conditional logic and enforced strict user ownership checks on flow access.
How can this vulnerability impact me? :
This vulnerability can have serious impacts if you use langflow versions prior to 1.5.1. An attacker who is an authenticated user can:
- Read any other user's flows, potentially exposing sensitive data such as plaintext API keys embedded in those flows.
- Modify the logic of AI agents belonging to other users, which could alter their behavior or cause unintended actions.
- Delete flows owned by other users, leading to data loss and disruption of workflows.
Overall, this vulnerability compromises confidentiality, integrity, and availability of user data and workflows within langflow.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability allows any authenticated user to access flows belonging to other users without proper ownership checks. Detection involves verifying whether the API endpoint /api/v1/flow/{flow_id} improperly returns flow data for flows not owned by the authenticated user.
To detect this on your system, you can perform authenticated API requests to the flow retrieval endpoint with flow IDs that belong to other users and observe if the system returns data without proper authorization errors.
Example commands using curl (replace placeholders accordingly):
- curl -H "Authorization: Bearer <token_of_user_A>" https://<langflow_host>/api/v1/flow/<flow_id_of_user_B>
- If the response returns flow data belonging to user B while authenticated as user A, the vulnerability is present.
Additionally, reviewing logs or monitoring API requests for cross-user flow access without proper authorization can help detect exploitation attempts.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation is to upgrade langflow to version 1.5.1 or later, where the vulnerability is fixed by removing the AUTO_LOGIN conditional and enforcing strict user ownership filtering on flow access.
If upgrading immediately is not possible, restrict access to the vulnerable API endpoints to trusted users only and monitor for suspicious activity.
Review and apply the patch from pull request #8956 which refactors the flow retrieval logic to enforce user-based filtering.
Ensure that authentication is properly configured and that the AUTO_LOGIN setting is not used in a way that bypasses ownership checks.
Implement monitoring and alerting for unauthorized access attempts to flows.