CVE-2026-5025
Unauthorized Log Access via Insecure Authentication in Log Router
Publication date: 2026-03-27
Last updated on: 2026-04-20
Assigner: Tenable Network Security, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| langflow | langflow | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the '/logs' and '/logs-stream' endpoints of the log router. Any authenticated user can access these endpoints and read the full application log buffer.
The endpoints require only basic authentication (via 'get_current_active_user') and do not perform any privilege checks such as verifying if the user is a superuser.
How can this vulnerability impact me? :
Because any authenticated user can read the full application log buffer without privilege checks, sensitive information contained in the logs could be exposed to unauthorized users.
This could lead to information disclosure, potentially exposing confidential data or system details that could be leveraged for further attacks.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
This vulnerability allows any authenticated user to read the full application log buffer without privilege checks, potentially exposing sensitive information contained in logs.
Such unauthorized access to sensitive log data could lead to non-compliance with data protection regulations like GDPR and HIPAA, which require strict controls on access to personal and sensitive information.