Executive Summary

This vulnerability exists in langflow-ai langflow up to version 1.8.3, specifically in the function remove_api_keys/has_api_terms within the file src/backend/base/langflow/api/utils/core.py of the Flow Using API component.

The issue causes unprotected storage of credentials, meaning sensitive API keys or credentials are not properly secured.

An attacker can exploit this vulnerability remotely to access these unprotected credentials.

The exploit has been made publicly available, increasing the risk of attacks.

Useful 0 Not Useful 0

Impact Analysis

The vulnerability can lead to unauthorized access to stored API credentials due to their unprotected storage.

Attackers exploiting this weakness remotely could potentially misuse these credentials to access or manipulate systems or data that rely on them.

This could result in compromised security, unauthorized actions, or data breaches depending on how the credentials are used.

Useful 0 Not Useful 0

Compliance Impact

This vulnerability causes unprotected storage of credentials, which can lead to unauthorized access to sensitive information.

Such unprotected storage of credentials may result in non-compliance with common standards and regulations like GDPR and HIPAA, which require proper protection of sensitive data and credentials to ensure confidentiality and security.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by examining exported flow JSON files from Langflow for the presence of sensitive credentials that should have been redacted but remain in plaintext.

Specifically, check for sensitive fields such as passwords or secrets that do not follow the "api key" naming pattern and verify if they are exposed in exported data.

A practical approach is to export flows via the Langflow API and inspect the JSON output for fields like "password", "db_password", or "secret_value" that contain plaintext secrets.

For example, you can use command-line tools like grep or jq to search for these fields in exported JSON files:

• grep -i -E 'password|secret|db_password' exported_flow.json
• jq '.nodes[] | select(.password == true) | {field: .name, value: .value}' exported_flow.json

If such fields contain non-null values, it indicates the vulnerability is present and sensitive data is not properly redacted.

Useful 0 Not Useful 0

Mitigation Strategies

The immediate mitigation step is to upgrade Langflow to a version later than 1.7.3 where this vulnerability has been patched.

Until an upgrade is possible, avoid exporting flows that contain sensitive credentials with names that do not follow the "api key" pattern, or manually sanitize exported JSON files to remove or redact sensitive fields.

Additionally, restrict access to the Langflow API and exported flow files to trusted and authenticated users only, to reduce the risk of credential exposure.

Review and rename sensitive fields in your flows to include "api key" or "token" in their names if possible, to ensure they are redacted by the existing heuristic until a patch is applied.

Useful 0 Not Useful 0