CVE-2026-33760
Status: Awaiting Analysis - Queue
IDOR Vulnerability in Langflow Prior to 1.9.0

Publication date: 2026-06-23

Last updated on: 2026-06-23

Assigner: GitHub, Inc.

Description
Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to 1.9.0, Langflow's /api/v1/monitor router exposes 7 endpoints that perform read, write, and delete operations on user-owned resources (messages, sessions, build artifacts, and LLM transaction logs) without verifying that the authenticated requester owns the targeted resource. Any authenticated user can read, modify, rename, or permanently delete another user's data by supplying the target's resource ID or flow_id. This is a classic IDOR/BOLA vulnerability. Notably, the same source file (monitor.py) contains one correctly-implemented endpoint that uses an ownership check, demonstrating the correct pattern was known but inconsistently applied. This vulnerability is fixed in 1.9.0.
Meta Information
Published
2026-06-23
Last Modified
2026-06-23
Generated
2026-06-23
AI Q&A
2026-06-23
EPSS Evaluated
N/A
Affected Vendors & Products
Showing 2 associated CPEs
Vendor       Product   Version / Range
langflow-ai  langflow  up to 1.9.0 (excluding)
langflow-ai  langflow  up to 1.7.3 (including)
CWE-639: The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-33760 is an Insecure Direct Object Reference (IDOR) or Broken Object Level Authorization (BOLA) vulnerability in the Langflow Monitor API. It affects versions of Langflow up to 1.7.3 and allows authenticated users to access, modify, or delete another user's data without proper ownership verification.

The vulnerability exists in seven endpoints in the /api/v1/monitor router, which handle operations on user-owned resources like messages, sessions, build artifacts, and LLM transaction logs. These endpoints fail to enforce ownership checks, enabling attackers to read sensitive data, tamper with messages, rename sessions, or delete entire sessions and build records by supplying another user's resource ID or flow ID.

Notably, the same source file contains one correctly-implemented endpoint that uses an ownership check, showing that the correct pattern was known but inconsistently applied. The issue was fixed in Langflow version 1.9.0 and later.

Impact Analysis

This vulnerability can have serious impacts including breaches of confidentiality, integrity, and availability of your data.

  • Confidentiality breaches: Attackers can expose sensitive data such as LLM conversation history and workflow state.
  • Integrity risks: Attackers can corrupt chat history, audit trails, and other user data by modifying or renaming resources.
  • Availability threats: Attackers can permanently delete sessions, build artifacts, and other user-owned resources, causing data loss.

The vulnerability has a high severity score of 8.8 (CVSS v3) due to its low attack complexity and the fact that only authentication is required to exploit it.

Detection Guidance

This vulnerability can be detected by monitoring and testing the /api/v1/monitor endpoints for improper access control. Specifically, you can attempt to access, modify, or delete resources such as messages, sessions, build artifacts, or LLM transaction logs by supplying resource IDs or flow IDs that belong to other users.

In practice this means sending authenticated HTTP requests to the affected endpoints with a resource ID or flow ID that belongs to a different user and observing whether the operation succeeds without any ownership verification.

  • Use curl or similar tools to send requests to endpoints like `/api/v1/monitor/messages/{id}`, `/api/v1/monitor/sessions/{id}`, etc., with resource IDs not owned by the authenticated user.
  • Example curl command to test read access: `curl -X GET -H "Authorization: Bearer <token>" https://<langflow-host>/api/v1/monitor/messages/<other_user_message_id>`
  • Example curl command to test delete access: `curl -X DELETE -H "Authorization: Bearer <token>" https://<langflow-host>/api/v1/monitor/sessions/<other_user_session_id>`

If these requests succeed in accessing or modifying data not owned by the authenticated user, the system is vulnerable.

Mitigation Strategies

The immediate and most effective mitigation is to upgrade Langflow to version 1.9.0 or later, where this vulnerability has been fixed by properly enforcing ownership checks on all /api/v1/monitor endpoints.

Until the upgrade can be performed, consider restricting access to the /api/v1/monitor endpoints to trusted users only, or disabling these endpoints if possible.

Additionally, monitor logs for suspicious activity involving access to resources by users other than the owners.
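The description notes that monitor.py already contained one endpoint with a proper ownership check, and the 1.9.0 fix applies that check everywhere. The block below is an added illustration of that pattern and is not Langflow's code: the unchecked lookup that produces the IDOR sits beside an ownership-scoped helper that every read, delete and flow-scoped list handler goes through. The HTTP layer is replaced by plain Python stand-ins (HTTPError, MessageStore, the handler names and the sample rows are all assumed or constructed) so it runs without a web framework. It also goes one step beyond the single-object case by showing the same owner filter on a collection endpoint keyed by a caller-supplied flow_id, and records denied cross-user hits so they can feed the log monitoring recommended above.

```python
"""Object-level authorization for a monitor-style API: an unchecked lookup
beside the ownership-checked pattern the advisory describes.

Added example, not Langflow's monitor.py. HTTPError, MessageStore and the
handler names are assumed stand-ins for the real HTTP layer.
"""
from dataclasses import dataclass, field
from typing import Optional


class HTTPError(Exception):
    """Stand-in for a framework HTTP exception (assumed name)."""

    def __init__(self, status: int, detail: str) -> None:
        super().__init__(detail)
        self.status = status
        self.detail = detail


@dataclass(frozen=True)
class Message:
    id: str
    flow_id: str
    owner_id: str
    text: str


@dataclass
class MessageStore:
    """In-memory table, constructed for the example."""

    messages: dict = field(default_factory=dict)
    # Denied cross-user hits are recorded here so they can be alerted on.
    denied: list = field(default_factory=list)

    def get(self, message_id: str) -> Optional[Message]:
        return self.messages.get(message_id)

    def delete(self, message_id: str) -> None:
        del self.messages[message_id]


def get_message_vulnerable(store: MessageStore, requester_id: str, message_id: str) -> Message:
    """Vulnerable shape: the caller is authenticated but nothing is authorized.
    The row is fetched by primary key alone, so any authenticated user can
    read (and, with the same shape on DELETE/PATCH, remove or edit) any
    other user's message. requester_id is never consulted."""
    msg = store.get(message_id)
    if msg is None:
        raise HTTPError(404, "Message not found")
    return msg


def get_owned_message(store: MessageStore, requester_id: str, message_id: str) -> Message:
    """Fixed shape: one helper every handler touching a message goes through.
    Ownership is part of the lookup, and a foreign id gets the same 404 as a
    missing one so the response does not confirm that the id exists."""
    msg = store.get(message_id)
    if msg is None or msg.owner_id != requester_id:
        if msg is not None:
            # A hit on a row owned by someone else is the event worth monitoring.
            store.denied.append(
                {"requester": requester_id, "owner": msg.owner_id, "message_id": message_id}
            )
        raise HTTPError(404, "Message not found")
    return msg


def get_message_fixed(store: MessageStore, requester_id: str, message_id: str) -> Message:
    return get_owned_message(store, requester_id, message_id)


def delete_message_fixed(store: MessageStore, requester_id: str, message_id: str) -> dict:
    msg = get_owned_message(store, requester_id, message_id)
    store.delete(msg.id)
    return {"deleted": msg.id}


def list_flow_messages_fixed(store: MessageStore, requester_id: str, flow_id: str) -> list:
    """Collection endpoints need the same treatment: a caller-supplied flow_id
    is untrusted, so the owner filter is applied alongside it."""
    return [m for m in store.messages.values()
            if m.flow_id == flow_id and m.owner_id == requester_id]


def demo_store() -> MessageStore:
    """Constructed sample data: two users whose messages share one flow id."""
    store = MessageStore()
    store.messages["msg-a1"] = Message("msg-a1", "flow-1", "alice", "alice's conversation")
    store.messages["msg-b1"] = Message("msg-b1", "flow-1", "bob", "bob's conversation")
    return store


if __name__ == "__main__":
    store = demo_store()
    print(get_message_vulnerable(store, "bob", "msg-a1").text)  # bob reads alice's row
    try:
        get_message_fixed(store, "bob", "msg-a1")
    except HTTPError as e:
        print(e.status, e.detail, store.denied)
```

The design point is that ownership is decided inside a single helper rather than in each handler: once `get_owned_message` is the only way to resolve a message id, a new endpoint cannot forget the check the way the seven affected monitor endpoints did. Returning 404 rather than 403 for a foreign id keeps the API from acting as an existence oracle, and the `denied` records give the log monitoring above something concrete to alert on.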

Compliance Impact

This vulnerability allows authenticated users to access, modify, or delete other users' data without proper authorization, leading to breaches of confidentiality, integrity, and availability of sensitive information.

Such unauthorized access and manipulation of user data can result in non-compliance with data protection regulations like GDPR and HIPAA, which mandate strict controls over personal and sensitive data to ensure privacy, data integrity, and availability.

Specifically, the exposure of conversation history and workflow states, as well as the potential for data corruption or deletion, could violate requirements for protecting personal data and maintaining audit trails under these standards.
