CVE-2026-55423
Status: Awaiting Analysis (Queue)
Session Fixation in Langflow Prior to 1.7.0

Publication date: 2026-06-23

Last updated on: 2026-06-23

Assigner: GitHub, Inc.

Description
Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to 1.7.0, the logout button does not clear the session. The previous user stays logged in unless another user explicitly logs in. This vulnerability is fixed in 1.7.0.
CVSS Scores: (none listed)
EPSS Scores: Probability: (none listed); Percentile: (none listed)
Meta Information
Published: 2026-06-23
Last Modified: 2026-06-23
Generated: 2026-06-23
AI Q&A: 2026-06-23
EPSS Evaluated: N/A
References: NVD, EUVD
Affected Vendors & Products
Showing 2 associated CPEs
Vendor        Product    Version / Range
langflow-ai   langflow   to 1.7.0 (inc)
langflow-ai   langflow   to 1.7.0 (exc)
CWE
CWE-613: According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."
Executive Summary

CVE-2026-55423 is a vulnerability in the Langflow application versions prior to 1.7.0 where the logout button does not properly clear the user's session.

The root cause is that the logout endpoint deletes authentication cookies without matching the original security parameters (such as HttpOnly, SameSite, Secure, and domain) used when the cookies were created. Because browsers require exact parameter matching to delete cookies, the authentication cookies remain active even after logout.

As a result, the previous user stays logged in unless another user explicitly logs in, which means users may mistakenly believe they have logged out while still being authenticated in the background.

Impact Analysis

This vulnerability can lead to unauthorized access to user accounts, especially on shared or public computers.

Since the session is not properly cleared on logout, a subsequent user may gain access to the previous user's session without needing to log in.

This poses a significant risk to confidentiality and integrity of user data, as sensitive information could be accessed or modified by unauthorized users.

The vulnerability has a CVSS score of 6.1, indicating a moderate severity with high impact on confidentiality and integrity but no impact on availability.

Detection Guidance

This vulnerability can be detected by verifying whether the logout process properly clears authentication cookies. Specifically, check if the cookies such as refresh_token_lf, access_token_lf, apikey_tkn_lflw, and LANGFLOW_AUTO_LOGIN_OPTION remain present after logout.

On your system or network, you can monitor HTTP traffic to observe if the logout endpoint attempts to delete these cookies with the correct parameters (HttpOnly, SameSite, Secure, domain). If cookies persist after logout, the vulnerability may be present.

Suggested checks: use browser developer tools or command-line tools such as curl or wget to inspect cookie headers before and after logout.

  • Use curl to send a logout request and inspect Set-Cookie headers: curl -i -X POST https://your-langflow-instance/logout
  • Use browser developer tools (Application tab) to check if authentication cookies are deleted after logout.
  • Use network monitoring tools (e.g., Wireshark) to capture HTTP traffic and verify cookie deletion behavior.
Mitigation Strategies

The primary mitigation step is to upgrade Langflow to version 1.7.0 or later, where the logout endpoint properly clears all authentication cookies with matching parameters and the frontend clears cookies as well.

Until the upgrade can be applied, avoid using shared computers or environments where multiple users access the same Langflow instance without explicit re-login.

Additionally, consider manually clearing browser cookies related to Langflow after logout to prevent session persistence.

Compliance Impact

The vulnerability in Langflow prior to version 1.7.0 causes the logout button to fail to clear the session properly, allowing previous users to remain logged in on shared computers. This poses a risk of unauthorized access to user sessions, which can lead to confidentiality and integrity breaches.

Such unauthorized access risks can impact compliance with common standards and regulations like GDPR and HIPAA, which require proper session management and protection of personal and sensitive data to prevent unauthorized disclosure or access.

Specifically, the vulnerability is classified under CWE-613 (Insufficient Session Expiration), indicating that session credentials can be reused for unauthorized access, which is a violation of best practices for data protection mandated by these regulations.

The fix in version 1.7.0 ensures proper session termination by correctly deleting authentication cookies with matching parameters and clearing frontend cookies, thereby mitigating the risk and helping maintain compliance with these standards.
