Langflow fixes IDOR letting authenticated users execute other users’ flows
Langflow disclosed a high-impact insecure direct object reference vulnerability, tracked as GHSA-qrpv-q767-xqq2, that allowed any authenticated user on affected deployments to access and execute another user’s flow through the /api/v1/responses endpoint. The flaw affected pip package versions earlier than 1.9.1 and stemmed from backend logic that resolved flows by UUID without verifying ownership, enabling an attacker to submit a victim’s flow UUID and receive the resulting output. Successful exploitation could expose sensitive data processed by the victim’s flow and consume the victim’s compute resources.
The fix, merged in PR #12832, added ownership checks for both UUID- and endpoint-name-based flow lookups and changed unauthorized access handling to return 404 instead of 403 to avoid revealing whether a target flow exists. Langflow also hardened related routes, including /api/v1/run, /api/v1/run/session, and /api/v1/run/advanced, to close similar unscoped dependency patterns, and added regression tests covering cross-user access, malformed user_id inputs, and the reported proof of concept. Users are advised to upgrade to 1.9.1 or later.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
2 events from the most recent confirmed update back to the earliest known activity.
Langflow publishes advisory for GHSA-qrpv-q767-xqq2
Langflow disclosed a high-impact IDOR vulnerability, tracked as GHSA-qrpv-q767-xqq2, affecting pip package versions earlier than 1.9.1. The advisory said authenticated attackers could access and execute another user’s flow through /api/v1/responses by supplying the victim’s flow UUID, potentially exposing sensitive data and consuming victim resources.
Langflow merges fix for IDOR in flow lookup helper
Langflow merged PR #12832 to fix an insecure direct object reference vulnerability in get_flow_by_id_or_endpoint_name that allowed authenticated users to execute other users’ flows via the /api/v1/responses endpoint. The remediation added ownership checks for UUID and endpoint-name lookups, hardened related run routes, and added regression tests.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
IDOR Vulnerability in `/api/v1/responses` Endpoint Allows Authenticated Attackers to Access Another User's Flow · Advisory · langflow-ai/langflow · GitHub
github.com
Open sourcefix(security): close IDOR in get_flow_by_id_or_endpoint_name (LE-639) by erichare · Pull Request #12832 · langflow-ai/langflow · GitHub
github.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Langflow patched unauthenticated file upload in deprecated API endpoint
Langflow disclosed and fixed a vulnerability in the deprecated `POST /api/v1/upload/{flow_id}` endpoint that allowed unauthenticated users to upload arbitrary amounts of data without effective access control or flow validation. The flaw exposed affected servers to disk space exhaustion and denial-of-service, and the API response also revealed the absolute filesystem path of uploaded files. The issue was demonstrated against commit `2d67402` using any UUID as `flow_id`, showing that attackers could write data into a flow cache folder even without authorization. The fix was merged through PR `#12831` and released in **Langflow 1.9.1**, reusing the existing `get_flow` dependency to require authentication and verify flow ownership on the deprecated route. Maintainers also added file-size enforcement so oversized uploads now return **HTTP 413**, updated SDK helpers to support API-key authentication, and added regression tests covering unauthenticated rejection, authenticated uploads, oversized file handling, and `401` responses. After the patch, absolute file paths may still be returned, but only to the authenticated owner of the flow.
Jun 19, 2026
Langflow Flaws Enable Cross-Tenant Access and Fuel Cryptominer Intrusions
Multiple vulnerabilities in **Langflow** have exposed AI application deployments to both account-to-account abuse and active compromise. **`CVE-2026-33760`** affects versions before **1.9.0** and allows authenticated users to read, modify, rename, or delete other users’ messages, sessions, build artifacts, and LLM transaction logs through seven `/api/v1/monitor` endpoints that fail to enforce ownership checks. A separate flaw, **`CVE-2026-55255`**, affects versions before **1.9.2** and lets an authenticated attacker execute another user’s flow through the `/api/v1/responses` endpoint by supplying a victim `flow_id`, giving the issue a critical **CVSS 9.9** rating. At the same time, defenders are tracking a cryptocurrency-mining campaign exploiting **`CVE-2026-33017`**, an unauthenticated remote code execution bug in Langflow, to compromise exposed instances and deploy Monero miners. Threat research says the malware disables security controls, installs persistence, and can enable lateral movement through reused SSH keys; observed infrastructure includes **`83.142.209.214`** and **`94.156.64.241`**. Organizations running Langflow are being urged to upgrade to **1.9.0** and **1.9.2** or later as applicable, verify access-control enforcement, restrict public exposure of Langflow services, and treat signs of miner activity or unauthorized flow execution as a significant incident.
Jun 24, 2026
Actively Exploited Langflow RCE Exposed AI Pipeline Secrets and Triggered CISA KEV Listing
Threat actors rapidly exploited **CVE-2026-33017**, a critical unauthenticated remote code execution flaw in Langflow’s public flow build endpoint, allowing arbitrary Python code to reach an unsandboxed `exec()` path with a single crafted request. The bug affects Langflow versions prior to **1.9.0** and stems from the `POST /api/v1/build_public_tmp/{flow_id}/flow` endpoint accepting attacker-controlled flow data through an optional parameter. Researchers and vendor advisories said the issue is distinct from **CVE-2025-3248** because the vulnerable endpoint is intentionally public, meaning the fix required removing attacker-supplied flow data from that execution path rather than simply adding authentication. Sysdig and other researchers reported exploitation beginning within about **20 hours** of disclosure, with attackers scanning for exposed instances, validating code execution, reading files such as `.env`, `.db`, and `/etc/passwd`, stealing credentials, API keys, and database secrets, and attempting follow-on payload delivery from infrastructure including `173.212.205[.]251:8443`. The severity prompted **CISA** to add the flaw to its **Known Exploited Vulnerabilities** catalog and order federal agencies to remediate by **April 8, 2026** or discontinue use if they could not secure affected systems. Security guidance across the reports urged organizations to upgrade to **Langflow 1.9.0 or later**, restrict or remove internet exposure of the vulnerable endpoint, monitor outbound connections, and rotate secrets if compromise is suspected.
Jun 8, 2026