Langflow
cpe:2.3:a:langflow:langflow:*:*:*:*:*:*:*
- < 1.7.0.dev45
A vulnerability exists in Langflow prior to version 1.7.0.dev45, where multiple critical API endpoints lack proper authentication controls. This oversight allows any unauthenticated user to access sensitive user conversation data, transaction histories, and execute destructive actions such as deleting messages. The affected endpoints handle personal data and system operations that should require authorization.
The vulnerability leads to unauthorized access to user conversations and transaction histories, allowing for privacy violations and potential data breaches. Additionally, it enables the deletion of user messages, creating a risk of data loss.
To reproduce this vulnerability, start a Langflow server instance without authentication headers or API keys. Then, access the vulnerable endpoints: '/api/v1/monitor/messages' to retrieve user messages, '/api/v1/monitor/transactions' to access transaction histories, and '/api/v1/monitor/messages/session/{session_id}' to delete messages from a specific session. All these actions can be performed without authentication, exposing sensitive data and allowing unauthorized message deletions.
Langflow version 1.7.0.dev45 has been patched to include authentication on the affected endpoints. Users should update to this version.
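To check whether an instance was queried this way before it was upgraded, the following added example (not part of the advisory or of Langflow's code) scans reverse-proxy access logs for requests to the three endpoints above that succeeded without credentials. The JSON log format, its field names (including has_credentials) and the use of HTTP DELETE for message deletion are assumptions; the sample lines are constructed.

```python
import json
from urllib.parse import urlsplit
import re

# Endpoints named in the advisory; {session_id} is matched as one path segment.
MONITOR_PATHS = [
    ("messages", re.compile(r"^/api/v1/monitor/messages/?$")),
    ("transactions", re.compile(r"^/api/v1/monitor/transactions/?$")),
    ("session-messages", re.compile(r"^/api/v1/monitor/messages/session/[^/]+/?$")),
]

# Constructed sample: one JSON object per line, as a reverse proxy might emit it.
# Field names, query strings and addresses are assumptions, not Langflow output.
SAMPLE_LOG = """\
{"ts":"2025-01-01T10:00:00Z","src":"198.51.100.7","method":"GET","path":"/api/v1/monitor/messages?order=asc","status":200,"has_credentials":false}
{"ts":"2025-01-01T10:00:05Z","src":"192.0.2.10","method":"GET","path":"/api/v1/monitor/transactions","status":200,"has_credentials":true}
{"ts":"2025-01-01T10:00:09Z","src":"198.51.100.7","method":"DELETE","path":"/api/v1/monitor/messages/session/s-42","status":204,"has_credentials":false}
{"ts":"2025-01-01T10:01:00Z","src":"203.0.113.9","method":"GET","path":"/api/v1/monitor/transactions","status":403,"has_credentials":false}
{"ts":"2025-01-01T10:01:30Z","src":"203.0.113.9","method":"GET","path":"/api/v1/flows/","status":200,"has_credentials":false}
truncated line that is not JSON
"""


def find_unauthenticated_hits(log_text):
    """Return monitor-endpoint requests that succeeded without credentials."""
    hits = []
    for line in log_text.splitlines():
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip lines that are not valid JSON
        if not isinstance(rec, dict):
            continue
        path = urlsplit(rec.get("path", "")).path  # drop the query string
        endpoint = next((n for n, rx in MONITOR_PATHS if rx.match(path)), None)
        if endpoint is None or rec.get("has_credentials"):
            continue  # other endpoint, or the caller presented credentials
        if not 200 <= rec.get("status", 0) < 300:
            continue  # request was rejected, so the auth check is in effect
        # Assumption: message deletion is issued as an HTTP DELETE.
        impact = "destructive" if rec.get("method") == "DELETE" else "read"
        hits.append({"ts": rec.get("ts"), "src": rec.get("src"),
                     "endpoint": endpoint, "impact": impact})
    return hits


if __name__ == "__main__":
    for hit in find_unauthenticated_hits(SAMPLE_LOG):
        print(hit)
```

A record with no has_credentials field is treated as unauthenticated, so logs that lack the field over-report rather than hide hits.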