Langflow API Key Deletion Vulnerability Allows Unauthorized Key Removal

Vulnerability

A vulnerability exists in Langflow versions prior to 1.9.0 in the delete_api_key_route() endpoint, which allows authenticated users to delete API keys belonging to other users. The endpoint accepts an api_key_id parameter and performs the deletion after checking only that the caller is authenticated, without verifying that the caller owns the API key. This flaw enables an authenticated attacker who guesses or discovers API key IDs to delete them, potentially leading to account takeover and disruption of integrations.
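The authorization gap described above, as an added illustration in plain Python (this is constructed example code, not Langflow's delete_api_key_route() implementation or its data model): a delete handler that checks only that the caller is authenticated, placed beside one that also scopes the lookup to the caller's own keys. The ApiKeyStore, the user identifiers and the NotFound exception are all assumptions made for the example.

```python
"""Constructed illustration (not Langflow's code) of a missing-ownership check
on an API key delete endpoint, beside the hardened form of the same handler."""
from __future__ import annotations

from dataclasses import dataclass
from uuid import UUID, uuid4


class NotFound(Exception):
    """Raised when a key does not exist or is not visible to the caller."""


@dataclass(frozen=True)
class ApiKey:
    id: UUID
    user_id: UUID  # owner of the key
    name: str


class ApiKeyStore:
    """In-memory stand-in for the API key table (constructed for the example)."""

    def __init__(self) -> None:
        self._keys: dict[UUID, ApiKey] = {}

    def create(self, user_id: UUID, name: str) -> ApiKey:
        key = ApiKey(id=uuid4(), user_id=user_id, name=name)
        self._keys[key.id] = key
        return key

    def get(self, key_id: UUID) -> ApiKey | None:
        return self._keys.get(key_id)

    def delete(self, key_id: UUID) -> None:
        del self._keys[key_id]


def delete_api_key_vulnerable(store: ApiKeyStore, current_user_id: UUID, api_key_id: UUID) -> None:
    """Authentication only: the caller is known, but never compared to the key's owner."""
    if store.get(api_key_id) is None:
        raise NotFound("API key not found")
    store.delete(api_key_id)  # deletes the key whoever owns it


def delete_api_key_hardened(store: ApiKeyStore, current_user_id: UUID, api_key_id: UUID) -> None:
    """Authentication plus ownership: only the caller's own keys are deletable.

    A key owned by someone else is reported exactly like a missing key, so the
    endpoint does not confirm whether a guessed id exists.
    """
    key = store.get(api_key_id)
    if key is None or key.user_id != current_user_id:
        raise NotFound("API key not found")
    store.delete(api_key_id)


def demo() -> dict[str, bool]:
    """Run both handlers against the same scenario and report what each allowed."""
    store = ApiKeyStore()
    alice, bob = uuid4(), uuid4()

    # Vulnerable handler: bob, authenticated as himself, deletes alice's key.
    alice_key = store.create(alice, "alice-ci")
    delete_api_key_vulnerable(store, bob, alice_key.id)
    cross_user_delete_succeeded = store.get(alice_key.id) is None

    # Hardened handler: the same request is refused and the key survives ...
    alice_key = store.create(alice, "alice-ci")
    try:
        delete_api_key_hardened(store, bob, alice_key.id)
        cross_user_delete_blocked = False
    except NotFound:
        cross_user_delete_blocked = store.get(alice_key.id) is not None

    # ... while the owner can still delete their own key.
    delete_api_key_hardened(store, alice, alice_key.id)
    owner_delete_succeeded = store.get(alice_key.id) is None

    return {
        "vulnerable_allows_cross_user_delete": cross_user_delete_succeeded,
        "hardened_blocks_cross_user_delete": cross_user_delete_blocked,
        "hardened_allows_owner_delete": owner_delete_succeeded,
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The fix is the single ownership comparison in delete_api_key_hardened(); in a real service the equivalent is to filter the delete query by both the key id and the authenticated user's id, so the database never sees a request that could touch another user's row.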

Impact

Exploitation of this vulnerability allows an authenticated user to delete API keys of other users, leading to account takeover and disruption of services that rely on those API keys.

Remediation

Users are advised to update Langflow to version 1.9.0 or later, where this vulnerability has been patched.

Added: Mar 20, 2026, 7:20 AM
Updated: Mar 20, 2026, 7:20 AM

Vulnerability Rating

Custom Algorithm
spread: 2.6
impact: 2.5
exploitability: 4.5
remediation: 7.7
relevance: 4.2
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.