Langflow
cpe:2.3:a:langflow:langflow:*:*:*:*:*:*:*
- <= 1.5.0
A vulnerability in Langflow versions prior to 1.5.1 allows authenticated users to access, modify, and delete flows belonging to other users. The issue arises from a missing ownership check in the '_read_flow' helper, located in 'src/backend/base/langflow/api/v1/flows.py'. The vulnerability was introduced by conditional logic intended to support public or example flows under auto-login mode, which inadvertently left the authenticated user path unprotected. As a result, any authenticated user could read another user's flow, including embedded plaintext API keys, alter the logic of AI agents, or delete flows from other users.
Exploitation of this vulnerability could lead to unauthorized access to, and modification or deletion of, user flows, including sensitive information such as API keys.
Users can upgrade to Langflow version 1.5.1 or later to address this vulnerability.
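The description above comes down to a single shape: a shared lookup helper that handles the public/example branch and then returns the flow to any authenticated caller without comparing the flow's owner to the requesting user. The block below is an added illustration of that shape and of the corrected check, not Langflow's own code; the `Flow`/`User` types, the in-memory `FLOWS` store, the `auto_login` flag and the helper names are all assumptions constructed for the example.

```python
"""Missing-ownership-check pattern and its fix (constructed example, not Langflow's code).

A lookup helper shared by read, update and delete handlers is reconstructed
here on an in-memory store. All names and fields are assumptions.
"""
from dataclasses import dataclass, field
from typing import Callable, Optional


@dataclass(frozen=True)
class User:
    id: str


@dataclass
class Flow:
    id: str
    user_id: Optional[str]          # None marks a public/example flow
    name: str
    data: dict = field(default_factory=dict)


class FlowNotFound(Exception):
    pass


# Constructed sample store: one private flow per user plus one public example.
FLOWS = {
    "f-alice": Flow("f-alice", "alice", "alice-agent", {"api_key": "sk-alice-PLACEHOLDER"}),
    "f-bob": Flow("f-bob", "bob", "bob-agent", {"api_key": "sk-bob-PLACEHOLDER"}),
    "f-example": Flow("f-example", None, "starter-example", {}),
}


def _read_flow_vulnerable(flow_id: str, user: User, auto_login: bool) -> Flow:
    """Shape of the bug: the public/auto-login branch is handled first and the
    remaining (authenticated) path returns the flow without checking ownership."""
    flow = FLOWS.get(flow_id)
    if flow is None:
        raise FlowNotFound(flow_id)
    if auto_login and flow.user_id is None:
        return flow                 # public/example flow under auto-login: intended
    return flow                     # BUG: no comparison of flow.user_id to user.id


def _read_flow_fixed(flow_id: str, user: User, auto_login: bool) -> Flow:
    """Hardened helper: a flow is returned only if it is a public example under
    auto-login mode or it belongs to the caller. Denials raise the same
    not-found error as a missing id, so the response does not confirm that a
    foreign flow id exists."""
    flow = FLOWS.get(flow_id)
    if flow is None:
        raise FlowNotFound(flow_id)
    is_public_example = auto_login and flow.user_id is None
    if not is_public_example and flow.user_id != user.id:
        raise FlowNotFound(flow_id)
    return flow


Reader = Callable[[str, User, bool], Flow]


def denies(reader: Reader, flow_id: str, user: User, auto_login: bool) -> bool:
    """True when the helper refuses the request (raises FlowNotFound)."""
    try:
        reader(flow_id, user, auto_login)
    except FlowNotFound:
        return True
    return False


def reachable_flows(reader: Reader, user: User, auto_login: bool) -> set:
    """Audit helper: which flow ids a given user can obtain through `reader`.
    Comparing the two helpers' results makes the over-exposure visible."""
    return {fid for fid in FLOWS if not denies(reader, fid, user, auto_login)}


if __name__ == "__main__":
    alice = User("alice")
    print("vulnerable:", sorted(reachable_flows(_read_flow_vulnerable, alice, True)))
    print("fixed:     ", sorted(reachable_flows(_read_flow_fixed, alice, True)))
```

Because the read, modify and delete handlers all go through the one helper, the ownership check belongs in the helper itself; fixing it there closes all three paths at once, whereas patching only the read handler would leave update and delete exposed. The `reachable_flows` audit is the kind of check worth keeping as a regression test after such a fix: for a non-owner it should never return another user's private flow.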