IBM Langflow Desktop Unauthenticated Insecure Direct Object Reference Vulnerability

Vulnerability

An insecure direct object reference (IDOR) vulnerability has been identified in IBM Langflow Desktop versions 1.0.0 through 1.8.4. The image retrieval endpoint, GET /api/v1/files/images/{flow_id}/{file_name}, serves the requested file without authenticating the caller or verifying that the caller owns the referenced flow. An unauthenticated attacker who supplies another user's flow identifier and file name therefore receives that user's image, which may expose sensitive information contained in it.
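The following is an added illustration, not Langflow's own code: an in-memory model of the image endpoint in the flawed form the advisory describes (file served from flow_id and file_name alone, with no caller identity and no ownership check) next to a hardened form that requires an authenticated user and confirms the flow belongs to them. The flow and user records, the sample images and the helper names are all constructed for this example; the file-name guard at the end is general hardening for a filesystem-backed handler and is not a flaw the advisory reports.

```python
"""Added example modelling the missing authorization check. Constructed data; not Langflow code."""
from dataclasses import dataclass, field
from typing import Dict, Optional
import posixpath


class AuthError(Exception):
    """Raised when the request carries no authenticated user."""


@dataclass
class User:
    user_id: str


@dataclass
class Flow:
    flow_id: str
    owner_id: str
    images: Dict[str, bytes] = field(default_factory=dict)


# Constructed sample data: two users, each owning one flow with one image.
FLOWS: Dict[str, Flow] = {
    "flow-alice": Flow("flow-alice", "alice", {"chart.png": b"ALICE-PNG"}),
    "flow-bob": Flow("flow-bob", "bob", {"diagram.png": b"BOB-PNG"}),
}


def vulnerable_get_image(flow_id: str, file_name: str) -> bytes:
    """Flawed pattern: the handler never asks who is calling and never
    checks ownership, so any flow_id/file_name pair that exists is served."""
    flow = FLOWS.get(flow_id)
    if flow is None or file_name not in flow.images:
        raise FileNotFoundError(file_name)
    return flow.images[file_name]


def hardened_get_image(current_user: Optional[User], flow_id: str, file_name: str) -> bytes:
    """Hardened pattern: require an authenticated caller, then resolve the
    flow and refuse it unless the caller owns it, before touching the file."""
    if current_user is None:
        raise AuthError("authentication required")
    flow = FLOWS.get(flow_id)
    # Same 'not found' for missing and foreign flows, so the endpoint does
    # not confirm which flow identifiers exist to a caller who does not own them.
    if flow is None or flow.owner_id != current_user.user_id:
        raise FileNotFoundError(flow_id)
    # Extra hardening (assumption, not from the advisory): accept only a bare
    # file name, so a filesystem-backed handler cannot be steered out of the
    # flow's image directory.
    if file_name in ("", ".", "..") or posixpath.basename(file_name) != file_name:
        raise FileNotFoundError(file_name)
    if file_name not in flow.images:
        raise FileNotFoundError(file_name)
    return flow.images[file_name]


def access_outcome(current_user: Optional[User], flow_id: str, file_name: str) -> str:
    """Summarise the hardened handler's decision as a short label for checks."""
    try:
        hardened_get_image(current_user, flow_id, file_name)
        return "ok"
    except AuthError:
        return "unauthenticated"
    except FileNotFoundError:
        return "not_found"


if __name__ == "__main__":
    # Anonymous cross-user read succeeds against the flawed handler...
    print(vulnerable_get_image("flow-bob", "diagram.png"))
    # ...and is refused by the hardened one, while the owner still succeeds.
    print(access_outcome(None, "flow-bob", "diagram.png"))
    print(access_outcome(User("alice"), "flow-bob", "diagram.png"))
    print(access_outcome(User("bob"), "flow-bob", "diagram.png"))
```

The fix is the ownership comparison on the flow record, not anything about the file name: an identifier the client supplies is only safe to dereference once the server has tied it back to the authenticated caller.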

Impact

Exploitation of this vulnerability could result in unauthorized access to image files, potentially exposing sensitive information stored within those images.

Remediation

Users are advised to upgrade to IBM Langflow Desktop version 1.9.0 or newer. Instructions for downloading Langflow Desktop 1.9.0 are available on the Langflow website.

Added: Apr 30, 2026, 9:24 PM
Updated: Apr 30, 2026, 9:24 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 0.6
exploitability: 6.6
remediation: 0.0
relevance: 7.1
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.