Langflow Missing Authorization Vulnerability in Image Download Endpoint

Vulnerability

A vulnerability exists in the Langflow application within the image download API endpoint. This endpoint lacks proper authentication and authorization checks, enabling any unauthenticated user to download images from any flow by simply knowing or guessing the flow ID and file name. The issue is present in the '/api/v1/files/images/{flow_id}/{file_name}' endpoint.
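
The missing check, modelled without any web framework, as an added example that is not Langflow's own code: the first handler serves any path that matches the route, the second requires a valid session and ownership of the flow. The session tokens, the ownership map and the handler names are hypothetical, and the sample data is constructed.

```python
import re

# Constructed sample data (hypothetical, not Langflow identifiers):
# flow_id -> owning user, session token -> user, stored images.
FLOW_OWNERS = {"flow-a": "alice", "flow-b": "bob"}
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}
IMAGES = {
    ("flow-a", "diagram.png"): b"\x89PNG-alice",
    ("flow-b", "scan.png"): b"\x89PNG-bob",
}

# Route shape taken from the advisory text.
ROUTE = re.compile(
    r"^/api/v1/files/images/(?P<flow_id>[^/]+)/(?P<file_name>[^/]+)$"
)


def handle_unprotected(path, token=None):
    """Behaviour the advisory describes: caller identity is never consulted."""
    m = ROUTE.match(path)
    if not m:
        return 404, b""
    body = IMAGES.get((m["flow_id"], m["file_name"]))
    return (200, body) if body is not None else (404, b"")


def handle_protected(path, token=None):
    """Same lookup, gated by authentication and a per-flow ownership check."""
    m = ROUTE.match(path)
    if not m:
        return 404, b""
    # Authentication: the request must carry a known session token.
    user = SESSIONS.get(token)
    if user is None:
        return 401, b""
    # Authorization: the caller must own the flow. A 404 is returned for
    # foreign and nonexistent flows alike, so the response does not confirm
    # which flow IDs exist.
    if FLOW_OWNERS.get(m["flow_id"]) != user:
        return 404, b""
    body = IMAGES.get((m["flow_id"], m["file_name"]))
    return (200, body) if body is not None else (404, b"")
```
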

Impact

Exploitation of this vulnerability allows for unauthorized access to images, potentially leading to the exposure of sensitive information contained within those images.

Added: Mar 27, 2026, 3:24 PM
Updated: Mar 27, 2026, 3:24 PM

Vulnerability Rating

Custom Algorithm

spread: 2.6
impact: 0.6
exploitability: 6.3
remediation: 0.0
relevance: 4.8
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.