IBM Langflow OSS Insecure Direct Object Reference Vulnerability Allowing Cross-User Data Access and Deletion
Vulnerability
An insecure direct object reference vulnerability has been identified in IBM Langflow OSS versions 1.0.0 through 1.8.4. This vulnerability allows authenticated users to manipulate data belonging to other users by supplying arbitrary flow_id values. The affected Monitor API endpoints lack proper authorization checks, enabling access to sensitive transaction logs and vertex build data from other users' flows. Additionally, this vulnerability allows for the deletion of persisted vertex build data for another user's flow.
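The authorization gap described above, as an added example that is not Langflow's code: a minimal model of Monitor-style read and delete operations that select records by flow_id alone, beside versions that first resolve the flow scoped to the calling user. All names (Store, Flow, get_transactions_hardened, the sample users and flow ids) are hypothetical.

```python
"""
Hypothetical model of an IDOR on per-flow monitoring data (not Langflow code).
The vulnerable functions trust the supplied flow_id; the hardened ones refuse
to return or delete anything unless the caller owns that flow.
"""
from dataclasses import dataclass, field


class NotFound(Exception):
    """Raised when a flow does not exist or is not visible to the caller."""


@dataclass
class Flow:
    flow_id: str
    owner_id: str


@dataclass
class Store:
    flows: dict = field(default_factory=dict)          # flow_id -> Flow
    transactions: dict = field(default_factory=dict)   # flow_id -> list of log records
    vertex_builds: dict = field(default_factory=dict)  # flow_id -> list of build records


# --- vulnerable shape: flow_id alone selects the records -------------------
def get_transactions_vulnerable(store, caller_id, flow_id):
    # caller_id is accepted but never compared with the flow's owner
    return store.transactions.get(flow_id, [])


def delete_vertex_builds_vulnerable(store, caller_id, flow_id):
    # same defect: any authenticated caller can wipe any flow's build data
    store.vertex_builds.pop(flow_id, None)


# --- hardened shape: resolve the flow as owned by the caller first ---------
def _owned_flow(store, caller_id, flow_id):
    flow = store.flows.get(flow_id)
    if flow is None or flow.owner_id != caller_id:
        # One error for "missing" and "not yours", so the endpoint does not
        # confirm that another user's flow_id exists.
        raise NotFound(flow_id)
    return flow


def get_transactions_hardened(store, caller_id, flow_id):
    _owned_flow(store, caller_id, flow_id)
    return store.transactions.get(flow_id, [])


def delete_vertex_builds_hardened(store, caller_id, flow_id):
    _owned_flow(store, caller_id, flow_id)
    store.vertex_builds.pop(flow_id, None)


def demo():
    """Constructed sample data: two users, one flow each, data only on bob's."""
    store = Store()
    store.flows["flow-a"] = Flow("flow-a", "alice")
    store.flows["flow-b"] = Flow("flow-b", "bob")
    store.transactions["flow-b"] = [{"vertex": "llm", "status": "success"}]
    store.vertex_builds["flow-b"] = [{"vertex": "llm", "valid": True}]

    # vulnerable path: alice reads bob's transaction log by guessing his flow_id
    leaked = get_transactions_vulnerable(store, "alice", "flow-b")

    # hardened path: same request is refused, while bob's own request succeeds
    try:
        get_transactions_hardened(store, "alice", "flow-b")
        blocked = False
    except NotFound:
        blocked = True
    owner_rows = len(get_transactions_hardened(store, "bob", "flow-b"))

    # hardened delete refuses alice; vulnerable delete removes bob's builds
    try:
        delete_vertex_builds_hardened(store, "alice", "flow-b")
        delete_blocked = False
    except NotFound:
        delete_blocked = True
    builds_before = len(store.vertex_builds.get("flow-b", []))
    delete_vertex_builds_vulnerable(store, "alice", "flow-b")
    builds_after = len(store.vertex_builds.get("flow-b", []))

    return {
        "leaked": len(leaked),
        "blocked": blocked,
        "owner_rows": owner_rows,
        "delete_blocked": delete_blocked,
        "builds_before": builds_before,
        "builds_after": builds_after,
    }


if __name__ == "__main__":
    print(demo())
```

The fix pattern is to look the flow up by (flow_id, owner_id) rather than by flow_id alone, and to apply that lookup to every operation on the flow's derived data, including delete, not just the primary flow endpoint. Returning the same not-found response for foreign and nonexistent ids also avoids turning the endpoint into an oracle for valid flow ids.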
Impact
Exploitation of this vulnerability could lead to unauthorized access to and manipulation of another user's transaction logs and vertex build data, including the deletion of build data.
Remediation
Users are advised to upgrade to Langflow OSS version 1.9.0 or newer.