signal brief
In June 2026, Langflow published multiple security advisories on OSV covering a series of critical vulnerabilities in releases that predate the respective fixes. The itemized flaws are: remote code execution (RCE) through Shareable Playgrounds (GHSA-v5ff-9q35-q26f, PYSEC-2026-243); arbitrary file read via path traversal (GHSA-79ph-745m-6wxq, PYSEC-2026-377); IDOR/BOLA (broken object-level authorization) affecting multiple endpoints (GHSA-9c59-2mvc-vfr8, GHSA-qrpv-q767-xqq2); unauthenticated file upload leading to denial of service and information leakage (GHSA-x223-p2gf-v735); and a session that is not cleared on logout (GHSA-7hw8-6q6r-4276). Together these allow an attacker to execute arbitrary code on the host, read other users' data, or crash the service. The evidence list below cites further OSV records beyond those itemized here, so this set is a floor, not the full count. The fixes are spread across releases 1.0.19, 1.7.0, 1.9.0, 1.9.1, 1.9.2, and 1.10.0; each OSV entry records the version range it affects, so operators should compare their pinned version against every relevant range rather than assume a single cutoff.

The disclosure of this many critical vulnerabilities within a short window raises significant questions about Langflow's security posture and may erode trust among the developers and enterprises that deploy it for AI workflows. That could slow adoption, prompt security audits, and push users toward more mature alternatives.
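As an added, runnable illustration of the version check described above (this is not Langflow's, OSV's, or the page's own code): the script below evaluates a pinned Langflow version against advisory records written in the OSV schema (PyPI ecosystem, ECOSYSTEM ranges with introduced/fixed events) and reports the lowest release that clears all of them. The two records are constructed with placeholder IDs; the pairing of each flaw with a fixed version is an assumption made for illustration, since the page lists several fix releases without saying which advisory each closes. The version parser covers only the PEP 440 subset the page's version numbers need (dotted integers plus an optional a/b/rc tag). To run the same logic against the real records, fetch them from https://api.osv.dev/v1/vulns/<ID> or POST a package/version query to https://api.osv.dev/v1/query and feed the returned JSON to affected_ids().

```python
"""Evaluate an installed Langflow version against OSV-schema advisory ranges.

Added example; not code from Langflow, OSV, or the page. The records below
are CONSTRUCTED in the OSV schema shape (ecosystem "PyPI", range type
"ECOSYSTEM", introduced/fixed events) with placeholder IDs; they are not
copies of the real GHSA/PYSEC entries, whose ranges must be read from osv.dev.
"""
import re
from typing import Dict, List, Tuple

PACKAGE = "langflow"
ECOSYSTEM = "PyPI"

# Constructed sample records. Which flaw was closed in which release is an
# ASSUMPTION for illustration only; the page lists several fix releases but
# does not map advisories to them.
SAMPLE_ADVISORIES: List[Dict] = [
    {
        "id": "GHSA-xxxx-xxxx-0001",  # placeholder, not a real advisory ID
        "summary": "illustrative: RCE via shareable playground",
        "affected": [{
            "package": {"ecosystem": ECOSYSTEM, "name": PACKAGE},
            "ranges": [{"type": "ECOSYSTEM",
                        "events": [{"introduced": "0"}, {"fixed": "1.10.0"}]}],
        }],
    },
    {
        "id": "GHSA-xxxx-xxxx-0002",  # placeholder, not a real advisory ID
        "summary": "illustrative: path traversal file read",
        "affected": [{
            "package": {"ecosystem": ECOSYSTEM, "name": PACKAGE},
            "ranges": [{"type": "ECOSYSTEM",
                        "events": [{"introduced": "0"}, {"fixed": "1.9.2"}]}],
        }],
    },
]

_PRE_RANK = {"a": 0, "b": 1, "rc": 2}
_FINAL_RANK = 3  # a final release sorts after any pre-release of itself
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:(a|b|rc)(\d+))?$")

Version = Tuple[Tuple[int, ...], Tuple[int, int]]


def parse_version(text: str) -> Version:
    """Parse 'N.N.N' or 'N.N.Nrc1' into a sortable key.

    Trailing zeros are stripped so that 1.10 == 1.10.0, as PEP 440 requires.
    Only the subset needed for Langflow's release numbers is supported.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unsupported version string: {text!r}")
    release = [int(p) for p in m.group(1).split(".")]
    while len(release) > 1 and release[-1] == 0:
        release.pop()
    pre = (_PRE_RANK[m.group(2)], int(m.group(3))) if m.group(2) else (_FINAL_RANK, 0)
    return tuple(release), pre


def range_affects(events: List[Dict], version: Version) -> bool:
    """Walk one OSV ECOSYSTEM range (events sorted ascending) and report
    whether `version` falls inside an introduced..fixed window."""
    inside = False
    for event in events:
        if "introduced" in event:
            # OSV uses "0" for "since the first release"; it parses as (0,)
            if version >= parse_version(event["introduced"]):
                inside = True
        elif "fixed" in event:
            if version >= parse_version(event["fixed"]):
                inside = False
        elif "last_affected" in event:
            if version > parse_version(event["last_affected"]):
                inside = False
    return inside


def affected_ids(installed: str, advisories: List[Dict]) -> List[str]:
    """Return the IDs of advisories whose langflow/PyPI ranges cover `installed`."""
    version = parse_version(installed)
    hits = []
    for adv in advisories:
        for entry in adv.get("affected", []):
            pkg = entry.get("package", {})
            if pkg.get("ecosystem") != ECOSYSTEM or pkg.get("name") != PACKAGE:
                continue
            if any(r.get("type") == "ECOSYSTEM" and range_affects(r["events"], version)
                   for r in entry.get("ranges", [])):
                hits.append(adv["id"])
                break
    return hits


def minimum_safe_version(advisories: List[Dict]) -> str:
    """Lowest 'fixed' version that no advisory in the set still covers."""
    fixed = set()
    for adv in advisories:
        for entry in adv.get("affected", []):
            for r in entry.get("ranges", []):
                fixed.update(e["fixed"] for e in r.get("events", []) if "fixed" in e)
    for candidate in sorted(fixed, key=parse_version):
        if not affected_ids(candidate, advisories):
            return candidate
    raise RuntimeError("no version in the set clears every advisory")


if __name__ == "__main__":
    for v in ("1.9.1", "1.9.2", "1.10.0rc1", "1.10.0"):
        print(v, "->", affected_ids(v, SAMPLE_ADVISORIES) or "clean")
    print("minimum safe:", minimum_safe_version(SAMPLE_ADVISORIES))
```

The range walker follows the OSV event semantics (a later "introduced" reopens the window, a "fixed" or "last_affected" closes it), so it also handles records with several windows, which is how backported fixes on separate release lines appear in real entries. Note that a pre-release such as 1.10.0rc1 sorts below the 1.10.0 fix and is still reported as affected.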
evidence
- https://pypi.org/project/langflow/
- https://osv.dev/vulnerability/GHSA-79ph-745m-6wxq
- https://osv.dev/vulnerability/GHSA-7hw8-6q6r-4276
- https://osv.dev/vulnerability/GHSA-9c59-2mvc-vfr8
- https://osv.dev/vulnerability/GHSA-ccv6-r384-xp75
- https://osv.dev/vulnerability/GHSA-qrpv-q767-xqq2
- https://osv.dev/vulnerability/GHSA-qwqc-p3q8-wcg9
- https://osv.dev/vulnerability/GHSA-rcjh-r59h-gq37
- https://osv.dev/vulnerability/GHSA-v5ff-9q35-q26f
- https://osv.dev/vulnerability/GHSA-x223-p2gf-v735
- https://osv.dev/vulnerability/PYSEC-2026-221
- https://osv.dev/vulnerability/PYSEC-2026-222
- https://osv.dev/vulnerability/PYSEC-2026-223
- https://osv.dev/vulnerability/PYSEC-2026-224
- https://osv.dev/vulnerability/PYSEC-2026-242
- https://osv.dev/vulnerability/PYSEC-2026-243
- https://osv.dev/vulnerability/PYSEC-2026-244
- https://osv.dev/vulnerability/PYSEC-2026-376
- https://osv.dev/vulnerability/PYSEC-2026-377
- https://osv.dev/vulnerability/PYSEC-2026-378
- https://osv.dev/vulnerability/PYSEC-2026-379
Decision support, not stock advice. This signal is research with cited evidence — not a recommendation to buy, sell, or hold any security.