Multiple security advisories published via the OSV database (sourced from GitHub Security Advisories and NVD) reveal...
Multiple security advisories published via the OSV database (sourced from GitHub Security Advisories and NVD) reveal that Langflow, a popular low-code platform for building AI agents, has been affected by at least 15 distinct vulnerabilities since June 2026.
confidence score
Strong evidence: 3 independent source classes support this read.
signal brief
Multiple security advisories published via the OSV database (sourced from GitHub Security Advisories and NVD) reveal that Langflow, a popular low-code platform for building AI agents, has been affected by at least 15 distinct vulnerabilities since June 2026. These include remote code execution (RCE) via BaseFileComponent nodes (CVE-2026-55447) and the validate_code() function (CVE-2026-0770), unauthenticated denial-of-service via multipart form boundary (CVE-2026-55446), insecure direct object references (IDOR) in the /api/v1/responses endpoint (CVE-2026-55255) and the monitor API (CVE-2026-33760), path traversal in knowledge bases (CVE-2026-42867), server-side request forgery (CVE-2025-68477), and cleartext storage of authentication settings (CVE-2026-6598). Many of these vulnerabilities allow an authenticated or even unauthenticated attacker to read, modify, or delete flows, execute arbitrary code, or cause service disruption. The most severe issues affect versions prior to 1.9.2 and 1.10.0. The breadth and severity of these flaws raise significant concerns about Langflow's security posture, potentially eroding developer and enterprise trust in the platform and driving users to alternative AI orchestration tools. For an AI-infra market perspective, this could slow adoption of Langflow in production AI workloads, affecting its position in the developer tooling ecosystem.
What the sources said
- CVE-2026-55447 (RCE via BaseFileComponent): "Langflow: BaseFileComponent-based nodes arbitrary file read with RCE exploit"
- CVE-2026-55255 (IDOR in /api/v1/responses): "Prior to 1.9.2, an Insecure Direct Object Reference (IDOR) vulnerability in /api/v1/responses endpoint allows an authenticated attacker to execute any flow belonging to another user by specifying the victim's flow ID."
- CVE-2026-55446 (Unauthenticated DoS): "Prior to 1.0.19, an attacker can send a /api/v1/files/upload/ request without any authentication... to make the langflow app unusable for all users for an indefinite amount of time."
- CVE-2026-33760 (IDOR in monitor API): "Any authenticated user can read, modify, rename, or permanently delete another user's data by supplying the target's resource ID or flow_id."
source data used
“Stop fighting your tools Langflow is a powerful tool to build and deploy AI agents and MCP servers. It comes with batteries included and supports all major LLMs, vector databases and a growing library of AI...”
“A Python package with a built-in web application”
“Aliases: CVE-2026-55423, PYSEC-2026-222 Langflow: Logout button does not clear session”
“Aliases: CVE-2026-55447, PYSEC-2026-378 Langflow: BaseFileComponent-based nodes arbitrary file read with RCE exploit”
“Aliases: CVE-2026-55255, PYSEC-2026-221 Langflow: IDOR Vulnerability in `/api/v1/responses` Endpoint Allows Authenticated Attackers to Access Another User's Flow”
“Aliases: CVE-2026-55446, PYSEC-2026-223 Langflow: Unauthenticated DoS through multipart form boundary file upload”
“Aliases: CVE-2024-9277, GHSA-355v-2rjx-fpx7 Inefficient Regular Expression Complexity in langflow”
“Aliases: CVE-2025-68477, GHSA-5993-7p27-66g5 Langflow vulnerable to Server-Side Request Forgery”
“Aliases: CVE-2024-48061, GHSA-5p5r-57fx-pmfr Langflow vulnerable to remote code execution”
“Aliases: CVE-2026-21445, GHSA-c5cp-vx83-jhqx, PYSEC-2026-2571 Langflow Missing Authentication on Critical API Endpoints”
“Aliases: CVE-2026-0770, GHSA-g22f-v6f7-2hrh Langflow affected by Remote Code Execution via validate_code() exec()”
“Aliases: CVE-2026-55255, GHSA-qrpv-q767-xqq2 Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to 1.9.2, an Insecure Direct Object Reference (IDOR) vulnerability in /api/v1/responses endpoint allows an authenticated attacker to execute any flow...”
“Aliases: CVE-2026-55423, GHSA-7hw8-6q6r-4276 Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to 1.7.0, the logout button does not clear the session. The previous user stays logged in unless another user explicitly...”
“Aliases: CVE-2026-55446, GHSA-qwqc-p3q8-wcg9 Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to 1.0.19, an attacker can send a /api/v1/files/upload/ request without any authentication token/cookies and abuse a very long multipart form...”
“Aliases: CVE-2026-55450, GHSA-x223-p2gf-v735 Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to 1.9.1, unauthenticated users can upload any amount of data to the server without any limitations. No need for any...”
“Aliases: CVE-2026-33760, GHSA-9c59-2mvc-vfr8 Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to 1.9.0, Langflow's /api/v1/monitor router exposes 7 endpoints that perform read, write, and delete operations on user-owned resources — messages,...”
“Aliases: CVE-2026-48519, GHSA-v5ff-9q35-q26f Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to 1.9.2, the "Shareable Playground" (or "Public Flows" in code) contains a critical RCE vulnerability. Shareable Playground feature works by...”
“Aliases: CVE-2026-48520, GHSA-rcjh-r59h-gq37 Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to 1.10.0, the "Shareable Playground" (or "Public Flows" in code) contains a potential arbitrary file-read vulnerability, depending on the exact...”
“Aliases: CVE-2026-6597, GHSA-5jjf-wcvf-923w Langflow has an Information Leak through Incomplete API Key Redaction”
“Aliases: CVE-2026-42867, GHSA-79ph-745m-6wxq Langflow: Path Traversal in Knowledge Bases API via Creation Endpoint”
“Aliases: CVE-2026-34046, GHSA-8c4j-f57c-35cf, PYSEC-2026-2570 Langflow: Authenticated Users Can Read, Modify, and Delete Any Flow via Missing Ownership Check”
“Aliases: CVE-2026-6598, GHSA-9jpj-cph8-w449 Langflow: Cleartext Storage of Authentication Settings in Project Creation Endpoint”
“Aliases: CVE-2026-6599, GHSA-v66p-f7x3-4794 Langflow vulnerable to injection”
“Aliases: CVE-2026-27966, GHSA-3645-fxcv-hqr4 Langflow has Remote Code Execution in CSV Agent”
“Aliases: CVE-2026-42048, GHSA-9whx-c884-c68q Langflow Knowledge Bases API is Vulnerable to Path Traversal”
“Aliases: CVE-2026-55447, GHSA-ccv6-r384-xp75 Langflow: BaseFileComponent-based nodes arbitrary file read with RCE exploit”
“Aliases: CVE-2026-33017, GHSA-vwmf-pq79-vjvx Unauthenticated Remote Code Execution in Langflow via Public Flow Build Endpoint”
Decision support, not stock advice. This signal is research with cited evidence — not a recommendation to buy, sell, or hold any security.