2026-06-25·LANGFLOW·security risk
med · down

In June 2026, multiple security advisories were published for Langflow, highlighting critical vulnerabilities.

window 15d · evidence 1

signal brief

In June 2026, multiple security advisories were published for Langflow, highlighting critical vulnerabilities. These include path traversal in the Knowledge Bases API (CVE-2026-42867, source), IDOR in the Monitor API with missing ownership enforcement on 7 endpoints (CVE-2026-33760, source), arbitrary file read and RCE via BaseFileComponent-based nodes (CVE-2026-55447, source), IDOR in /api/v1/responses allowing access to other users' flows (CVE-2026-55255, source), unauthenticated DoS through multipart form boundary file upload (CVE-2026-55446, source), unauthenticated arbitrary local or S3 file read through shareable playgrounds (CVE-2026-48520, source), unauthenticated RCE in shareable playgrounds (CVE-2026-48519, source), and unauthenticated file upload leading to DoS and information leak (CVE-2026-55450, source). A session not cleared on logout was also reported (CVE-2026-55423, source). These security issues pose significant risks to users and their data, potentially undermining trust in the platform. The volume and severity of the vulnerabilities indicate a need for urgent remediation and suggest a potential future impact on adoption and enterprise use.

evidence

Decision support, not stock advice. This signal is research with cited evidence — not a recommendation to buy, sell, or hold any security.