confidence score
Strong evidence: 2 independent source classes support this read.
signal brief
Langflow, an open-source tool for building and deploying AI agents and workflows, has been disclosed with a series of severe security vulnerabilities, as reported by multiple OSV advisories. Between June 16 and June 29, 2026, at least 10 distinct CVEs were published, covering remote code execution (RCE), path traversal, insecure direct object references (IDOR), unauthenticated DoS, arbitrary file read, and session management flaws.
What the sources said:
- OSV advisory GHSA-v5ff-9q35-q26f (RCE in Shareable Playground): "The vulnerable field is data.nodes[X].data.node.template.code.value."
- OSV advisory GHSA-rcjh-r59h-gq37 (file read via Shareable Playground): "The files path can be any path supported by the storage - local file or S3 path."
- OSV advisory PYSEC-2026-224 (unauthenticated DoS and info leak): "unauthenticated users can upload any amount of data to the server without any limitations."
- OSV advisory PYSEC-2026-242 (IDOR in Monitor API): "Any authenticated user can read, modify, rename, or permanently delete another user's data."
The vulnerabilities affect multiple versions, with fixes released in versions 1.7.0 through 1.10.0. The high number and severity of these flaws, including RCE and unauthenticated exploits, significantly undermine trust in Langflow as a secure platform for building AI workflows. This may lead to decreased adoption, migration to alternatives, and increased scrutiny from enterprise customers, impacting Langflow's position in the AI developer tool ecosystem.
source data used
“A Python package with a built-in web application”
“Aliases: CVE-2026-42867 Langflow: Path Traversal in Knowledge Bases API via Creation Endpoint”
“Aliases: CVE-2026-55423, PYSEC-2026-222 Langflow: Logout button does not clear session”
“Aliases: CVE-2026-33760, PYSEC-2026-242 Langflow: IDOR/BOLA in Monitor API — Missing Ownership Enforcement on 7 Endpoints”
“Aliases: CVE-2026-55447, PYSEC-2026-378 Langflow: BaseFileComponent-based nodes arbitrary file read with RCE exploit”
“Aliases: CVE-2026-55255, PYSEC-2026-221 Langflow: IDOR Vulnerability in `/api/v1/responses` Endpoint Allows Authenticated Attackers to Access Another User's Flow”
“Aliases: CVE-2026-55446, PYSEC-2026-223 Langflow: Unauthenticated DoS through multipart form boundary file upload”
“Aliases: CVE-2026-48520, PYSEC-2026-244 Langflow: Unauthenticated Shareable Playground arbitrary local or S3 file read”
“Aliases: CVE-2026-48519, PYSEC-2026-243 Langflow: Unauthenticated RCE in Shareable Playgrounds”
“Aliases: CVE-2026-55450, PYSEC-2026-224 Langflow: Unauthenticated file upload leads to DoS (space exhaustion) and information leak”
“Aliases: CVE-2026-55255, GHSA-qrpv-q767-xqq2 Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to 1.9.2, an Insecure Direct Object Reference (IDOR) vulnerability in /api/v1/responses endpoint allows an authenticated attacker to execute any flow...”
“Aliases: CVE-2026-55423, GHSA-7hw8-6q6r-4276 Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to 1.7.0, the logout button does not clear the session. The previous user stays logged in unless another user explicitly...”
“Aliases: CVE-2026-55446, GHSA-qwqc-p3q8-wcg9 Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to 1.0.19, an attacker can send a /api/v1/files/upload/ request without any authentication token/cookies and abuse a very long multipart form...”
“Aliases: CVE-2026-55450, GHSA-x223-p2gf-v735 Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to 1.9.1, unauthenticated users can upload any amount of data to the server without any limitations. No need for any...”
“Aliases: CVE-2026-33760, GHSA-9c59-2mvc-vfr8 Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to 1.9.0, Langflow's /api/v1/monitor router exposes 7 endpoints that perform read, write, and delete operations on user-owned resources — messages,...”
“Aliases: CVE-2026-48519, GHSA-v5ff-9q35-q26f Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to 1.9.2, the "Shareable Playground" (or "Public Flows" in code) contains a critical RCE vulnerability. Shareable Playground feature works by...”
“Aliases: CVE-2026-48520, GHSA-rcjh-r59h-gq37 Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to 1.10.0, the "Shareable Playground" (or "Public Flows" in code) contains a potential arbitrary file-read vulnerability, depending on the exact...”
“Aliases: CVE-2026-27966, GHSA-3645-fxcv-hqr4 Langflow has Remote Code Execution in CSV Agent”
“Aliases: CVE-2026-42048, GHSA-9whx-c884-c68q Langflow Knowledge Bases API is Vulnerable to Path Traversal”
“Aliases: CVE-2026-55447, GHSA-ccv6-r384-xp75 Langflow: BaseFileComponent-based nodes arbitrary file read with RCE exploit”
“Aliases: CVE-2026-33017, GHSA-vwmf-pq79-vjvx Unauthenticated Remote Code Execution in Langflow via Public Flow Build Endpoint”