2026-06-24 · LANGFLOW · security risk
meddown


Between June 16-19, 2026, several OSV advisories published critical vulnerabilities affecting Langflow, a Python package for building LLM applications.


signal brief

Between June 16-19, 2026, several OSV advisories published critical vulnerabilities affecting Langflow, a Python package for building LLM applications. The advisories include path traversal (GHSA-79ph-745m-6wxq, CVE-2026-42867), IDOR/BOLA in the Monitor API (GHSA-9c59-2mvc-vfr8, CVE-2026-33760), arbitrary file read with RCE (GHSA-ccv6-r384-xp75, CVE-2026-55447), IDOR in the responses endpoint (GHSA-qrpv-q767-xqq2, CVE-2026-55255), unauthenticated DoS through multipart upload (GHSA-qwqc-p3q8-wcg9, CVE-2026-55446), unauthenticated S3 file read (GHSA-rcjh-r59h-gq37, CVE-2026-48520), unauthenticated RCE in Shareable Playgrounds (GHSA-v5ff-9q35-q26f, CVE-2026-48519), and unauthenticated DoS/file leak (GHSA-x223-p2gf-v735, CVE-2026-55450). Additionally, a logout session clearing issue was reported (GHSA-7hw8-6q6r-4276, CVE-2026-55423). Alongside these disclosures, Langflow released stable version 1.10.1 on June 23 and multiple dev releases (1.11.0.dev11-17) between June 18-24, suggesting active remediation. However, the cumulative security flaws erode trust in the tool and may drive users to seek alternatives, which would negatively impact Langflow's adoption in enterprise AI-infra pipelines.

evidence

Decision support, not stock advice. This signal is research with cited evidence — not a recommendation to buy, sell, or hold any security.