Langflow Unchained: Open Gates and Path Traversals in the AI Pipeline
Jan 2, 2026·6 min read·10 visits
Executive Summary (TL;DR)
The Langflow dev team forgot to lock the front door. Critical API endpoints—including log streams and user creation—lacked authentication checks. Combined with a path traversal vulnerability in the profile picture handler, unauthenticated attackers could fully compromise the instance, steal OpenAI/Anthropic keys, and exfiltrate server files.
Langflow, a popular visual framework for building AI agents, shipped with critical endpoints completely exposed to unauthenticated users. This vulnerability allowed attackers to stream live application logs (leaking API keys), create administrative users, and read arbitrary files via directory traversal.
Official Patches
Fix Analysis (1)
Technical Appendix
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:PAffected Systems
Affected Versions Detail
| Product | Affected Versions | Fixed Version |
|---|---|---|
Langflow langflow-ai | < 1.7.0.dev45 | 1.7.0.dev45 |
| Attribute | Detail |
|---|---|
| CWE ID | CWE-306 (Missing Authentication) |
| Secondary CWE | CWE-22 (Path Traversal) |
| CVSS v4.0 | 8.8 (High) |
| Attack Vector | Network |
| Privileges Required | None |
| Impact | Critical (Data Leakage, RCE potential) |
MITRE ATT&CK Mapping
The software does not prove that a claim of identity is correct when that claim is used to execute a critical function.