CVE-2026-33760 in langflow
Summary
by MITRE • 06/23/2026
Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to 1.9.0, Langflow's /api/v1/monitor router exposes 7 endpoints that perform read, write, and delete operations on user-owned resources — messages, sessions, build artifacts, and LLM transaction logs — without verifying that the authenticated requester owns the targeted resource. Any authenticated user can read, modify, rename, or permanently delete another user's data by supplying the target's resource ID or flow_id. This is a classic IDOR/BOLA vulnerability. Notably, the same source file (monitor.py) contains one correctly-implemented endpoint that uses an ownership check, demonstrating the correct pattern was known but inconsistently applied. This vulnerability is fixed in 1.9.0.
Analysis
by VulDB Data Team • 06/24/2026
The vulnerability identified in Langflow versions prior to 1.9.0 represents a critical authorization flaw that undermines the integrity of user data isolation within the platform's API ecosystem. This issue manifests through the /api/v1/monitor router which exposes seven distinct endpoints designed to manage user-owned resources including messages, sessions, build artifacts, and LLM transaction logs. The fundamental flaw lies in the complete absence of ownership verification mechanisms when processing requests for these sensitive operations. Authentication tokens are accepted but not validated against resource ownership, creating an environment where any authenticated user can execute read, write, or delete operations on resources belonging to other users through simple manipulation of target identifiers.
This vulnerability follows a well-established pattern recognized in cybersecurity literature as IDOR (Insecure Direct Object Reference) and more specifically BOLA (Broken Object Level Authorization) as classified by the OWASP Top Ten. The affected endpoints lack the access control checks that should verify whether the authenticated user is authorized to perform operations on the specified resource identifier or flow_id. Because the system trusts submitted identifiers and applies no authorization gate, attackers can exploit that trust. The vulnerability is particularly concerning because it affects multiple resource types within a single API router, amplifying the potential impact of unauthorized access across different data domains.
The operational implications of this vulnerability extend beyond simple data theft to encompass complete data manipulation capabilities that can result in permanent data loss, information disclosure, and potential system compromise. An attacker could systematically enumerate resources by attempting to access various identifiers, potentially discovering and accessing sensitive user data including conversations, session information, build artifacts, and transaction logs that may contain confidential information. This vulnerability essentially eliminates the concept of user isolation within the platform, allowing unauthorized users to perform destructive operations such as renaming or permanently deleting critical data assets. The impact is particularly severe given that Langflow operates as a platform for AI-powered agents and workflows where these resources often contain proprietary information or sensitive operational data.
The vulnerability's resolution in version 1.9.0 demonstrates that the development team was aware of the correct implementation pattern, as evidenced by the presence of a single correctly-implemented endpoint within the same source file monitor.py. This inconsistency in implementation highlights a broader security awareness gap within the codebase and suggests that proper access control mechanisms were understood but not consistently applied across all endpoints. The fix likely involved implementing ownership verification checks for each of the vulnerable endpoints, ensuring that requests are validated against the authenticated user's ownership of the target resource before executing any operations. This incident aligns with ATT&CK framework techniques related to privilege escalation and credential access, where unauthorized users gain elevated privileges through improper access control implementations.
Security best practices dictate that all API endpoints handling user data should implement proper authorization checks, following principles such as least privilege and least authority. The vulnerability represents a failure in the authorization layer that could have been prevented through systematic code review processes, security testing protocols, and adherence to established secure coding guidelines. Organizations utilizing Langflow should immediately upgrade to version 1.9.0 or later and conduct comprehensive audits of their API endpoints to identify similar authorization gaps. The incident also underscores the importance of implementing consistent security controls across all application components rather than treating security as an afterthought, particularly when dealing with multi-tenant platforms where user data isolation is paramount for maintaining trust and regulatory compliance.
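An added example (not Langflow's code and not from the advisory) of the ownership check described above next to the unscoped form, together with the two-user regression check an endpoint audit would run. The schema, user names and function names are assumptions made for illustration.

```python
import sqlite3

# Constructed schema and rows; table and column names are assumptions for
# illustration, not Langflow's actual data model.
def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE flow (id TEXT PRIMARY KEY, user_id TEXT NOT NULL);
        CREATE TABLE message (id TEXT PRIMARY KEY, flow_id TEXT NOT NULL, text TEXT);
        INSERT INTO flow VALUES ('flow-a', 'alice'), ('flow-b', 'bob');
        INSERT INTO message VALUES ('m1', 'flow-a', 'alice note'),
                                   ('m2', 'flow-b', 'bob note');
    """)
    return db

def delete_message_unscoped(db, current_user, message_id):
    """Pre-fix shape: the caller is authenticated, but the row is selected
    by its identifier alone, so ownership never enters the query."""
    cur = db.execute("DELETE FROM message WHERE id = ?", (message_id,))
    return cur.rowcount

def delete_message_scoped(db, current_user, message_id):
    """Hardened shape: the row must belong to a flow owned by the caller.
    A foreign id matches nothing, which an API would report as 404."""
    cur = db.execute(
        "DELETE FROM message WHERE id = ? AND flow_id IN "
        "(SELECT id FROM flow WHERE user_id = ?)",
        (message_id, current_user),
    )
    return cur.rowcount

def cross_user_audit(handlers):
    """Regression check: for each handler, act as 'alice' on bob's message
    and on her own; report handlers that let the foreign write through."""
    findings = {}
    for name, handler in handlers.items():
        db = make_db()
        foreign = handler(db, "alice", "m2")   # bob's row
        own = handler(db, "alice", "m1")       # alice's row
        findings[name] = {"foreign_rows": foreign, "own_rows": own,
                          "isolated": foreign == 0 and own == 1}
    return findings

if __name__ == "__main__":
    report = cross_user_audit({"unscoped": delete_message_unscoped,
                               "scoped": delete_message_scoped})
    for name, result in report.items():
        print(name, result)
```

The same two-user check, run against every read, update and delete handler of a router, surfaces the inconsistency the advisory describes: handlers that pass share the ownership predicate, and handlers that fail select by identifier only.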