Enviar #791920: Langflow <= 1.8.3 Information Disclosureinformación

Título	Langflow <= 1.8.3 Information Disclosure
Descripción	# Technical Details An Information Disclosure vulnerability exists in Langflow. The application fails to properly redact sensitive credentials when exporting flow JSON files due to flawed logic in the `remove_api_keys` utility. The application only strips values if the field is marked as `password=True` AND its name strictly contains "api" AND ("key" or "token"). If a sensitive field is just named `password`, `secret_value`, or `db_password`, the redaction logic is completely bypassed, leaking the plain-text secret. # Vulnerable Code File: `src/backend/base/langflow/api/utils/core.py` Method: `remove_api_keys()` and helper `has_api_terms()` Why: Custom or generic sensitive fields (like database passwords or unrelated secrets) that do not match the restrictive `has_api_terms` naming heuristic are ignored by the redactor, even if they are explicitly flagged with `password=True` in the schema. # Reproduction 1. An attacker (or regular user) creates a flow containing a sensitive field (e.g. named "password") with `password=True`. 2. The user stores a highly sensitive string such as "SUPER_SECRET_VALUE" in this field. 3. The user downloads the flow using the API (`POST /api/v1/flows/download/`). 4. The downloaded JSON file reveals the raw plain-text secret "SUPER_SECRET_VALUE", as the `remove_api_keys` function wrongly decided to leave it intact. # Impact - Exposure of Sensitive Information: Database credentials, third-party service secrets, and other confidential data are leaked in exported JSON files. - Unauthorized actors gaining access to these flow exports can extract plaintext credentials and pivot to attack integrated external infrastructure.
Fuente	⚠️ https://gist.github.com/chenhouser2025/b93261c6e651f14800a4f2e4365f357b
Usuario	Eric-d (UID 96861)
Sumisión	2026-03-28 14:36 (hace 23 días)
Moderación	2026-04-19 15:47 (22 days later)
Estado	Aceptado
Entrada de VulDB	358232 [langflow-ai langflow hasta 1.8.3 Flow Using API core.py remove_api_keys/has_api_terms escalada de privilegios]
Puntos	20

◂ Anterior Visión De Conjunto Próximo ▸

Do you need the next level of professionalism?

Upgrade your account now!