Submission #791921: Langflow <= 1.8.3 CWE-311: Missing Encryption of Sensitive Data

Title: Langflow <= 1.8.3 CWE-311: Missing Encryption of Sensitive Data
Description:

# Technical Details

An insecure data storage vulnerability exists in Langflow. The application fails to encrypt sensitive authentication credentials provided during project creation, storing them in plaintext within the database. Two architectural flaws contribute to this issue:

1. The project creation endpoint skips the encryption step entirely for the `auth_settings` parameter.
2. The encryption mechanism itself uses a hardcoded allowlist (`SENSITIVE_FIELDS = ["oauth_client_secret", "api_key"]`). Any other non-standard sensitive field (e.g., `db_password`, `secret_token`) bypasses encryption entirely, on every code path.

# Vulnerable Code

File: `src/backend/base/langflow/api/v1/projects.py`, `src/backend/base/langflow/services/auth/mcp_encryption.py`

Method: `create_project()` / `encrypt_auth_settings()`

Why: In `projects.py`, newly created Folder objects are committed directly to the database session without invoking any encryption routine on the `auth_settings` dictionary. Additionally, `encrypt_auth_settings` in `mcp_encryption.py` is restricted to two hardcoded field names, ignoring all other customary sensitive keys.

# Reproduction

1. An authenticated user creates a new project using the `POST /api/v1/projects/` endpoint, passing a JSON body such as `{"name":"TestInsecure", "auth_settings":{"db_password":"SECRET123"}}`.
2. The backend commits this data to the database in plaintext.
3. Any user retrieving the project using `GET /api/v1/projects/<id>` receives the exact plaintext response `{"auth_settings": {"db_password": "SECRET123"}}`.

# Impact

- High-severity information leak: all credentials stored under unrecognized keys (or via the initial creation endpoint) remain fully exposed.
- A database compromise immediately leaks plaintext API keys and downstream infrastructure passwords to attackers.
Source: https://gist.github.com/chenhouser2025/77adb3486c06c635ae4b09a3eaf90213
User: Eric-f (UID 96873)
Submission: 28/03/2026 02:43 PM (23 days ago)
Moderation: 19/04/2026 03:47 PM (22 days later)
Status: Accepted
VulDB Entry: 358233 [langflow-ai langflow up to 1.8.3 Project Creation Endpoint projects.py create_project/encrypt_auth_settings information disclosure]
Points: 20
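To make the two flaws in the description concrete, here is an added Python model (not Langflow's code) contrasting the hardcoded allowlist quoted in the report with a key-pattern policy, plus a check that flags credential-looking keys stored unchanged. The `SENSITIVE_PATTERN`, `stand_in_encrypt` and `store_project` names are assumptions for this example; the stand-in "encryption" is only a reversible marker so the example runs offline.

```python
"""Allowlist-only vs. pattern-based selection of fields to encrypt.
Constructed example; function and pattern names are assumptions, not Langflow's."""
import base64
import re
from typing import Callable, Optional

# Hardcoded allowlist quoted in the report: only these keys are ever encrypted.
SENSITIVE_FIELDS = ["oauth_client_secret", "api_key"]

# Assumed hardened policy: any key that looks like a credential is encrypted.
SENSITIVE_PATTERN = re.compile(r"(secret|password|passwd|token|api_key|credential)", re.I)


def stand_in_encrypt(value: str) -> str:
    # Stand-in so the example runs offline; base64 is NOT encryption.
    return "enc:" + base64.b64encode(value.encode()).decode()


def encrypt_allowlist(settings: dict, encrypt: Callable[[str], str] = stand_in_encrypt) -> dict:
    """Models the reported behaviour: only allowlisted keys are protected."""
    return {k: encrypt(v) if k in SENSITIVE_FIELDS else v for k, v in settings.items()}


def encrypt_by_pattern(settings: dict, encrypt: Callable[[str], str] = stand_in_encrypt) -> dict:
    """Hardened policy: encrypt every string value whose key matches the pattern."""
    return {k: encrypt(v) if isinstance(v, str) and SENSITIVE_PATTERN.search(k) else v
            for k, v in settings.items()}


def store_project(auth_settings: dict, encrypt_settings: Optional[Callable[[dict], dict]]) -> dict:
    """Models the create path. encrypt_settings=None is the reported bug: the
    encryption step is skipped and the dict is persisted as received."""
    return dict(auth_settings) if encrypt_settings is None else encrypt_settings(auth_settings)


def plaintext_leaks(submitted: dict, stored: dict) -> list:
    """Detection check: credential-looking keys whose stored value equals the input."""
    return [k for k, v in submitted.items()
            if isinstance(v, str) and SENSITIVE_PATTERN.search(k) and stored.get(k) == v]


if __name__ == "__main__":
    body = {"db_password": "SECRET123", "api_key": "k-1", "region": "eu"}
    print(plaintext_leaks(body, store_project(body, None)))                 # both keys leak
    print(plaintext_leaks(body, store_project(body, encrypt_allowlist)))    # db_password leaks
    print(plaintext_leaks(body, store_project(body, encrypt_by_pattern)))   # nothing leaks
```

Running `plaintext_leaks` against rows read back from the projects table is a quick audit for the same class of issue in a deployment.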
