提出 #791921: Langflow <= 1.8.3 CWE-311: Missing Encryption of Sensitive Data情報

タイトル	Langflow <= 1.8.3 CWE-311: Missing Encryption of Sensitive Data
説明	# Technical Details An insecure data storage vulnerability exists in Langflow. The application fails to encrypt sensitive authentication credentials provided during project creation, storing them in plaintext within the database. Two architectural flaws contribute to this issue: 1. The project creation endpoint skips the encryption step entirely for the `auth_settings` parameter. 2. The encryption mechanism itself utilizes a hardcoded allowlist (`SENSITIVE_FIELDS = ["oauth_client_secret", "api_key"]`). Any other non-standard sensitive fields (e.g., `db_password`, `secret_token`) bypass encryption universally. # Vulnerable Code File: `src/backend/base/langflow/api/v1/projects.py`, `src/backend/base/langflow/services/auth/mcp_encryption.py` Method: `create_project()` / `encrypt_auth_settings()` Why: In `projects.py`, newly created Folder objects are committed directly to the database session without invoking any encryption routines on the `auth_settings` dictionary. Additionally, `encrypt_auth_settings` in `mcp_encryption.py` is restricted to two hardcoded field names, ignoring all other customary sensitive keys. # Reproduction 1. An authenticated user creates a new project using the `POST /api/v1/projects/` endpoint, passing a JSON body such as `{"name":"TestInsecure", "auth_settings":{"db_password":"SECRET123"}}`. 2. The backend commits this data to the database in plaintext. 3. Any user retrieving the project using `GET /api/v1/projects/<id>` receives the exact plain-text response `{"auth_settings": {"db_password": "SECRET123"}}`. # Impact - High-severity Information Leak: All credentials stored under unrecognized keys (or via the initial creation endpoint) remain fully exposed. - Database compromise immediately leaks plaintext API keys and downstream infrastructure passwords to attackers.
ソース	⚠️ https://gist.github.com/chenhouser2025/77adb3486c06c635ae4b09a3eaf90213
ユーザー	Eric-f (UID 96873)
送信	2026年03月28日 14:43 (23 日 ago)
モデレーション	2026年04月19日 15:47 (22 days later)
ステータス	承諾済み
VulDBエントリ	358233 [langflow-ai langflow 迄 1.8.3 Project Creation Endpoint projects.py create_project/encrypt_auth_settings 情報漏えい]
ポイント	20

◂ 前概要次 ▸

Do you want to use VulDB in your project?

Use the official API to access entries easily!