| Название | Langflow <= 1.8.3 CWE-311: Missing Encryption of Sensitive Data |
|---|
| Описание | # Technical Details
An insecure data storage vulnerability exists in Langflow. The application fails to encrypt sensitive authentication credentials provided during project creation, storing them in plaintext within the database.
Two architectural flaws contribute to this issue:
1. The project creation endpoint skips the encryption step entirely for the `auth_settings` parameter.
2. The encryption mechanism itself utilizes a hardcoded allowlist (`SENSITIVE_FIELDS = ["oauth_client_secret", "api_key"]`). Any other non-standard sensitive fields (e.g., `db_password`, `secret_token`) bypass encryption universally.
# Vulnerable Code
File: `src/backend/base/langflow/api/v1/projects.py`, `src/backend/base/langflow/services/auth/mcp_encryption.py`
Method: `create_project()` / `encrypt_auth_settings()`
Why: In `projects.py`, newly created Folder objects are committed directly to the database session without invoking any encryption routines on the `auth_settings` dictionary. Additionally, `encrypt_auth_settings` in `mcp_encryption.py` is restricted to two hardcoded field names, ignoring all other customary sensitive keys.
# Reproduction
1. An authenticated user creates a new project using the `POST /api/v1/projects/` endpoint, passing a JSON body such as `{"name":"TestInsecure", "auth_settings":{"db_password":"SECRET123"}}`.
2. The backend commits this data to the database in plaintext.
3. Any user retrieving the project using `GET /api/v1/projects/<id>` receives the exact plain-text response `{"auth_settings": {"db_password": "SECRET123"}}`.
# Impact
- High-severity Information Leak: All credentials stored under unrecognized keys (or via the initial creation endpoint) remain fully exposed.
- Database compromise immediately leaks plaintext API keys and downstream infrastructure passwords to attackers.
|
|---|
| Источник | ⚠️ https://gist.github.com/chenhouser2025/77adb3486c06c635ae4b09a3eaf90213 |
|---|
| Пользователь | Eric-f (UID 96873) |
|---|
| Представление | 28.03.2026 14:43 (23 дни назад) |
|---|
| Модерация | 19.04.2026 15:47 (22 days later) |
|---|
| Статус | принято |
|---|
| Запись VulDB | 358233 [langflow-ai langflow до 1.8.3 Project Creation Endpoint projects.py create_project/encrypt_auth_settings раскрытие информации] |
|---|
| Баллы | 20 |
|---|