Gửi #791920: Langflow <= 1.8.3 Information Disclosurethông tin

tiêu đề	Langflow <= 1.8.3 Information Disclosure
Mô tả	# Technical Details An Information Disclosure vulnerability exists in Langflow. The application fails to properly redact sensitive credentials when exporting flow JSON files due to flawed logic in the `remove_api_keys` utility. The application only strips values if the field is marked as `password=True` AND its name strictly contains "api" AND ("key" or "token"). If a sensitive field is just named `password`, `secret_value`, or `db_password`, the redaction logic is completely bypassed, leaking the plain-text secret. # Vulnerable Code File: `src/backend/base/langflow/api/utils/core.py` Method: `remove_api_keys()` and helper `has_api_terms()` Why: Custom or generic sensitive fields (like database passwords or unrelated secrets) that do not match the restrictive `has_api_terms` naming heuristic are ignored by the redactor, even if they are explicitly flagged with `password=True` in the schema. # Reproduction 1. An attacker (or regular user) creates a flow containing a sensitive field (e.g. named "password") with `password=True`. 2. The user stores a highly sensitive string such as "SUPER_SECRET_VALUE" in this field. 3. The user downloads the flow using the API (`POST /api/v1/flows/download/`). 4. The downloaded JSON file reveals the raw plain-text secret "SUPER_SECRET_VALUE", as the `remove_api_keys` function wrongly decided to leave it intact. # Impact - Exposure of Sensitive Information: Database credentials, third-party service secrets, and other confidential data are leaked in exported JSON files. - Unauthorized actors gaining access to these flow exports can extract plaintext credentials and pivot to attack integrated external infrastructure.
Nguồn	⚠️ https://gist.github.com/chenhouser2025/b93261c6e651f14800a4f2e4365f357b
Người dùng	Eric-d (UID 96861)
Đệ trình	28/03/2026 14:36 (cách đây 23 ngày)
Kiểm duyệt	19/04/2026 15:47 (22 days later)
Trạng thái	được chấp nhận
Mục VulDB	358232 [langflow-ai langflow đến 1.8.3 Flow Using API core.py remove_api_keys/has_api_terms nâng cao đặc quyền]
điểm	20

◂ Trước Tổng Quan Tiếp theo ▸

Want to know what is going to be exploited?

We predict KEV entries!