| tiêu đề | Langflow <= 1.8.3 CWE-311: Missing Encryption of Sensitive Data |
|---|
| Mô tả | # Technical Details
An insecure data storage vulnerability exists in Langflow. The application fails to encrypt sensitive authentication credentials provided during project creation, storing them in plaintext within the database.
Two architectural flaws contribute to this issue:
1. The project creation endpoint skips the encryption step entirely for the `auth_settings` parameter.
2. The encryption mechanism itself utilizes a hardcoded allowlist (`SENSITIVE_FIELDS = ["oauth_client_secret", "api_key"]`). Any other non-standard sensitive fields (e.g., `db_password`, `secret_token`) bypass encryption universally.
# Vulnerable Code
File: `src/backend/base/langflow/api/v1/projects.py`, `src/backend/base/langflow/services/auth/mcp_encryption.py`
Method: `create_project()` / `encrypt_auth_settings()`
Why: In `projects.py`, newly created Folder objects are committed directly to the database session without invoking any encryption routines on the `auth_settings` dictionary. Additionally, `encrypt_auth_settings` in `mcp_encryption.py` is restricted to two hardcoded field names, ignoring all other customary sensitive keys.
# Reproduction
1. An authenticated user creates a new project using the `POST /api/v1/projects/` endpoint, passing a JSON body such as `{"name":"TestInsecure", "auth_settings":{"db_password":"SECRET123"}}`.
2. The backend commits this data to the database in plaintext.
3. Any user retrieving the project using `GET /api/v1/projects/<id>` receives the exact plain-text response `{"auth_settings": {"db_password": "SECRET123"}}`.
# Impact
- High-severity Information Leak: All credentials stored under unrecognized keys (or via the initial creation endpoint) remain fully exposed.
- Database compromise immediately leaks plaintext API keys and downstream infrastructure passwords to attackers.
|
|---|
| Nguồn | ⚠️ https://gist.github.com/chenhouser2025/77adb3486c06c635ae4b09a3eaf90213 |
|---|
| Người dùng | Eric-f (UID 96873) |
|---|
| Đệ trình | 28/03/2026 14:43 (cách đây 23 ngày) |
|---|
| Kiểm duyệt | 19/04/2026 15:47 (22 days later) |
|---|
| Trạng thái | được chấp nhận |
|---|
| Mục VulDB | 358233 [langflow-ai langflow đến 1.8.3 Project Creation Endpoint projects.py create_project/encrypt_auth_settings tiết lộ thông tin] |
|---|
| điểm | 20 |
|---|