提交 #791920: Langflow <= 1.8.3 Information Disclosure信息

标题	Langflow <= 1.8.3 Information Disclosure
描述	# Technical Details An Information Disclosure vulnerability exists in Langflow. The application fails to properly redact sensitive credentials when exporting flow JSON files due to flawed logic in the `remove_api_keys` utility. The application only strips values if the field is marked as `password=True` AND its name strictly contains "api" AND ("key" or "token"). If a sensitive field is just named `password`, `secret_value`, or `db_password`, the redaction logic is completely bypassed, leaking the plain-text secret. # Vulnerable Code File: `src/backend/base/langflow/api/utils/core.py` Method: `remove_api_keys()` and helper `has_api_terms()` Why: Custom or generic sensitive fields (like database passwords or unrelated secrets) that do not match the restrictive `has_api_terms` naming heuristic are ignored by the redactor, even if they are explicitly flagged with `password=True` in the schema. # Reproduction 1. An attacker (or regular user) creates a flow containing a sensitive field (e.g. named "password") with `password=True`. 2. The user stores a highly sensitive string such as "SUPER_SECRET_VALUE" in this field. 3. The user downloads the flow using the API (`POST /api/v1/flows/download/`). 4. The downloaded JSON file reveals the raw plain-text secret "SUPER_SECRET_VALUE", as the `remove_api_keys` function wrongly decided to leave it intact. # Impact - Exposure of Sensitive Information: Database credentials, third-party service secrets, and other confidential data are leaked in exported JSON files. - Unauthorized actors gaining access to these flow exports can extract plaintext credentials and pivot to attack integrated external infrastructure.
来源	⚠️ https://gist.github.com/chenhouser2025/b93261c6e651f14800a4f2e4365f357b
用户	Eric-d (UID 96861)
提交	2026-03-28 14時36分 (23 日前)
管理	2026-04-19 15時47分 (22 days later)
状态	已接受
VulDB条目	358232 [langflow-ai langflow 直到 1.8.3 Flow Using API core.py remove_api_keys/has_api_terms 权限提升]
积分	20

◂ 上一步一览下一步 ▸

Interested in the pricing of exploits?

See the underground prices here!