提交 #791921: Langflow <= 1.8.3 CWE-311: Missing Encryption of Sensitive Data信息

标题	Langflow <= 1.8.3 CWE-311: Missing Encryption of Sensitive Data
描述	# Technical Details An insecure data storage vulnerability exists in Langflow. The application fails to encrypt sensitive authentication credentials provided during project creation, storing them in plaintext within the database. Two architectural flaws contribute to this issue: 1. The project creation endpoint skips the encryption step entirely for the `auth_settings` parameter. 2. The encryption mechanism itself utilizes a hardcoded allowlist (`SENSITIVE_FIELDS = ["oauth_client_secret", "api_key"]`). Any other non-standard sensitive fields (e.g., `db_password`, `secret_token`) bypass encryption universally. # Vulnerable Code File: `src/backend/base/langflow/api/v1/projects.py`, `src/backend/base/langflow/services/auth/mcp_encryption.py` Method: `create_project()` / `encrypt_auth_settings()` Why: In `projects.py`, newly created Folder objects are committed directly to the database session without invoking any encryption routines on the `auth_settings` dictionary. Additionally, `encrypt_auth_settings` in `mcp_encryption.py` is restricted to two hardcoded field names, ignoring all other customary sensitive keys. # Reproduction 1. An authenticated user creates a new project using the `POST /api/v1/projects/` endpoint, passing a JSON body such as `{"name":"TestInsecure", "auth_settings":{"db_password":"SECRET123"}}`. 2. The backend commits this data to the database in plaintext. 3. Any user retrieving the project using `GET /api/v1/projects/<id>` receives the exact plain-text response `{"auth_settings": {"db_password": "SECRET123"}}`. # Impact - High-severity Information Leak: All credentials stored under unrecognized keys (or via the initial creation endpoint) remain fully exposed. - Database compromise immediately leaks plaintext API keys and downstream infrastructure passwords to attackers.
来源	⚠️ https://gist.github.com/chenhouser2025/77adb3486c06c635ae4b09a3eaf90213
用户	Eric-f (UID 96873)
提交	2026-03-28 14時43分 (23 日前)
管理	2026-04-19 15時47分 (22 days later)
状态	已接受
VulDB条目	358233 [langflow-ai langflow 直到 1.8.3 Project Creation Endpoint projects.py create_project/encrypt_auth_settings 信息公开]
积分	20

◂ 上一步一览下一步 ▸

Interested in the pricing of exploits?

See the underground prices here!