langflow: /profile_pictures/{folder_name}/{file_name} endpoint file reading

## Vulnerability ### Path Traversal in `GET /api/v1/files/profile_pictures/{folder_name}/{file_name}` The `download_profile_picture` function in `src/backend/base/langflow/api/v1/files.py` constructed file paths by directly concatenating the user-supplied `folder_name` and `file_name` path parameters without sanitization or boundary validation. The resulting path was passed to the filesystem without verifying it remained within the intended directory. An unauthenticated attacker could supply

langflow has Unauthenticated IDOR on Image Downloads

### Summary The `/api/v1/files/images/{flow_id}/{file_name}` endpoint serves image files without any authentication or ownership check. Any unauthenticated request with a known flow_id and file_name returns the image with HTTP 200. ### Details `src/backend/base/langflow/api/v1/files.py:138-164` — `download_image` takes `flow_id`: UUID as a bare path parameter with no Depends(get_flow) or `CurrentActiveUser`. All other file routes (`download_file`, `upload_file`, `list_files`, `delete_file`) use

Langflow has an Arbitrary File Write (RCE) via v2 API

### Summary While reviewing the recent patch for **CVE-2025-68478** (External Control of File Name in v1.7.1), I discovered that the root architectural issue within `LocalStorageService` remains unresolved. Because the underlying storage layer lacks boundary containment checks, the system relies entirely on the HTTP-layer `ValidatedFileName` dependency. This defense-in-depth failure leaves the `POST /api/v2/files/` endpoint vulnerable to Arbitrary File Write. The multipart upload filename bypa

Langflow is Missing Ownership Verification in API Key Deletion (IDOR)

**Detection Method:** Kolega.dev Deep Code Scan | Attribute | Value | |---|---| | Location | src/backend/base/langflow/api/v1/api_key.py:44-53 | | Practical Exploitability | High | | Developer Approver | faizan@kolega.ai | ### Description The delete_api_key_route() endpoint accepts an api_key_id path parameter and deletes it with only a generic authentication check (get_current_active_user dependency). However, the delete_api_key() CRUD function does NOT verify that the API key belongs to the

Unauthenticated Remote Code Execution in Langflow via Public Flow Build Endpoint

## Summary The `POST /api/v1/build_public_tmp/{flow_id}/flow` endpoint allows building public flows without requiring authentication. When the optional `data` parameter is supplied, the endpoint uses **attacker-controlled flow data** (containing arbitrary Python code in node definitions) instead of the stored flow data from the database. This code is passed to `exec()` with zero sandboxing, resulting in unauthenticated remote code execution. This is distinct from CVE-2025-3248, which fixed `/a

Langflow has Remote Code Execution in CSV Agent

# 1. Summary The CSV Agent node in Langflow hardcodes `allow_dangerous_code=True`, which automatically exposes LangChain’s Python REPL tool (`python_repl_ast`). As a result, an attacker can execute arbitrary Python and OS commands on the server via prompt injection, leading to full Remote Code Execution (RCE). # 2. Description ## 2.1 Intended Functionality When building a flow such as *ChatInput → CSVAgent → ChatOutput*, users can attach an LLM and specify a CSV file path. The CSV Agent the

Langflow affected by Remote Code Execution via validate_code() exec()

Langflow exec_globals Inclusion of Functionality from Untrusted Control Sphere Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Langflow. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of the exec_globals parameter provided to the validate endpoint. The issue results from the inclusion of a resource from an untrusted control sphere. An attacker can le

Langflow Missing Authentication on Critical API Endpoints

### Summary Multiple critical API endpoints in Langflow are missing authentication controls, allowing any unauthenticated user to access sensitive user conversation data, transaction histories, and perform destructive operations including message deletion. This affects endpoints handling personal data and system operations that should require proper authorization. ### Details The vulnerability exists in three API endpoints within `src/backend/base/langflow/api/v1/monitor.py` that are missing th

External Control of File Name or Path in Langflow

**Vulnerability Overview** If an arbitrary path is specified in the request body's `fs_path`, the server serializes the Flow object into JSON and creates/overwrites a file at that path. There is no path restriction, normalization, or allowed directory enforcement, so absolute paths (e.g., /etc/poc.txt) are interpreted as is. **Vulnerable Code** 1. It receives the request body (flow), updates the DB, and then passes it to the file-writing sink. https://github.com/langflow-ai/langflow/

Langflow vulnerable to Server-Side Request Forgery

**Vulnerability Overview** Langflow provides an API Request component that can issue arbitrary HTTP requests within a flow. This component takes a user-supplied URL, performs only normalization and basic format checks, and then sends the request using a server-side httpx client. It does not block private IP ranges (127.0.0.1, the 10/172/192 ranges) or cloud metadata endpoints (169.254.169.254), and it returns the response body as the result. Because the flow execution endpoints (/api/v1/run,

Langflow CORS misconfiguration enables Account Takeover and RCE

Langflow versions up to and including 1.6.9 contain a chained vulnerability that enables account takeover and remote code execution. An overly permissive CORS configuration (allow_origins='*' with allow_credentials=True) combined with a refresh token cookie configured as SameSite=None allows a malicious webpage to perform cross-origin requests that include credentials and successfully call the refresh endpoint. An attacker-controlled origin can therefore obtain fresh access_token / refresh_token

Langflow Vulnerable to Privilege Escalation via CLI Superuser Creation (Post-RCE)

This vulnerability was discovered by researchers at **Check Point**. We are sharing this report as part of a responsible disclosure process and are happy to assist in validation and remediation if needed. ### Summary A privilege escalation vulnerability exists in Langflow containers where an authenticated user with RCE access can invoke the internal CLI command **langflow superuser** to create a new administrative user. This results in full superuser access, even if the user initially registere

PYSEC-2025-36

Langflow versions prior to 1.3.0 are susceptible to code injection in the /api/v1/validate/code endpoint. A remote and unauthenticated attacker can send crafted HTTP requests to execute arbitrary code.

Langflow vulnerable to remote code execution

langflow <=1.0.18 is vulnerable to Remote Code Execution (RCE) as any component provided the code functionality and the components run on the local machine rather than in a sandbox.

langflow has vulnerability in PythonCodeTool component

langflow v1.0.12 was discovered to contain a remote code execution (RCE) vulnerability via the PythonCodeTool component.

Inefficient Regular Expression Complexity in langflow

A vulnerability classified as problematic was found in Langflow up to 1.0.18. Affected by this vulnerability is an unknown functionality of the file \src\backend\base\langflow\interface\utils.py of the component HTTP POST Request Handler. The manipulation of the argument remaining_text leads to inefficient regular expression complexity. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

PYSEC-2024-177

Langflow through 0.6.19 allows remote code execution if untrusted users are able to reach the "POST /api/v1/custom_component" endpoint and provide a Python script.