CVE-2026-21445 Overview
Langflow, a popular tool for building and deploying AI-powered agents and workflows, contains a critical missing authentication vulnerability in multiple API endpoints. Prior to version 1.7.0.dev45, the application fails to enforce authentication controls on sensitive API endpoints, allowing unauthenticated attackers to access private user conversation data, transaction histories, and perform destructive operations including message deletion.
Critical Impact
Unauthenticated attackers can remotely access sensitive user data, view conversation histories, and delete messages without any authorization, compromising the confidentiality and integrity of AI workflow deployments.
Affected Products
- Langflow versions prior to 1.7.0.dev45
- Langflow API endpoints handling user conversations and transactions
- Langflow deployments with network-exposed API services
Discovery Timeline
- 2026-01-02 - CVE-2026-21445 published to NVD
- 2026-01-08 - Last updated in NVD database
Technical Details for CVE-2026-21445
Vulnerability Analysis
This vulnerability is classified as CWE-306 (Missing Authentication for Critical Function). The flaw exists because multiple critical API endpoints in Langflow were implemented without proper authentication middleware. Attackers can exploit this by sending direct HTTP requests to these unprotected endpoints from anywhere on the network, bypassing the intended authentication flow entirely.
The vulnerability affects endpoints responsible for handling personal data and system operations. An unauthenticated attacker can access sensitive user conversation data stored within Langflow workflows, view transaction histories that may contain confidential business logic or AI prompt data, and perform destructive operations such as message deletion that could disrupt ongoing workflows and compromise data integrity.
Root Cause
The root cause of this vulnerability is that the authentication dependency (enforced through FastAPI's dependency injection) was never attached to critical API routes. The affected endpoints in the log router and chat modules were missing the get_current_active_user dependency that enforces authentication before a request is processed. Without this dependency on a route, FastAPI dispatches every incoming request to the handler regardless of authentication status.
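The missing-dependency defect described above is easy to regress into and easy to check for statically. The following is an added example, not Langflow's code or part of the fix: it parses FastAPI route source with the standard library's ast module and reports handlers whose decorator and signature never reference Depends(get_current_active_user). The sample source, its handler names and route paths are constructed for illustration.

```python
import ast

AUTH_DEP = "get_current_active_user"
HTTP_METHODS = {"get", "post", "put", "patch", "delete"}

# Constructed sample: one unprotected handler (the CWE-306 pattern) and two fixed ones.
SAMPLE_SOURCE = '''
@router.get("/messages/{flow_id}")
async def get_messages(flow_id: str):
    return []

@router.delete("/messages/{message_id}")
async def delete_message(message_id: str,
                         current_user: Annotated[User, Depends(get_current_active_user)]):
    return None

@router.get("/logs", dependencies=[Depends(get_current_active_user)])
async def get_logs():
    return []
'''


def _has_auth_dependency(node: ast.AST) -> bool:
    """True if a Depends(get_current_active_user) call appears anywhere under node."""
    for sub in ast.walk(node):
        if isinstance(sub, ast.Call) and getattr(sub.func, "id", None) == "Depends":
            if any(getattr(arg, "id", None) == AUTH_DEP for arg in sub.args):
                return True
    return False


def find_unauthenticated_routes(source: str) -> list[tuple[str, str]]:
    """Return (HTTP method, handler name) for route handlers with no auth dependency."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef)):
            continue
        for deco in node.decorator_list:
            # Only decorators of the form @<router>.<method>(...) register a route.
            if not (isinstance(deco, ast.Call) and isinstance(deco.func, ast.Attribute)):
                continue
            if deco.func.attr not in HTTP_METHODS:
                continue
            # The guard may live in the decorator (dependencies=[...]) or in the signature.
            if _has_auth_dependency(deco) or _has_auth_dependency(node.args):
                continue
            findings.append((deco.func.attr.upper(), node.name))
    return findings
```

Running find_unauthenticated_routes over a router module in CI turns the missing dependency into a failing build instead of an exposed endpoint.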
Attack Vector
This vulnerability is exploitable over the network with no authentication required and no user interaction necessary. An attacker with network access to a Langflow deployment can craft HTTP requests directly to the vulnerable endpoints. The attack requires no special privileges and has low complexity, making it highly accessible to attackers. Successful exploitation results in unauthorized access to confidential conversation data and the ability to manipulate or delete stored messages.
# Security patch in src/backend/base/langflow/api/log_router.py
# Source: https://github.com/langflow-ai/langflow/commit/3fed9fe1b5658f2c8656dbd73508e113a96e486a
from http import HTTPStatus
from typing import Annotated, Any
-from fastapi import APIRouter, HTTPException, Query, Request
+from fastapi import APIRouter, Depends, HTTPException, Query, Request
from fastapi.responses import JSONResponse, StreamingResponse
from lfx.log.logger import log_buffer
+from langflow.services.auth.utils import get_current_active_user
+
log_router = APIRouter(tags=["Log"])
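Review bot: this hunk only adds the `Depends` and `get_current_active_user` imports; the change that actually closes CWE-306, attaching `Depends(get_current_active_user)` to each route registered on `log_router` (as a handler parameter or via `dependencies=[...]` on the decorator), lies outside the excerpt. A reviewer should confirm every log route received it, since an unused import leaves the endpoints exactly as exposed as before.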
# Security patch in src/backend/base/langflow/api/v1/chat.py
# Source: https://github.com/langflow-ai/langflow/commit/3fed9fe1b5658f2c8656dbd73508e113a96e486a
VerticesOrderResponse,
)
from langflow.exceptions.component import ComponentBuildError
+from langflow.services.auth.utils import get_current_active_user
from langflow.services.chat.service import ChatService
from langflow.services.database.models.flow.model import Flow
from langflow.services.deps import (
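Review bot: as with the log router, only the new import of `get_current_active_user` into chat.py is visible here, and `Depends` is not added in this hunk, so it must already be imported in this module. The message-retrieval and message-deletion handlers the advisory refers to are not shown; suggest verifying that each carries the dependency and adding a regression test that fails when any route on the chat router lacks it.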
Detection Methods for CVE-2026-21445
Indicators of Compromise
- Unusual API requests to Langflow endpoints from unauthenticated sources or unexpected IP addresses
- Access logs showing successful responses (HTTP 200) to sensitive endpoints without corresponding authentication events
- Unexpected deletion of conversation messages or transaction records
- Anomalous patterns of data retrieval from chat and log endpoints
Detection Strategies
- Monitor web server and application logs for requests to /api/v1/chat and log router endpoints that lack authentication tokens or session identifiers
- Implement network-level monitoring to detect reconnaissance activity targeting Langflow API endpoints
- Deploy web application firewalls (WAF) with rules to detect and block unauthenticated access attempts to sensitive API routes
- Review audit logs for bulk data access patterns or deletion operations that occur outside normal user activity windows
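The indicators and detection strategies above can be reduced to one concrete check over access logs. The following is an added example, not from the advisory or Langflow: it flags successful (2xx) requests to the sensitive routes that carried neither an Authorization header nor a session cookie, and summarises them per client, separating reads from DELETE operations. The log format, the "/api/v1/logs" prefix for the log router, and the sample lines are constructed assumptions.

```python
import re
from collections import Counter

# Path prefixes of the patched routers. "/api/v1/chat" is named in the advisory;
# "/api/v1/logs" is an assumed prefix for the log router.
SENSITIVE_PREFIXES = ("/api/v1/chat", "/api/v1/logs")

# Assumed combined-log format extended with two quoted fields: the Authorization
# header and the Cookie header ("-" when absent).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<auth>[^"]*)" "(?P<cookie>[^"]*)"$'
)

# Constructed sample: one authenticated read, one unauthenticated client reading and
# deleting, one rejected (401) request and one unrelated health check.
SAMPLE_LOG = """\
10.0.0.5 - - [02/Jan/2026:10:00:01 +0000] "GET /api/v1/chat/messages HTTP/1.1" 200 512 "Bearer <redacted>" "-"
198.51.100.7 - - [02/Jan/2026:10:00:04 +0000] "GET /api/v1/chat/messages HTTP/1.1" 200 4096 "-" "-"
198.51.100.7 - - [02/Jan/2026:10:00:05 +0000] "DELETE /api/v1/chat/messages/42 HTTP/1.1" 200 0 "-" "-"
198.51.100.7 - - [02/Jan/2026:10:00:06 +0000] "GET /api/v1/logs HTTP/1.1" 200 2048 "-" "-"
10.0.0.9 - - [02/Jan/2026:10:00:09 +0000] "GET /api/v1/chat/messages HTTP/1.1" 401 0 "-" "-"
10.0.0.9 - - [02/Jan/2026:10:00:10 +0000] "GET /health HTTP/1.1" 200 2 "-" "-"
"""


def find_unauthenticated_hits(log_text: str) -> list[dict]:
    """Return parsed entries where a sensitive route answered 2xx with no credential."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than abort the scan
        e = m.groupdict()
        if not e["path"].startswith(SENSITIVE_PREFIXES):
            continue
        if e["auth"] != "-" or e["cookie"] != "-":
            continue  # a credential was presented; the app made an auth decision
        if not e["status"].startswith("2"):
            continue  # rejected requests are noise here, not evidence of access
        hits.append(e)
    return hits


def summarize(hits: list[dict]) -> dict[str, Counter]:
    """Per-client counts, split into reads and destructive (DELETE) operations."""
    reads, deletes = Counter(), Counter()
    for e in hits:
        bucket = deletes if e["method"] == "DELETE" else reads
        bucket[e["ip"]] += 1
    return {"reads": reads, "deletes": deletes}
```

A non-empty deletes counter is the strongest signal: on an unpatched instance it means an unauthenticated client removed messages, which should trigger the audit of conversation data recommended under mitigation.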
Monitoring Recommendations
- Enable detailed access logging on all Langflow API endpoints and centralize logs for analysis
- Configure alerting for failed authentication attempts followed by successful endpoint access, which may indicate exploitation
- Establish baseline patterns for legitimate API usage to identify anomalous unauthenticated access attempts
- Implement real-time monitoring of data deletion events on conversation and transaction endpoints
How to Mitigate CVE-2026-21445
Immediate Actions Required
- Upgrade Langflow to version 1.7.0.dev45 or later immediately to apply the security patch
- If immediate upgrade is not possible, restrict network access to Langflow deployments using firewall rules or network segmentation
- Review access logs for signs of prior exploitation and investigate any suspicious unauthenticated access to sensitive endpoints
- Audit all conversation and transaction data for unauthorized access or unexpected deletions
Patch Information
The vulnerability has been addressed in Langflow version 1.7.0.dev45. The fix adds the get_current_active_user authentication dependency to the affected API endpoints, ensuring that every request is authenticated before it is processed. The security patch is available in the GitHub commit referenced above (3fed9fe1b5658f2c8656dbd73508e113a96e486a). Additional details can be found in the GitHub Security Advisory.
Workarounds
- Place Langflow deployments behind a reverse proxy that enforces authentication on every request before it reaches the application
- Implement IP allowlisting to restrict API access to trusted networks only
- Deploy a web application firewall (WAF) to block unauthenticated requests to sensitive endpoints
- Disable or remove network exposure for Langflow instances that do not require external access until patching is complete
# Example: Restrict Langflow API access using iptables
# Allow only a trusted network to reach the Langflow API port (7860 is the default)
# Rule order matters: the ACCEPT rule must be appended before the catch-all DROP
iptables -A INPUT -p tcp --dport 7860 -s 10.0.0.0/8 -j ACCEPT
iptables -A INPUT -p tcp --dport 7860 -j DROP
# These rules are not persistent; save them (e.g. with iptables-save) so they survive a reboot
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.