CVE-2026-33760 Overview
CVE-2026-33760 is a high-severity Insecure Direct Object Reference (IDOR) and Broken Object Level Authorization (BOLA) vulnerability in Langflow, an open-source tool for building and deploying AI-powered agents and workflows. The /api/v1/monitor router exposes seven endpoints that perform read, write, and delete operations on user-owned resources without verifying ownership. Any authenticated user can access another user's messages, sessions, build artifacts, and LLM transaction logs by supplying the target's resource ID or flow_id. The flaw is tracked as [CWE-639] and is fixed in Langflow 1.9.0.
Critical Impact
Authenticated users can read, modify, rename, or permanently delete other users' data across the Langflow monitor API, breaking tenant isolation in multi-user deployments.
Affected Products
- Langflow versions prior to 1.9.0
- Langflow /api/v1/monitor router endpoints
- Multi-tenant deployments exposing the Langflow API
Discovery Timeline
- 2026-06-23 - CVE-2026-33760 published to NVD
- 2026-06-24 - Last updated in NVD database
Technical Details for CVE-2026-33760
Vulnerability Analysis
The vulnerability resides in the monitor.py source file of the Langflow API. Seven endpoints in the /api/v1/monitor router accept a resource ID or flow_id directly from the requester. They perform read, update, rename, and delete operations against the referenced objects without confirming the caller owns the resource.
The affected objects include chat messages, session state, build artifacts, and large language model (LLM) transaction logs. An authenticated attacker only needs to enumerate or guess a victim's resource identifier to take action against that data. Because the operations include destructive verbs, the impact extends from confidentiality loss to integrity and availability damage.
Notably, the same monitor.py file contains one correctly-implemented endpoint that enforces an ownership check. This indicates the secure pattern was known to maintainers but applied inconsistently across the router.
Root Cause
The root cause is missing object-level authorization, classified under [CWE-639] Authorization Bypass Through User-Controlled Key. The handlers trust the requester-supplied resource identifier and do not cross-reference it against the authenticated user's identity before executing the database operation.
Attack Vector
An authenticated user sends an HTTP request to one of the seven vulnerable monitor endpoints, substituting another user's resource ID or flow_id in the path or query parameters. The Langflow API processes the request as if the caller were the legitimate owner. Exploitation requires only low-privilege credentials and no user interaction. See the GitHub Security Advisory for technical details on the affected handlers.
Detection Methods for CVE-2026-33760
Indicators of Compromise
- Requests to /api/v1/monitor/* endpoints where the supplied resource ID or flow_id does not belong to the authenticated user account
- Unexpected deletion or modification of messages, sessions, build artifacts, or LLM transaction logs
- High volumes of monitor API requests from a single user account enumerating sequential or random resource identifiers
Detection Strategies
- Correlate authenticated user IDs in API access logs against the owner of each flow_id or resource ID referenced in monitor router requests
- Alert on any monitor endpoint response that returns data tied to a different account than the requester
- Review audit logs for delete and rename operations on resources where the requester is not the recorded owner
Monitoring Recommendations
- Enable verbose API access logging on the Langflow service and forward logs to a centralized SIEM
- Baseline normal per-user activity rates against the /api/v1/monitor endpoints and alert on deviations
- Track failed and successful object access patterns across user boundaries to identify enumeration attempts
How to Mitigate CVE-2026-33760
Immediate Actions Required
- Upgrade Langflow to version 1.9.0 or later, which contains the official fix
- Audit existing monitor data for unauthorized modification or deletion since the vulnerable code was deployed
- Rotate API tokens and review user accounts on multi-tenant Langflow deployments
Patch Information
The vulnerability is fixed in Langflow 1.9.0. The patch applies the same ownership-check pattern already used by one correctly-implemented endpoint in monitor.py to all seven affected handlers. Refer to the Langflow GHSA-9c59-2mvc-vfr8 advisory for the official remediation details.
Workarounds
- Restrict network access to the Langflow API so only trusted single-tenant users can reach the /api/v1/monitor endpoints
- Deploy a reverse proxy or API gateway that enforces per-user authorization checks against resource identifiers before forwarding requests
- Limit Langflow accounts on shared instances until the upgrade to 1.9.0 is completed
# Configuration example: upgrade Langflow to the patched release
pip install --upgrade "langflow>=1.9.0"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

