CVE-2026-34046 Overview
Langflow, a tool for building and deploying AI-powered agents and workflows, contains an Insecure Direct Object Reference (IDOR) vulnerability in its Flow API. Prior to version 1.5.1, the _read_flow helper function in src/backend/base/langflow/api/v1/flows.py failed to properly enforce ownership checks when authentication was enabled. This flaw allows any authenticated user to access, modify, or delete flows belonging to other users, including flows containing sensitive plaintext API keys.
Critical Impact
Authenticated attackers can read any user's flow data including embedded API keys, modify AI agent logic, and delete flows belonging to other users, potentially leading to data breaches, supply chain attacks on AI workflows, and denial of service.
Affected Products
- Langflow versions prior to 1.5.1
Discovery Timeline
- 2026-03-27 - CVE-2026-34046 published to NVD
- 2026-03-30 - Last updated in NVD database
Technical Details for CVE-2026-34046
Vulnerability Analysis
This vulnerability is classified as CWE-639: Authorization Bypass Through User-Controlled Key, commonly known as an Insecure Direct Object Reference (IDOR). The flaw exists in the flow retrieval logic within Langflow's backend API.
The _read_flow helper function was designed to branch based on the AUTO_LOGIN configuration setting to determine whether to filter database queries by user_id. However, when AUTO_LOGIN was set to False (meaning authentication was enabled), the code path failed to include an ownership verification check. As a result, database queries returned any flow matching the provided UUID regardless of the requesting user's ownership rights.
The vulnerability allows authenticated users to perform unauthorized operations on flows owned by other users. An attacker could leverage this to extract sensitive information such as plaintext API keys embedded in other users' flows, manipulate the logic of AI agents and workflows belonging to other users, or delete critical flows causing service disruption.
Root Cause
The root cause stems from flawed conditional logic intended to accommodate public or example flows (those with user_id = NULL) under auto-login mode. The developers implemented a branching condition based on the AUTO_LOGIN setting, but this inadvertently left the authenticated code path without proper ownership filtering. When authentication was enabled, the query simply matched flows by UUID without verifying that the requesting user owned the resource.
Attack Vector
This vulnerability is exploitable over the network by any authenticated user. The attack requires low privileges (valid user account) and no user interaction. An attacker would simply need to enumerate or guess valid flow UUIDs and make API requests to read, modify, or delete those flows. Since Langflow is used for AI agent and workflow management, compromised flows could contain sensitive API keys for external services, allowing attackers to pivot to additional systems.
The fix implemented in version 1.5.1 removes the AUTO_LOGIN conditional entirely and unconditionally scopes all flow queries to the requesting user's user_id, ensuring proper authorization regardless of the authentication configuration.
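An illustrative reconstruction of the flaw and its fix, added here and not Langflow's own code: the Flow model, the sample flows and the exact shape of the AUTO_LOGIN branch are assumptions based on the description above.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Flow:
    id: str
    user_id: Optional[str]  # None models a public/example flow (user_id = NULL)
    name: str


# Constructed sample data: one private flow per user plus a public example flow.
ALICE_FLOW = "11111111-1111-1111-1111-111111111111"
BOB_FLOW = "22222222-2222-2222-2222-222222222222"
PUBLIC_FLOW = "33333333-3333-3333-3333-333333333333"
FLOWS = [
    Flow(ALICE_FLOW, "alice", "alice-agent"),
    Flow(BOB_FLOW, "bob", "bob-agent"),
    Flow(PUBLIC_FLOW, None, "public-example"),
]


def read_flow_vulnerable(flow_id, user_id, auto_login):
    """Pre-1.5.1 shape as the advisory describes it (assumed reconstruction): the
    user_id filter lives only on the AUTO_LOGIN branch, so with authentication
    enabled (auto_login=False) the lookup matches on the UUID alone."""
    if auto_login:
        rows = [f for f in FLOWS if f.id == flow_id and f.user_id in (user_id, None)]
    else:
        rows = [f for f in FLOWS if f.id == flow_id]  # BUG: no ownership check
    return rows[0] if rows else None


def read_flow_fixed(flow_id, user_id):
    """1.5.1 shape: no AUTO_LOGIN branch; every lookup is scoped to the caller."""
    rows = [f for f in FLOWS if f.id == flow_id and f.user_id == user_id]
    return rows[0] if rows else None


def demo():
    """Report whether 'alice' can reach bob's flow on each code path."""
    leaked = read_flow_vulnerable(BOB_FLOW, "alice", auto_login=False)
    blocked = read_flow_fixed(BOB_FLOW, "alice")
    return leaked is not None, blocked is None


if __name__ == "__main__":
    print(demo())  # (True, True): vulnerable path leaks, fixed path refuses
```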
Detection Methods for CVE-2026-34046
Indicators of Compromise
- Unusual API access patterns to /api/v1/flows/{flow_id} endpoints with UUIDs not owned by the requesting user
- Audit log entries showing users accessing, modifying, or deleting flows that belong to other accounts
- Unexpected changes to AI workflow configurations or agent logic
- Reports of missing or modified flows from legitimate users
Detection Strategies
- Monitor authentication logs for users making requests to multiple flow UUIDs in rapid succession
- Implement anomaly detection on the Flow API endpoints to identify unauthorized access attempts
- Review database query logs for flow retrievals that do not include user_id filtering
- Enable detailed API request logging to capture flow access patterns per user
Monitoring Recommendations
- Deploy application-layer monitoring on Langflow API endpoints to detect IDOR exploitation attempts
- Establish baseline access patterns for flow operations and alert on deviations
- Implement real-time alerting for bulk flow enumeration activity
- Monitor for extraction of flow data containing API keys or sensitive configurations
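The cross-owner access and bulk-enumeration checks listed above, as an added example that is not part of Langflow: the access-log format, the ownership table and the sample log lines are constructed assumptions, and a deployment would join real request logs against the flow table instead.

```python
import re
from collections import defaultdict
from datetime import datetime

# Assumed ownership table (flow_id -> owner); a deployment reads this from the DB.
OWNERS = {
    "11111111-1111-1111-1111-111111111111": "alice",
    "22222222-2222-2222-2222-222222222222": "bob",
    "33333333-3333-3333-3333-333333333333": "bob",
}

# Constructed sample lines in an assumed "<timestamp> <user> <METHOD> <path> <status>" format.
LOG_LINES = """\
2026-03-28T10:00:00 alice GET /api/v1/flows/11111111-1111-1111-1111-111111111111 200
2026-03-28T10:00:05 alice GET /api/v1/flows/22222222-2222-2222-2222-222222222222 200
2026-03-28T10:00:06 alice DELETE /api/v1/flows/33333333-3333-3333-3333-333333333333 200
2026-03-28T10:00:07 alice GET /api/v1/flows/44444444-4444-4444-4444-444444444444 404
2026-03-28T10:05:00 bob GET /api/v1/flows/22222222-2222-2222-2222-222222222222 200
""".splitlines()

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<user>\S+) (?P<method>[A-Z]+) "
                     r"/api/v1/flows/(?P<flow_id>[0-9a-f-]{36})\S* (?P<status>\d{3})$")

def parse(lines):
    for line in lines:
        if m := LINE_RE.match(line):  # lines not in the assumed format are skipped
            rec = m.groupdict()
            rec["ts"] = datetime.fromisoformat(rec["ts"])
            yield rec

def cross_owner_access(lines, owners):
    """Successful requests (2xx) whose caller is not the flow's recorded owner."""
    return [(r["user"], r["method"], r["flow_id"]) for r in parse(lines)
            if r["status"].startswith("2")
            and owners.get(r["flow_id"]) not in (None, r["user"])]

def enumeration_bursts(lines, window_s=60, threshold=3):
    """Users that touch >= threshold distinct flow UUIDs within window_s seconds."""
    by_user = defaultdict(list)
    for r in parse(lines):
        by_user[r["user"]].append((r["ts"], r["flow_id"]))
    flagged = {}
    for user, events in by_user.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            ids = {fid for t, fid in events[i:] if (t - t0).total_seconds() <= window_s}
            if len(ids) >= threshold:
                flagged[user] = len(ids)
                break
    return flagged
```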
How to Mitigate CVE-2026-34046
Immediate Actions Required
- Upgrade Langflow to version 1.5.1 or later immediately
- Audit existing flows for any unauthorized modifications or access
- Rotate any API keys that were embedded in Langflow flows
- Review access logs to identify potential exploitation of this vulnerability
Patch Information
The vulnerability was addressed in Langflow version 1.5.1. The fix removes the AUTO_LOGIN conditional entirely from the _read_flow helper function and unconditionally scopes all flow queries to the requesting user's user_id. Organizations should upgrade to this version as the primary remediation.
For additional details, refer to the GitHub Security Advisory and the GitHub Pull Request containing the fix.
Workarounds
- If immediate upgrade is not possible, consider temporarily disabling external network access to the Langflow instance
- Implement network-level access controls to restrict API access to trusted users only
- Avoid storing sensitive API keys directly in flows; use environment variables or external secret management instead
- Consider enabling additional authentication layers such as VPN or reverse proxy with additional authorization checks
# Upgrade Langflow to the patched version (quote the specifier so the shell
# does not treat ">=" as output redirection)
pip install --upgrade 'langflow>=1.5.1'
# Verify the installed version is 1.5.1 or later
pip show langflow | grep Version
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.