CVE-2026-34046

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2026-34046
Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to version 1.5.1, the `_read_flow` helper in `src/backend/base/langflow/api/v1/flows.py` branched on the `AUTO_LOGIN` setting to decide whether to filter by `user_id`. When `AUTO_LOGIN` was `False` (i.e., authentication was enabled), neither branch enforced an ownership check — the query returned any flow matching the given UUID regardless of who owned it. This allowed any authenticated user to read any other user's flow, including embedded plaintext API keys; modify the logic of another user's AI agents, and/or delete flows belonging to other users. The vulnerability was introduced by the conditional logic that was meant to accommodate public/example flows (those with `user_id = NULL`) under auto-login mode, but inadvertently left the authenticated path without an ownership filter. The fix in version 1.5.1 removes the `AUTO_LOGIN` conditional entirely and unconditionally scopes the query to the requesting user.

8.8 /10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://github.com/langflow-ai/langflow/pull/8956 Issue Tracking Patch
https://github.com/langflow-ai/langflow/security/advisories/GHSA-8c4j-f57c-35cf Patch Vendor Advisory
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:langflow:langflow:*:*:*:*:*:*:*:*
cpe:2.3:a:langflow:langflow:1.5.0:dev0:*:*:*:*:*:*
cpe:2.3:a:langflow:langflow:1.5.0:dev1:*:*:*:*:*:*
cpe:2.3:a:langflow:langflow-base:*:*:*:*:*:python:*:*
History

11 May 2026, 14:23

Type Values Removed Values Added
CPE cpe:2.3:a:langflow:langflow:1.5.1:dev15:*:*:*:*:*:*
cpe:2.3:a:langflow:langflow:1.5.0:dev35:*:*:*:*:*:*
cpe:2.3:a:langflow:langflow:1.5.1:dev22:*:*:*:*:*:*
cpe:2.3:a:langflow:langflow:1.5.0:dev12:*:*:*:*:*:*
cpe:2.3:a:langflow:langflow:1.5.1:dev24:*:*:*:*:*:*
cpe:2.3:a:langflow:langflow:1.5.0:dev38:*:*:*:*:*:*
cpe:2.3:a:langflow:langflow:1.5.0:dev6:*:*:*:*:*:*
cpe:2.3:a:langflow:langflow:1.5.1:dev4:*:*:*:*:*:*
cpe:2.3:a:langflow:langflow:1.5.1:dev2:*:*:*:*:*:*
cpe:2.3:a:langflow:langflow:1.5.0:dev31:*:*:*:*:*:*
cpe:2.3:a:langflow:langflow:1.5.0:dev4:*:*:*:*:*:*
cpe:2.3:a:langflow:langflow:1.5.0:dev21:*:*:*:*:*:*
cpe:2.3:a:langflow:langflow:1.5.1:dev38:*:*:*:*:*:*
cpe:2.3:a:langflow:langflow:1.5.1:dev1:*:*:*:*:*:*
cpe:2.3:a:langflow:langflow:1.5.0:dev29:*:*:*:*:*:*
cpe:2.3:a:langflow:langflow:1.5.1:dev5:*:*:*:*:*:*
cpe:2.3:a:langflow:langflow:1.5.0:dev5:*:*:*:*:*:*
cpe:2.3:a:langflow:langflow:1.5.1:dev39:*:*:*:*:*:*
cpe:2.3:a:langflow:langflow:1.5.0:dev18:*:*:*:*:*:*
cpe:2.3:a:langflow:langflow:1.5.1:dev41:*:*:*:*:*:*
cpe:2.3:a:langflow:langflow:1.5.0:dev36:*:*:*:*:*:*
cpe:2.3:a:langflow:langflow:1.5.1:dev6:*:*:*:*:*:*
cpe:2.3:a:langflow:langflow:1.5.0:dev9:*:*:*:*:*:*
cpe:2.3:a:langflow:langflow:1.5.1:dev3:*:*:*:*:*:*
cpe:2.3:a:langflow:langflow:1.5.0:dev26:*:*:*:*:*:*
cpe:2.3:a:langflow:langflow:1.5.0:dev27:*:*:*:*:*:*
cpe:2.3:a:langflow:langflow:1.5.1:dev14:*:*:*:*:*:*
cpe:2.3:a:langflow:langflow:1.5.1:dev34:*:*:*:*:*:*
cpe:2.3:a:langflow:langflow:1.5.0:dev14:*:*:*:*:*:*
cpe:2.3:a:langflow:langflow:1.5.1:dev11:*:*:*:*:*:*
cpe:2.3:a:langflow:langflow:1.5.0:dev16:*:*:*:*:*:*
cpe:2.3:a:langflow:langflow:1.5.0:dev30:*:*:*:*:*:*
cpe:2.3:a:langflow:langflow:1.5.0:dev17:*:*:*:*:*:*
cpe:2.3:a:langflow:langflow:1.5.1:dev18:*:*:*:*:*:*
cpe:2.3:a:langflow:langflow:1.5.1:dev30:*:*:*:*:*:*
cpe:2.3:a:langflow:langflow:1.5.0:dev3:*:*:*:*:*:*
cpe:2.3:a:langflow:langflow:1.5.1:dev37:*:*:*:*:*:*
cpe:2.3:a:langflow:langflow:1.5.1:dev12:*:*:*:*:*:*
cpe:2.3:a:langflow:langflow:1.5.1:dev40:*:*:*:*:*:*
cpe:2.3:a:langflow:langflow:1.5.0:dev28:*:*:*:*:*:*
cpe:2.3:a:langflow:langflow:1.5.1:dev31:*:*:*:*:*:*
cpe:2.3:a:langflow:langflow:1.5.0:dev40:*:*:*:*:*:*
cpe:2.3:a:langflow:langflow:1.5.1:dev16:*:*:*:*:*:*
cpe:2.3:a:langflow:langflow:1.5.0:dev10:*:*:*:*:*:*
cpe:2.3:a:langflow:langflow:1.5.0:dev11:*:*:*:*:*:*
cpe:2.3:a:langflow:langflow:1.5.0:dev25:*:*:*:*:*:*
cpe:2.3:a:langflow:langflow:1.5.1:dev17:*:*:*:*:*:*
cpe:2.3:a:langflow:langflow:1.5.0:dev39:*:*:*:*:*:*
cpe:2.3:a:langflow:langflow:1.5.1:dev42:*:*:*:*:*:*
cpe:2.3:a:langflow:langflow:1.5.1:dev28:*:*:*:*:*:*
cpe:2.3:a:langflow:langflow:1.5.1:dev20:*:*:*:*:*:*
cpe:2.3:a:langflow:langflow:1.5.0:dev13:*:*:*:*:*:*
cpe:2.3:a:langflow:langflow:1.5.1:dev10:*:*:*:*:*:*
cpe:2.3:a:langflow:langflow:1.5.1:dev7:*:*:*:*:*:*
cpe:2.3:a:langflow:langflow:1.5.1:dev0:*:*:*:*:*:*
cpe:2.3:a:langflow:langflow:1.5.0:dev34:*:*:*:*:*:*
cpe:2.3:a:langflow:langflow:1.5.1:dev36:*:*:*:*:*:*
cpe:2.3:a:langflow:langflow:1.5.1:dev21:*:*:*:*:*:*
cpe:2.3:a:langflow:langflow:1.5.1:dev32:*:*:*:*:*:*
cpe:2.3:a:langflow:langflow:1.5.1:dev9:*:*:*:*:*:*
cpe:2.3:a:langflow:langflow:1.5.0:dev22:*:*:*:*:*:*
cpe:2.3:a:langflow:langflow:1.5.1:dev27:*:*:*:*:*:*
cpe:2.3:a:langflow:langflow:1.5.0:dev23:*:*:*:*:*:*
cpe:2.3:a:langflow:langflow:1.5.0:dev37:*:*:*:*:*:*
cpe:2.3:a:langflow:langflow:1.5.0:dev19:*:*:*:*:*:*
cpe:2.3:a:langflow:langflow:1.5.0:dev20:*:*:*:*:*:*
cpe:2.3:a:langflow:langflow:1.5.1:dev19:*:*:*:*:*:*
cpe:2.3:a:langflow:langflow:1.5.0:dev15:*:*:*:*:*:*
cpe:2.3:a:langflow:langflow:1.5.0:dev2:*:*:*:*:*:*
cpe:2.3:a:langflow:langflow:1.5.0:dev24:*:*:*:*:*:*
cpe:2.3:a:langflow:langflow:1.5.0:dev33:*:*:*:*:*:*
cpe:2.3:a:langflow:langflow:1.5.1:dev33:*:*:*:*:*:*
cpe:2.3:a:langflow:langflow:1.5.1:dev25:*:*:*:*:*:*
cpe:2.3:a:langflow:langflow:1.5.1:dev26:*:*:*:*:*:*
cpe:2.3:a:langflow:langflow:1.5.0:-:*:*:*:*:*:*
cpe:2.3:a:langflow:langflow:1.5.1:dev23:*:*:*:*:*:*
cpe:2.3:a:langflow:langflow:1.5.0:dev32:*:*:*:*:*:*
cpe:2.3:a:langflow:langflow:1.5.0:dev7:*:*:*:*:*:*
cpe:2.3:a:langflow:langflow:1.5.1:dev13:*:*:*:*:*:*
cpe:2.3:a:langflow:langflow:1.5.1:dev29:*:*:*:*:*:*
cpe:2.3:a:langflow:langflow:1.5.1:dev8:*:*:*:*:*:*
cpe:2.3:a:langflow:langflow:1.5.1:dev35:*:*:*:*:*:*
cpe:2.3:a:langflow:langflow:1.5.0:dev8:*:*:*:*:*:*

11 May 2026, 14:04

Type Values Removed Values Added
CVSS v2 : unknown
v3 : unknown 		v2 : unknown
v3 : 8.8
First Time Langflow
Langflow langflow-base
Langflow langflow
CPE cpe:2.3:a:langflow:langflow:1.5.1:dev15:*:*:*:*:*:*
cpe:2.3:a:langflow:langflow:1.5.0:dev35:*:*:*:*:*:*
cpe:2.3:a:langflow:langflow:1.5.1:dev22:*:*:*:*:*:*
cpe:2.3:a:langflow:langflow:1.5.0:dev12:*:*:*:*:*:*
cpe:2.3:a:langflow:langflow:1.5.1:dev24:*:*:*:*:*:*
cpe:2.3:a:langflow:langflow:1.5.0:dev38:*:*:*:*:*:*
cpe:2.3:a:langflow:langflow:1.5.0:dev1:*:*:*:*:*:*
cpe:2.3:a:langflow:langflow:1.5.0:dev6:*:*:*:*:*:*
cpe:2.3:a:langflow:langflow:1.5.1:dev4:*:*:*:*:*:*
cpe:2.3:a:langflow:langflow:1.5.1:dev2:*:*:*:*:*:*
cpe:2.3:a:langflow:langflow:1.5.0:dev31:*:*:*:*:*:*
cpe:2.3:a:langflow:langflow:1.5.0:dev4:*:*:*:*:*:*
cpe:2.3:a:langflow:langflow:1.5.0:dev21:*:*:*:*:*:*
cpe:2.3:a:langflow:langflow:1.5.1:dev38:*:*:*:*:*:*
cpe:2.3:a:langflow:langflow:1.5.1:dev1:*:*:*:*:*:*
cpe:2.3:a:langflow:langflow:1.5.0:dev0:*:*:*:*:*:*
cpe:2.3:a:langflow:langflow:1.5.0:dev29:*:*:*:*:*:*
cpe:2.3:a:langflow:langflow:1.5.1:dev5:*:*:*:*:*:*
cpe:2.3:a:langflow:langflow:1.5.0:dev5:*:*:*:*:*:*
cpe:2.3:a:langflow:langflow:1.5.1:dev39:*:*:*:*:*:*
cpe:2.3:a:langflow:langflow:1.5.0:dev18:*:*:*:*:*:*
cpe:2.3:a:langflow:langflow:1.5.1:dev41:*:*:*:*:*:*
cpe:2.3:a:langflow:langflow:1.5.0:dev36:*:*:*:*:*:*
cpe:2.3:a:langflow:langflow:1.5.1:dev6:*:*:*:*:*:*
cpe:2.3:a:langflow:langflow:1.5.0:dev9:*:*:*:*:*:*
cpe:2.3:a:langflow:langflow:1.5.1:dev3:*:*:*:*:*:*
cpe:2.3:a:langflow:langflow:1.5.0:dev26:*:*:*:*:*:*
cpe:2.3:a:langflow:langflow:1.5.0:dev27:*:*:*:*:*:*
cpe:2.3:a:langflow:langflow:1.5.1:dev14:*:*:*:*:*:*
cpe:2.3:a:langflow:langflow:1.5.1:dev34:*:*:*:*:*:*
cpe:2.3:a:langflow:langflow:1.5.0:dev14:*:*:*:*:*:*
cpe:2.3:a:langflow:langflow:1.5.1:dev11:*:*:*:*:*:*
cpe:2.3:a:langflow:langflow:1.5.0:dev16:*:*:*:*:*:*
cpe:2.3:a:langflow:langflow:1.5.0:dev30:*:*:*:*:*:*
cpe:2.3:a:langflow:langflow:1.5.0:dev17:*:*:*:*:*:*
cpe:2.3:a:langflow:langflow:1.5.1:dev18:*:*:*:*:*:*
cpe:2.3:a:langflow:langflow:1.5.1:dev30:*:*:*:*:*:*
cpe:2.3:a:langflow:langflow:1.5.0:dev3:*:*:*:*:*:*
cpe:2.3:a:langflow:langflow:1.5.1:dev37:*:*:*:*:*:*
cpe:2.3:a:langflow:langflow:1.5.1:dev12:*:*:*:*:*:*
cpe:2.3:a:langflow:langflow:1.5.1:dev40:*:*:*:*:*:*
cpe:2.3:a:langflow:langflow:1.5.0:dev28:*:*:*:*:*:*
cpe:2.3:a:langflow:langflow:1.5.1:dev31:*:*:*:*:*:*
cpe:2.3:a:langflow:langflow:1.5.0:dev40:*:*:*:*:*:*
cpe:2.3:a:langflow:langflow:1.5.1:dev16:*:*:*:*:*:*
cpe:2.3:a:langflow:langflow:1.5.0:dev10:*:*:*:*:*:*
cpe:2.3:a:langflow:langflow:1.5.0:dev11:*:*:*:*:*:*
cpe:2.3:a:langflow:langflow:1.5.0:dev25:*:*:*:*:*:*
cpe:2.3:a:langflow:langflow:1.5.1:dev17:*:*:*:*:*:*
cpe:2.3:a:langflow:langflow:1.5.0:dev39:*:*:*:*:*:*
cpe:2.3:a:langflow:langflow:1.5.1:dev42:*:*:*:*:*:*
cpe:2.3:a:langflow:langflow:1.5.1:dev28:*:*:*:*:*:*
cpe:2.3:a:langflow:langflow:1.5.1:dev20:*:*:*:*:*:*
cpe:2.3:a:langflow:langflow-base:*:*:*:*:*:python:*:*
cpe:2.3:a:langflow:langflow:1.5.0:dev13:*:*:*:*:*:*
cpe:2.3:a:langflow:langflow:1.5.1:dev10:*:*:*:*:*:*
cpe:2.3:a:langflow:langflow:1.5.1:dev7:*:*:*:*:*:*
cpe:2.3:a:langflow:langflow:1.5.1:dev0:*:*:*:*:*:*
cpe:2.3:a:langflow:langflow:1.5.0:dev34:*:*:*:*:*:*
cpe:2.3:a:langflow:langflow:1.5.1:dev36:*:*:*:*:*:*
cpe:2.3:a:langflow:langflow:1.5.1:dev21:*:*:*:*:*:*
cpe:2.3:a:langflow:langflow:1.5.1:dev32:*:*:*:*:*:*
cpe:2.3:a:langflow:langflow:1.5.1:dev9:*:*:*:*:*:*
cpe:2.3:a:langflow:langflow:1.5.0:dev22:*:*:*:*:*:*
cpe:2.3:a:langflow:langflow:1.5.1:dev27:*:*:*:*:*:*
cpe:2.3:a:langflow:langflow:1.5.0:dev23:*:*:*:*:*:*
cpe:2.3:a:langflow:langflow:1.5.0:dev37:*:*:*:*:*:*
cpe:2.3:a:langflow:langflow:1.5.0:dev19:*:*:*:*:*:*
cpe:2.3:a:langflow:langflow:1.5.0:dev20:*:*:*:*:*:*
cpe:2.3:a:langflow:langflow:1.5.1:dev19:*:*:*:*:*:*
cpe:2.3:a:langflow:langflow:1.5.0:dev15:*:*:*:*:*:*
cpe:2.3:a:langflow:langflow:1.5.0:dev2:*:*:*:*:*:*
cpe:2.3:a:langflow:langflow:1.5.0:dev24:*:*:*:*:*:*
cpe:2.3:a:langflow:langflow:1.5.0:dev33:*:*:*:*:*:*
cpe:2.3:a:langflow:langflow:1.5.1:dev33:*:*:*:*:*:*
cpe:2.3:a:langflow:langflow:1.5.1:dev25:*:*:*:*:*:*
cpe:2.3:a:langflow:langflow:1.5.1:dev26:*:*:*:*:*:*
cpe:2.3:a:langflow:langflow:1.5.0:-:*:*:*:*:*:*
cpe:2.3:a:langflow:langflow:1.5.1:dev23:*:*:*:*:*:*
cpe:2.3:a:langflow:langflow:1.5.0:dev32:*:*:*:*:*:*
cpe:2.3:a:langflow:langflow:*:*:*:*:*:*:*:*
cpe:2.3:a:langflow:langflow:1.5.0:dev7:*:*:*:*:*:*
cpe:2.3:a:langflow:langflow:1.5.1:dev13:*:*:*:*:*:*
cpe:2.3:a:langflow:langflow:1.5.1:dev29:*:*:*:*:*:*
cpe:2.3:a:langflow:langflow:1.5.1:dev8:*:*:*:*:*:*
cpe:2.3:a:langflow:langflow:1.5.1:dev35:*:*:*:*:*:*
cpe:2.3:a:langflow:langflow:1.5.0:dev8:*:*:*:*:*:*
References () https://github.com/langflow-ai/langflow/pull/8956 - () https://github.com/langflow-ai/langflow/pull/8956 - Issue Tracking, Patch
References () https://github.com/langflow-ai/langflow/security/advisories/GHSA-8c4j-f57c-35cf - () https://github.com/langflow-ai/langflow/security/advisories/GHSA-8c4j-f57c-35cf - Patch, Vendor Advisory

27 Mar 2026, 21:17

Type Values Removed Values Added
New CVE
Information

Published : 2026-03-27 21:17

Updated : 2026-05-11 14:23

NVD link : CVE-2026-34046

Mitre link : CVE-2026-34046

CVE.ORG link : CVE-2026-34046

JSON object : View

Products Affected

langflow

  • langflow
  • langflow-base
CWE
CWE-639

Authorization Bypass Through User-Controlled Key

CWE-862

Missing Authorization