Vulnerabilities in langflow-ai
27 results

CVE-2025-3248 | CRITICAL | Langflow < 1.3.0 Unauthenticated RCE via /api/v1/validate/code | EPSS 100.0% | KEV
CVE-2026-33017 | CRITICAL | Langflow has Unauthenticated Remote Code Execution via Public Flow Build Endpoint | EPSS 98.4% | KEV
CVE-2026-27966 | CRITICAL | Langflow has Remote Code Execution in CSV Agent | EPSS 33.7%
CVE-2026-21445 | HIGH | Langflow Missing Authentication on Critical API Endpoints | EPSS 20.7%
CVE-2026-33497 | HIGH | Langflow: /profile_pictures/{folder_name}/{file_name} endpoint file reading | EPSS 8.0%
CVE-2026-33484 | HIGH | Langflow has Unauthenticated IDOR on Image Downloads | EPSS 5.8%
CVE-2025-68477 | HIGH | Langflow vulnerable to Server-Side Request Forgery | EPSS 5.8%
CVE-2026-42048 | CRITICAL | Langflow: Path Traversal in Langflow Knowledge Bases API | EPSS 4.4%
CVE-2025-68478 | HIGH | Langflow Vulnerable to External Control of File Name or Path | EPSS 3.3%
CVE-2026-33475 | CRITICAL | Langflow GitHub Actions Shell Injection | EPSS 3.0%
CVE-2026-5027 | HIGH | Langflow - Path Traversal Arbitrary File Write via upload_user_file | EPSS 2.1%
CVE-2026-7687 | MEDIUM | langflow-ai langflow Full Builtins code_parser.py CodeParser.parse_callable_details command injection | EPSS 1.7%
CVE-2026-33873 | CRITICAL | Langflow has Authenticated Code Execution in Agentic Assistant Validation | EPSS 1.4%
CVE-2026-33309 | CRITICAL | Langflow has an Arbitrary File Write (RCE) via v2 API | EPSS 1.4%
CVE-2025-57760 | HIGH | Langflow Vulnerable to Privilege Escalation via CLI Superuser Creation | EPSS 0.4%
CVE-2026-34046 | HIGH | Langflow: Authenticated Users Can Read, Modify, and Delete Any Flow via Missing Ownership Check | EPSS 0.4%
CVE-2026-33053 | MEDIUM | Langflow has Missing Ownership Verification in API Key Deletion (IDOR) | EPSS 0.4%
CVE-2026-6597 | MEDIUM | langflow-ai langflow Flow Using API core.py has_api_terms credentials storage | EPSS 0.3%
CVE-2026-7700 | MEDIUM | langflow-ai langflow LambdaFilterComponent lambda_filter.p eval code injection | EPSS 0.3%
CVE-2026-6596 | MEDIUM | langflow-ai langflow API Endpoint endpoints.py create_upload_file unrestricted upload | EPSS 0.3%