CVE-2026-5022
Langflow - Missing Authorization on download_image Endpoint
The '/api/v1/files/images/{flow_id}/{file_name}' endpoint does not enforce any authentication or authorization checks, allowing any unauthenticated user to download images belonging to any flow by knowing (or guessing) the flow ID and file name.
CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
Productos afectados
langflow-ai · langflow¿Quieres saber si tu infraestructura está expuesta a esto?
Hablar con TrueHacking →