CVE-2026-5022
Langflow - Missing Authorization on download_image Endpoint
The '/api/v1/files/images/{flow_id}/{file_name}' endpoint does not enforce any authentication or authorization checks, allowing any unauthenticated user to download images belonging to any flow by knowing (or guessing) the flow ID and file name.
CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
Produtos afetados
langflow-ai · langflowQuer saber se a sua infraestrutura está exposta a isto?
Falar com a TrueHacking →