CVE-2026-34046

EPSS 0.03%

Langflow: Authenticated Users Can Read, Modify, and Delete Any Flow via Missing Ownership Check

Published: 3/27/2026Modified: 3/27/2026

Description

## Vulnerability ### IDOR in `GET/PATCH/DELETE /api/v1/flow/{flow_id}` The `_read_flow` helper in `src/backend/base/langflow/api/v1/flows.py` branched on the `AUTO_LOGIN` setting to decide whether to filter by `user_id`. When `AUTO_LOGIN` was `False` (i.e., authentication was enabled), neither branch enforced an ownership check — the query returned any flow matching the given UUID regardless of who owned it. This exposed any authenticated user to: - **Read** any other user's flow, including embedded plaintext API keys - **Modify** the logic of another user's AI agents - **Delete** flows belonging to other users The vulnerability was introduced by the conditional logic that was meant to accommodate public/example flows (those with `user_id = NULL`) under auto-login mode, but inadvertently left the authenticated path without an ownership filter. --- ## Fix (PR #8956) The fix removes the `AUTO_LOGIN` conditional entirely and unconditionally scopes the query to the requesting user: ```diff - auth_settings = settings_service.auth_settings - stmt = select(Flow).where(Flow.id == flow_id) - if auth_settings.AUTO_LOGIN: - stmt = stmt.where( - (Flow.user_id == user_id) | (Flow.user_id == None) # noqa: E711 - ) + stmt = select(Flow).where(Flow.id == flow_id).where(Flow.user_id == user_id) ``` All three operations — read, update, and delete — route through `_read_flow`, so the single change covers the full attack surface. A cross-user isolation test (`test_read_flows_user_isolation`) was added to prevent regression. --- ## Acknowledgements Langflow thanks the security researcher who responsibly disclosed this vulnerability: - **[@chximn-dt](https://github.com/chximn-dt)**

Affected packages (2)

CVSS scores

SourceVersionSeverityVector
osvCVSS 4.0CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

References (4)