{"data":{"id":"0283ba9f-be31-458e-8bed-c595346e9d7a","title":"GHSA-7hw8-6q6r-4276: Langflow: Logout button does not clear session","summary":"Langflow's logout button fails to properly clear user sessions, leaving authentication tokens (access_token_lf and refresh_token_lf) in the browser's storage, so the previous user remains logged in until someone else logs in explicitly. This happens because the logout endpoint does not delete the authentication cookies with the same attributes (httponly, samesite, secure, domain) they were created with, and the frontend does not clear the stored tokens either. On shared computers, users may incorrectly think they have logged out when they have not.","solution":"Upgrade to Langflow version 1.7.0 or later. The fix (PRs #10527 and #10528) ensures the logout endpoint deletes authentication cookies using the same parameters (httponly, samesite, secure, domain) they were created with, and the frontend now clears auth cookies on logout. Note: this record's affectedPackages field lists 1.7.1 as the fixed release, so confirm the fixed version against the linked advisory before treating 1.7.0 as patched.","labels":["security"],"sourceUrl":"https://github.com/advisories/GHSA-7hw8-6q6r-4276","publishedAt":"2026-06-19T21:17:01.000Z","cveId":"CVE-2026-55423","cweIds":null,"cvssScore":null,"cvssSeverity":"medium","severity":"medium","attackType":[],"issueType":"vulnerability","affectedPackages":["langflow@< 1.7.0 (fixed: 1.7.1)"],"affectedVendors":["LangChain"],"affectedVendorsRaw":["Langflow"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":null,"attackVector":null,"attackComplexity":null,"privilegesRequired":null,"userInteraction":null,"exploitMaturity":"unknown","epssScore":0,"patchAvailable":true,"disclosureDate":"2026-06-19T21:17:01.000Z","capecIds":null,"crossRefCount":0,"attackSophistication":"trivial","impactType":["confidentiality"],"aiComponentTargeted":"api","llmSpecific":false,"classifierConfidence":0.92,"researchCategory":null,"atlasIds":null}}