{"data":{"id":"c7f9dfea-f348-4bd1-83d5-34646e736817","title":"GHSA-qwqc-p3q8-wcg9: Langflow: Unauthenticated DoS through multipart form boundary file upload","summary":"An attacker can crash Langflow (an AI application framework) by sending a specially crafted file upload request with an extremely long multipart form boundary (a delimiter used in form data) without needing to log in, making the server unusable for all users indefinitely. The vulnerability exists because the server tries to process the malformed data before checking if the user is authenticated.","solution":"Upgrade to version 1.0.19 or later. The fix adds a `check_boundary` HTTP middleware that validates the multipart boundary using the pattern `^[\\w\\-]{1,70}$` and rejects malformed requests with HTTP 422 before the body is parsed. The upload endpoint also now requires authentication checks (`get_current_active_user`) and returns HTTP 403 if the user doesn't own the flow.","labels":["security"],"sourceUrl":"https://github.com/advisories/GHSA-qwqc-p3q8-wcg9","publishedAt":"2026-06-19T21:17:37.000Z","cveId":"CVE-2026-55446","cweIds":null,"cvssScore":null,"cvssSeverity":"high","severity":"high","attackType":["denial_of_service"],"issueType":"vulnerability","affectedPackages":["langflow@< 1.0.19 (fixed: 1.0.19)"],"affectedVendors":["LangChain"],"affectedVendorsRaw":["Langflow"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":null,"attackVector":null,"attackComplexity":null,"privilegesRequired":null,"userInteraction":null,"exploitMaturity":"unknown","epssScore":0,"patchAvailable":true,"disclosureDate":"2026-06-19T21:17:37.000Z","capecIds":null,"crossRefCount":0,"attackSophistication":"trivial","impactType":["availability"],"aiComponentTargeted":"api","llmSpecific":false,"classifierConfidence":0.95,"researchCategory":null,"atlasIds":null}}