{"data":{"id":"ca508225-246e-49f0-8f73-3d4331b696df","title":"GHSA-7grx-3xcx-2xv5: langflow has Unauthenticated IDOR on Image Downloads","summary":"Langflow has a vulnerability where the image download endpoint (`/api/v1/files/images/{flow_id}/{file_name}`) allows anyone to download images without logging in or proving they own the image (an IDOR, or insecure direct object reference, where attackers access resources by manipulating identifiers). An attacker who knows a flow ID and filename can retrieve private images from any user, potentially exposing sensitive data in multi-tenant setups (systems serving multiple separate customers).","solution":"N/A -- no mitigation discussed in source.","labels":["security"],"sourceUrl":"https://github.com/advisories/GHSA-7grx-3xcx-2xv5","publishedAt":"2026-03-20T20:47:10.000Z","cveId":"CVE-2026-33484","cweIds":null,"cvssScore":null,"cvssSeverity":"high","severity":"high","attackType":["other"],"issueType":"vulnerability","affectedPackages":["langflow@>= 1.0.0, <= 1.8.1"],"affectedVendors":["LangChain"],"affectedVendorsRaw":["Langflow"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":null,"attackVector":null,"attackComplexity":null,"privilegesRequired":null,"userInteraction":null,"exploitMaturity":"unknown","epssScore":0,"patchAvailable":null,"disclosureDate":"2026-03-20T20:47:10.000Z","capecIds":null,"crossRefCount":0,"attackSophistication":"trivial","impactType":["confidentiality"],"aiComponentTargeted":"api","llmSpecific":false,"classifierConfidence":0.95,"researchCategory":null,"atlasIds":null}}