GHSA-7hw8-6q6r-4276: Langflow: Logout button does not clear session
Summary
Langflow's logout button fails to properly clear user sessions, leaving authentication tokens (access_token_lf and refresh_token_lf) in the browser's storage, so the previous user remains logged in until someone else logs in explicitly. This happens because the logout endpoint doesn't delete cookies with the same security settings they were created with, and the frontend doesn't clear stored tokens either. On shared computers, users may incorrectly think they've logged out when they haven't.
Solution / Mitigation
Upgrade to Langflow version 1.7.0 or later. The fix (PRs #10527 and #10528) ensures the logout endpoint deletes authentication cookies using the same parameters (httponly, samesite, secure, domain) they were created with, and the frontend now clears auth cookies on logout.
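To show why a logout that expires cookies without matching attributes leaves the session in place, here is an added example (not Langflow's code) that simulates a browser cookie jar with Python's standard library. The cookie names come from the advisory; the domain, path and token values are assumed sample values, and the jar keys cookies on the exact (name, domain, path) triple as a simplified model of browser behaviour.

```python
from http import cookies
from typing import Dict, Tuple

# Cookie names from the advisory; domain and path are assumed sample values.
COOKIES = ("access_token_lf", "refresh_token_lf")
SET_ATTRS = {"domain": "app.example.test", "path": "/",
             "httponly": True, "secure": True, "samesite": "Lax"}

Jar = Dict[Tuple[str, str, str], str]  # (name, domain, path) -> value


def set_cookie_header(name: str, value: str, **attrs) -> str:
    """Build the Set-Cookie header value a server would emit."""
    c = cookies.SimpleCookie()
    c[name] = value
    for k, v in attrs.items():
        c[name][k] = v
    return c.output(header="").strip()


def apply_set_cookie(jar: Jar, header: str) -> None:
    """Simulated browser: store or drop the cookie named by the header."""
    for name, morsel in cookies.SimpleCookie(header).items():
        key = (name, morsel["domain"], morsel["path"])
        # Max-Age=0 only removes the cookie with this exact identity.
        if str(morsel["max-age"]) == "0":
            jar.pop(key, None)
        else:
            jar[key] = morsel.value


def login(jar: Jar) -> None:
    for name in COOKIES:
        apply_set_cookie(jar, set_cookie_header(name, f"tok-{name}", **SET_ATTRS))


def logout_vulnerable(jar: Jar) -> None:
    # Expires the cookie but omits the attributes it was set with, so the
    # browser sees a different cookie and the original one survives.
    for name in COOKIES:
        apply_set_cookie(jar, set_cookie_header(name, "", **{"max-age": 0}))


def logout_fixed(jar: Jar) -> None:
    # Same attributes as at login, so the deletion targets the real cookie.
    for name in COOKIES:
        apply_set_cookie(jar, set_cookie_header(name, "", **{"max-age": 0, **SET_ATTRS}))


def still_logged_in(jar: Jar) -> bool:
    return any(key[0] in COOKIES for key in jar)
```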
Vulnerability Details
EPSS: 0.0%
June 19, 2026
Related Issues
CVE-2026-34371: LibreChat is a ChatGPT clone with additional features. Prior to 0.8.4, LibreChat trusts the name field returned by the e
CVE-2024-27444: langchain_experimental (aka LangChain Experimental) in LangChain before 0.1.8 allows an attacker to bypass the CVE-2023-
Original source: https://github.com/advisories/GHSA-7hw8-6q6r-4276
First tracked: June 19, 2026 at 08:01 PM
Classified by LLM (prompt v3) · confidence: 92%