GHSA-qrpv-q767-xqq2: Langflow: IDOR Vulnerability in `/api/v1/responses` Endpoint Allows Authenticated Attackers to Access Another User's Flow
Summary
Langflow versions before 1.9.1 had an IDOR vulnerability (insecure direct object reference: the server uses a client-supplied object identifier to fetch a resource without checking that the caller is authorized for it) in the `/api/v1/responses` endpoint. Any authenticated user could execute another user's flow by supplying that flow's ID, potentially exposing sensitive data and consuming compute resources on the victim's behalf. The root cause was that the handler queried the database by the flow's unique identifier alone, without checking whether the requesting user actually owned that flow.
Solution / Mitigation
Update to Langflow 1.9.1 or later. The fix, released on 2026-04-22 in PR #12832, adds ownership verification: when a flow is looked up by ID, the server checks that the requesting user owns it and otherwise returns a 404, the same response as for a nonexistent flow, so the endpoint neither grants access nor confirms that the flow exists. The check covers both UUID-based lookups and endpoint-name lookups, and additional protective layers were added to related endpoints such as the `/api/v1/run*` routes.
Vulnerability Details
EPSS: 0.0%
June 19, 2026
Related Issues
CVE-2026-34371: LibreChat is a ChatGPT clone with additional features. Prior to 0.8.4, LibreChat trusts the name field returned by the e
CVE-2024-27444: langchain_experimental (aka LangChain Experimental) in LangChain before 0.1.8 allows an attacker to bypass the CVE-2023-
Original source: https://github.com/advisories/GHSA-qrpv-q767-xqq2
First tracked: June 19, 2026 at 08:01 PM