AI Sec Watch: A Security Intelligence Platform for AI Systems

Luu, T.J.

CVE-2026-6597: A weakness has been identified in langflow-ai langflow up to 1.8.3. Impacted is the function remove_api_keys/has_api_ter

lowvulnerability

security

Source: NVD/CVE DatabaseApril 19, 2026CVE-2026-6597

Summary

A vulnerability (CVE-2026-6597) was found in langflow-ai langflow version 1.8.3 and earlier, where a function called remove_api_keys/has_api_terms fails to properly protect stored credentials (API keys and authentication information), allowing attackers to access them remotely. The vendor was notified but did not respond, and the exploit details have been publicly released.

Vulnerability Details

CVSS Score

2.7(low)

EPSS (30-day exploit probability)

EPSS: 0.0%

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N

Attack Vector

network

Attack Complexity

low

Privileges Required

high

User Interaction

none

Disclosure Date

April 19, 2026

Classification

Attack Type

PII Leakage

Attack SophisticationModerate

Impact (CIA+S)

confidentialityintegrity

Taxonomy References

CWE (Weakness Type)

CWE-255 CWE-256

Affected Vendors

LangChain

Related Issues

medium

CVE-2026-34371: LibreChat is a ChatGPT clone with additional features. Prior to 0.8.4, LibreChat trusts the name field returned by the e

Same vendorNVD/CVE Database

critical

CVE-2024-27444: langchain_experimental (aka LangChain Experimental) in LangChain before 0.1.8 allows an attacker to bypass the CVE-2023-

Same vendor

Monthly digest — independent AI security research

Original source: https://nvd.nist.gov/vuln/detail/CVE-2026-6597

First tracked: April 20, 2026 at 08:18 AM

Classified by LLM (prompt v3) · confidence: 85%