AI Sec Watch: A Security Intelligence Platform for AI Systems

Luu, T.J.

GHSA-8c4j-f57c-35cf: Langflow: Authenticated Users Can Read, Modify, and Delete Any Flow via Missing Ownership Check

highvulnerability

security

Source: GitHub Advisory DatabaseMarch 27, 2026CVE-2026-34046

Summary

Langflow had a vulnerability where the code checking if a user owned a flow was missing when authentication was enabled, allowing any authenticated user to read, modify, or delete flows belonging to other users, including stealing embedded API keys. The fix removes the conditional logic and always checks that the requesting user owns the flow before allowing any operation.

Solution / Mitigation

The fix (PR #8956) removes the AUTO_LOGIN conditional and unconditionally scopes all flow queries to the requesting user by adding `.where(Flow.user_id == user_id)` to the database query. This single change covers all three vulnerable operations (read, update, delete) since they all route through the same `_read_flow` helper. A regression test called `test_read_flows_user_isolation` was added.

Vulnerability Details

EPSS (30-day exploit probability)

EPSS: 0.0%

Patch Available

Yes

Disclosure Date

March 27, 2026

Classification

Attack Type

Data Extraction

Attack SophisticationTrivial

Impact (CIA+S)

confidentialityintegrity

Affected Vendors

LangChain

Affected Packages

langflow-base@<= 0.5.0 (fixed: 0.5.1)langflow@<= 1.5.0 (fixed: 1.5.1)

Related Issues

critical

CVE-2024-27444: langchain_experimental (aka LangChain Experimental) in LangChain before 0.1.8 allows an attacker to bypass the CVE-2023-

Same vendorNVD/CVE Database

critical

CVE-2025-45150: Insecure permissions in LangChain-ChatGLM-Webui commit ef829 allows attackers to arbitrarily view and download sensitive

First tracked: March 28, 2026 at 02:00 AM

Classified by LLM (prompt v3) · confidence: 95%