GHSA-qwqc-p3q8-wcg9: Langflow: Unauthenticated DoS through multipart form boundary file upload
Summary
An unauthenticated attacker can crash Langflow (an AI application framework) by sending a specially crafted file upload request with an extremely long multipart form boundary (the delimiter used in form data). No login is required, and the server becomes unusable for all users indefinitely. The vulnerability exists because the server tries to process the malformed data before checking whether the user is authenticated.
Solution / Mitigation
Upgrade to version 1.0.19 or later. The fix adds a `check_boundary` HTTP middleware that validates the multipart boundary using the pattern `^[\w\-]{1,70}$` and rejects malformed requests with HTTP 422 before the body is parsed. The upload endpoint also now requires authentication checks (`get_current_active_user`) and returns HTTP 403 if the user doesn't own the flow.
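A sketch of the pre-parse boundary check described above, added here as an illustration and not Langflow's own code. It applies the advisory's pattern in a dependency-free ASGI middleware; the names `BoundaryCheckMiddleware` and `status_for`, the stub app, and the sample request are constructed for this example, and unlike the fix it is not scoped to the upload path.

```python
import asyncio
import re
from email.message import Message

BOUNDARY_RE = re.compile(r"^[\w\-]{1,70}$")  # pattern quoted in the advisory


def boundary_is_valid(content_type: str) -> bool:
    """False for multipart/form-data whose boundary is missing or malformed."""
    msg = Message()
    msg["Content-Type"] = content_type
    if msg.get_content_type() != "multipart/form-data":
        return True  # not a multipart upload, nothing to check
    boundary = msg.get_param("boundary")  # handles quoted parameter values
    return isinstance(boundary, str) and BOUNDARY_RE.fullmatch(boundary) is not None


class BoundaryCheckMiddleware:
    """Pure-ASGI wrapper: answer 422 before the wrapped app parses the body."""

    def __init__(self, app):
        self.app = app

    async def __call__(self, scope, receive, send):
        if scope["type"] == "http":
            headers = dict(scope.get("headers", []))
            content_type = headers.get(b"content-type", b"").decode("latin-1")
            if not boundary_is_valid(content_type):
                await send({"type": "http.response.start", "status": 422,
                            "headers": [(b"content-type", b"text/plain")]})
                await send({"type": "http.response.body", "body": b"invalid boundary"})
                return  # the upload handler never runs
        await self.app(scope, receive, send)


def status_for(content_type: str) -> int:
    """Drive the middleware with a constructed request; return the status sent."""
    sent = []

    async def stub_app(scope, receive, send):  # stands in for the upload route
        await send({"type": "http.response.start", "status": 200, "headers": []})

    async def send(message):
        sent.append(message)

    scope = {"type": "http", "method": "POST", "path": "/upload",
             "headers": [(b"content-type", content_type.encode("latin-1"))]}
    asyncio.run(BoundaryCheckMiddleware(stub_app)(scope, None, send))
    return sent[0]["status"]
```

Because the check reads only the `Content-Type` header, an oversized boundary is refused without the request body ever being handed to a multipart parser.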
Vulnerability Details
EPSS: 0.0%
Yes
June 19, 2026
Related Issues
CVE-2026-34371: LibreChat is a ChatGPT clone with additional features. Prior to 0.8.4, LibreChat trusts the name field returned by the e
CVE-2024-27444: langchain_experimental (aka LangChain Experimental) in LangChain before 0.1.8 allows an attacker to bypass the CVE-2023-
Original source: https://github.com/advisories/GHSA-qwqc-p3q8-wcg9
First tracked: June 19, 2026 at 08:01 PM