langflow (pypi) security advisories

CRITICAL 9.8

PyPI

CVE-2024-37014

Jun 10, 2024

HIGH 8.8

PyPI KEV

CVE-2025-34291

Dec 5, 2025

CRITICAL 9.8

PyPI

CVE-2024-42835

Oct 31, 2024

CRITICAL 9.8

PyPI KEV

CVE-2026-33017

Unauthenticated Remote Code Execution in Langflow via Public Flow Build Endpoint

Mar 17, 2026

HIGH 7.5

PyPI

CVE-2026-33484

langflow has Unauthenticated IDOR on Image Downloads

Mar 20, 2026

UNKNOWN

PyPI

CVE-2026-33873

Langflow has Authenticated Code Execution in Agentic Assistant Validation

Mar 26, 2026

UNKNOWN

PyPI

CVE-2026-33053

Langflow is Missing Ownership Verification in API Key Deletion (IDOR)

Mar 18, 2026

CRITICAL 9.9

PyPI

CVE-2026-33309

Langflow has an Arbitrary File Write (RCE) via v2 API

Mar 19, 2026

UNKNOWN

PyPI

CVE-2026-33497

langflow: /profile_pictures/{folder_name}/{file_name} endpoint file reading

Mar 20, 2026

HIGH 7.1

PyPI

CVE-2025-68478

External Control of File Name or Path in Langflow

Dec 19, 2025

CRITICAL 9.8

PyPI

CVE-2024-42835

langflow has vulnerability in PythonCodeTool component

Oct 31, 2024

HIGH 8.8

PyPI KEV

CVE-2025-34291

Langflow CORS misconfiguration enables Account Takeover and RCE

Dec 6, 2025

CRITICAL 9.9

PyPI

CVE-2026-33873

Mar 27, 2026

HIGH 7.5

PyPI

CVE-2026-33497

Mar 24, 2026

HIGH 7.5

PyPI

CVE-2026-33484

Mar 24, 2026

CRITICAL 9.9

PyPI

CVE-2026-33309

Mar 24, 2026

HIGH 8.8

PyPI

CVE-2026-33053

Mar 20, 2026

HIGH 7.1

PyPI

CVE-2025-68478

Dec 19, 2025

CRITICAL 9.6

PyPI

CVE-2026-42048

Langflow Knowledge Bases API is Vulnerable to Path Traversal

May 5, 2026

MEDIUM 6.3

PyPI

CVE-2026-6599

Langflow vulnerable to injection

Apr 20, 2026

MEDIUM 4.3

PyPI

CVE-2026-6598

Langflow: Cleartext Storage of Authentication Settings in Project Creation Endpoint

Apr 20, 2026

LOW 2.7

PyPI

CVE-2026-6597

Langflow has an Information Leak through Incomplete API Key Redaction

Apr 20, 2026

UNKNOWN

PyPI KEV

CVE-2025-3248

Langflow Unauth RCE

Jun 17, 2025

UNKNOWN

PyPI

CVE-2026-34046

Langflow: Authenticated Users Can Read, Modify, and Delete Any Flow via Missing Ownership Check

Mar 27, 2026

CRITICAL 9.8

PyPI

CVE-2026-27966

Langflow has Remote Code Execution in CSV Agent

Feb 27, 2026

UNKNOWN

PyPI

CVE-2026-0770

Langflow affected by Remote Code Execution via validate_code() exec()

Jan 23, 2026

UNKNOWN

PyPI

CVE-2026-21445

Langflow Missing Authentication on Critical API Endpoints

Jan 2, 2026

HIGH 7.7

PyPI

CVE-2025-68477

Langflow vulnerable to Server-Side Request Forgery

Dec 19, 2025

HIGH 8.8

PyPI

CVE-2025-57760

Langflow Vulnerable to Privilege Escalation via CLI Superuser Creation (Post-RCE)

Aug 25, 2025

CRITICAL 9.8

PyPI KEV

CVE-2025-3248

Apr 7, 2025

CRITICAL 9.8

PyPI

GHSA-c995-4fw3-j39m

Duplicate Advisory: Langflow Vulnerable to Code Injection via the `/api/v1/validate/code` endpoint

Apr 7, 2025

HIGH 8.8

PyPI

CVE-2024-37014

Langflow remote code execution vulnerability

Jun 10, 2024

CRITICAL 9.8

PyPI

CVE-2024-48061

Langflow vulnerable to remote code execution

Nov 5, 2024

LOW 3.5

PyPI

CVE-2024-9277

Inefficient Regular Expression Complexity in langflow

Sep 27, 2024

langflow

Vulnerabilities

CVE-2024-37014

CVE-2025-34291

CVE-2024-42835

Unauthenticated Remote Code Execution in Langflow via Public Flow Build Endpoint

langflow has Unauthenticated IDOR on Image Downloads

Langflow has Authenticated Code Execution in Agentic Assistant Validation

Langflow is Missing Ownership Verification in API Key Deletion (IDOR)

Langflow has an Arbitrary File Write (RCE) via v2 API

langflow: /profile_pictures/{folder_name}/{file_name} endpoint file reading

External Control of File Name or Path in Langflow

langflow has vulnerability in PythonCodeTool component

Langflow CORS misconfiguration enables Account Takeover and RCE

CVE-2026-33873

CVE-2026-33497

CVE-2026-33484

CVE-2026-33309

CVE-2026-33053

CVE-2025-68478

Langflow Knowledge Bases API is Vulnerable to Path Traversal

Langflow vulnerable to injection

Langflow: Cleartext Storage of Authentication Settings in Project Creation Endpoint

Langflow has an Information Leak through Incomplete API Key Redaction

Langflow Unauth RCE

Langflow: Authenticated Users Can Read, Modify, and Delete Any Flow via Missing Ownership Check

Langflow has Remote Code Execution in CSV Agent

Langflow affected by Remote Code Execution via validate_code() exec()

Langflow Missing Authentication on Critical API Endpoints

Langflow vulnerable to Server-Side Request Forgery

Langflow Vulnerable to Privilege Escalation via CLI Superuser Creation (Post-RCE)

CVE-2025-3248

Duplicate Advisory: Langflow Vulnerable to Code Injection via the `/api/v1/validate/code` endpoint

Langflow remote code execution vulnerability

Langflow vulnerable to remote code execution

Inefficient Regular Expression Complexity in langflow

Start Securing