Langflow has an Information Leak through Incomplete API Key Redaction

GHSA-5jjf-wcvf-923w · CVE-2026-6597

Published Apr 20, 2026 · Modified May 5, 2026

Description

A weakness has been identified in langflow-ai langflow up to 1.8.3. Impacted is the function remove_api_keys/has_api_terms of the file src/backend/base/langflow/api/utils/core.py of the component Flow Using API. This manipulation causes unprotected storage of credentials. The attack can be initiated remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2026-6597
WEB https://gist.github.com/chenhouser2025/b93261c6e651f14800a4f2e4365f357b
PACKAGE https://github.com/langflow-ai/langflow
WEB https://vuldb.com/submit/791920
WEB https://vuldb.com/vuln/358232
WEB https://vuldb.com/vuln/358232/cti

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes