SB20260424126 - Multiple vulnerabilities in Langflow
Published: April 24, 2026 Updated: June 19, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 4 vulnerabilities.
1) Server-Side Request Forgery (SSRF) (CVE-ID: CVE-2025-68477)
CWE-ID: CWE-918 - Server-Side Request Forgery (SSRF)
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to disclose sensitive information from internal network resources.
The vulnerability exists due to server-side request forgery (SSRF) in the API Request component when processing a user-supplied URL during flow execution. A remote user can send a specially crafted flow execution request with an arbitrary URL to disclose sensitive information from internal network resources.
The response body from the server-side request is returned to the client, making the issue non-blind. Exploitation can occur through the /api/v1/run and /api/v1/run/advanced endpoints using an API key.
2) External Control of File Name or Path (CVE-ID: CVE-2025-68478)
CWE-ID: CWE-73 - External Control of File Name or Path
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to overwrite files on the server.
The vulnerability exists due to external control of file name or path in the flow creation endpoint and filesystem save logic when handling a request containing a user-supplied fs_path value. A remote user can send a specially crafted request to overwrite files on the server.
The written content is limited to serialized Flow JSON, and both absolute and relative paths are accepted.
3) Path traversal (CVE-ID: CVE-2026-33497)
CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to path traversal in the GET /api/v1/files/profile_pictures/{folder_name}/{file_name} endpoint when handling user-supplied path parameters. A remote attacker can supply crafted traversal sequences to disclose sensitive information.
Exposed files may include the application's secret_key used to sign JWT tokens.
4) Insufficient Session Expiration (CVE-ID: CVE-2026-55423)
CWE-ID: CWE-613 - Insufficient Session Expiration
CVSSv4: CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows an attacker with physical access to gain unauthorized access to a previous user's session.
The vulnerability exists due to insufficient session expiration in the logout endpoint and frontend logout functionality when processing logout requests. An attacker with physical access can use a shared system after logout and refresh the application to gain unauthorized access to a previous user's session.
The issue occurs when auto login mode is disabled and the application is hosted on localhost. Authentication tokens remain present in local storage and cookies after logout.
Remediation
Install update from vendor's website.
References
- https://github.com/langflow-ai/langflow/security/advisories/GHSA-5993-7p27-66g5
- https://github.com/advisories/GHSA-5993-7p27-66g5
- https://github.com/langflow-ai/langflow/security/advisories/GHSA-f43r-cc68-gpx4
- https://github.com/advisories/GHSA-f43r-cc68-gpx4
- https://github.com/langflow-ai/langflow/security/advisories/GHSA-ph9w-r52h-28p7
- https://github.com/langflow-ai/langflow/security/advisories/GHSA-7hw8-6q6r-4276