SB20260424126 - Multiple vulnerabilities in Langflow



SB20260424126 - Multiple vulnerabilities in Langflow

Published: April 24, 2026 Updated: June 19, 2026

Security Bulletin ID SB20260424126
CSH Severity
High
Patch available
YES
Number of vulnerabilities 4
Exploitation vector Remote access
Highest impact Information disclosure

Breakdown by Severity

Medium 50% Low 50%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 4 vulnerabilities.


1) Server-Side Request Forgery (SSRF) (CVE-ID: CVE-2025-68477)

CWE-ID: CWE-918 - Server-Side Request Forgery (SSRF)

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to disclose sensitive information from internal network resources.

The vulnerability exists due to server-side request forgery (SSRF) in the API Request component when processing a user-supplied URL during flow execution. A remote user can send a specially crafted flow execution request with an arbitrary URL to disclose sensitive information from internal network resources.

The response body from the server-side request is returned to the client, making the issue non-blind. Exploitation can occur through the /api/v1/run and /api/v1/run/advanced endpoints using an API key.


2) External Control of File Name or Path (CVE-ID: CVE-2025-68478)

CWE-ID: CWE-73 - External Control of File Name or Path

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to overwrite files on the server.

The vulnerability exists due to external control of file name or path in the flow creation endpoint and filesystem save logic when handling a request containing a user-supplied fs_path value. A remote user can send a specially crafted request to overwrite files on the server.

The written content is limited to serialized Flow JSON, and both absolute and relative paths are accepted.


3) Path traversal (CVE-ID: CVE-2026-33497)

CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to path traversal in the GET /api/v1/files/profile_pictures/{folder_name}/{file_name} endpoint when handling user-supplied path parameters. A remote attacker can supply crafted traversal sequences to disclose sensitive information.

Exposed files may include the application's secret_key used to sign JWT tokens.


4) Insufficient Session Expiration (CVE-ID: CVE-2026-55423)

CWE-ID: CWE-613 - Insufficient Session Expiration

CVSSv4: CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows an attacker with physical access to gain unauthorized access to a previous user's session.

The vulnerability exists due to insufficient session expiration in the logout endpoint and frontend logout functionality when processing logout requests. An attacker with physical access can use a shared system after logout and refresh the application to gain unauthorized access to a previous user's session.

The issue occurs when auto login mode is disabled and the application is hosted on localhost. Authentication tokens remain present in local storage and cookies after logout.


Remediation

Install update from vendor's website.