SB2026060914 - Multiple vulnerabilities in Langflow


Published: June 9, 2026 Updated: June 12, 2026

Security Bulletin ID SB2026060914
CSH Severity
Medium
Patch available
YES
Number of vulnerabilities 3
Exploitation vector Remote access
Highest impact Code execution

Breakdown by Severity

Medium 100%

Description

This security bulletin contains information about 3 vulnerabilities.


1) HTTP response splitting (CVE-ID: CVE-2026-40175)

CWE-ID: CWE-113 - Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')

CVSSv4: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to perform HTTP response splitting attacks.

The vulnerability exists because the software does not correctly process CRLF character sequences. A remote attacker can send a specially crafted request containing a CRLF sequence and make the application send a split HTTP response.

Successful exploitation of the vulnerability may allow an attacker to perform a cache poisoning attack.


2) Path traversal (CVE-ID: CVE-2026-42867)

CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to create directories and write files outside the intended directory.

The vulnerability exists due to path traversal in the create_knowledge_base function within the Knowledge Bases API when handling crafted knowledge base names in POST /api/v1/knowledge_bases requests. A remote attacker can send a specially crafted request with traversal sequences or an absolute path to create directories and write files outside the intended directory.

The issue affects filesystem operations for embedding_metadata.json and schema.json written to the attacker-controlled path.
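A defensive name check for the knowledge-base path handling described above, as an added example: this is not Langflow's own code, and the storage root path, exception class and function names are assumptions. It rejects absolute paths, separators and dot components, then confirms the resolved target still lies under the storage root.

```python
from pathlib import Path

# Constructed storage root for the demonstration (assumption, not Langflow's layout).
DEMO_ROOT = Path("/var/lib/langflow/knowledge_bases")


class UnsafeKnowledgeBaseName(ValueError):
    """Raised when a knowledge base name would escape the storage root."""


def resolve_kb_dir(root: Path, name: str) -> Path:
    """Return the directory for a knowledge base, confined to `root`.

    Rejects the input classes the bulletin describes: traversal sequences
    and absolute paths. A name must be exactly one path component.
    """
    if not name or name != name.strip():
        raise UnsafeKnowledgeBaseName("empty or whitespace-padded name")
    # Separators and NUL bytes are rejected up front so the check does not
    # depend on how the host platform splits a path.
    if any(ch in name for ch in ("/", "\\", "\x00")):
        raise UnsafeKnowledgeBaseName("path separators are not allowed")
    candidate = Path(name)
    # An absolute path would replace the root entirely.
    if candidate.is_absolute():
        raise UnsafeKnowledgeBaseName("absolute path not allowed")
    # Exactly one component, and not a dot component ('.' yields no parts).
    if len(candidate.parts) != 1 or candidate.parts[0] == "..":
        raise UnsafeKnowledgeBaseName("name must be a single path component")
    root_resolved = root.resolve()
    target = (root_resolved / name).resolve()
    # Second line of defence: the resolved target must still sit under root
    # (also catches a pre-existing symlink pointing elsewhere).
    try:
        target.relative_to(root_resolved)
    except ValueError as exc:
        raise UnsafeKnowledgeBaseName("name escapes storage root") from exc
    return target


def is_safe_kb_name(root: Path, name: str) -> bool:
    """True when `name` resolves to a directory inside `root`."""
    try:
        resolve_kb_dir(root, name)
        return True
    except UnsafeKnowledgeBaseName:
        return False
```

Only after this check passes should files such as embedding_metadata.json and schema.json be written beneath the returned directory.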


3) Authorization bypass through user-controlled key (CVE-ID: CVE-2026-33760)

CWE-ID: CWE-639 - Authorization Bypass Through User-Controlled Key

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote user to read, modify, and delete other users' monitor data.

The vulnerability exists due to authorization bypass through user-controlled key in the /api/v1/monitor router when handling requests with user-supplied resource identifiers such as message IDs, session IDs, and flow_id values. A remote user can send crafted requests referencing another user's resource identifiers to read, modify, and delete other users' monitor data.

This affects seven endpoints covering messages, sessions, build artifacts, and LLM transaction logs, and is exposed in multi-user deployments.


Remediation

Install the update from the vendor's website.