Authorization bypass through user-controlled key in Langflow - CVE-2026-33760


Published: June 12, 2026


Vulnerability identifier: #VU134433
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-33760
CWE-ID: CWE-639
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Langflow
Affected software:
Langflow

Detailed vulnerability description

The vulnerability allows a remote user to read, modify, and delete other users' monitor data.

The vulnerability exists due to an authorization bypass through a user-controlled key in the /api/v1/monitor router, which handles requests carrying user-supplied resource identifiers such as message IDs, session IDs, and flow_id values without verifying that the referenced resource belongs to the requesting user. A remote user can send crafted requests referencing another user's resource identifiers to read, modify, and delete that user's monitor data.

This affects seven endpoints covering messages, sessions, build artifacts, and LLM transaction logs, and is exploitable in multi-user deployments.
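The following is an added illustration, not Langflow's code: a minimal in-memory model of the pattern the advisory describes, with a monitor lookup that trusts the caller-supplied message ID beside one that scopes the row to flows the caller owns. Class and function names and the sample data are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Message:
    id: str
    flow_id: str
    session_id: str
    text: str


@dataclass
class MonitorStore:
    flow_owner: Dict[str, str]      # flow_id -> owning user_id
    messages: Dict[str, Message]    # message_id -> row


# Constructed sample data: two users, each owning one flow with one message.
STORE = MonitorStore(
    flow_owner={"flow-a": "alice", "flow-b": "bob"},
    messages={
        "m1": Message("m1", "flow-a", "sess-1", "alice's prompt"),
        "m2": Message("m2", "flow-b", "sess-2", "bob's prompt"),
    },
)


def owner_of(store: MonitorStore, msg: Message) -> Optional[str]:
    """Ownership is derived from the flow the message belongs to."""
    return store.flow_owner.get(msg.flow_id)


def get_message_vulnerable(store: MonitorStore, message_id: str, current_user: str) -> Message:
    """CWE-639 pattern: the row is selected by the caller-supplied key alone."""
    msg = store.messages.get(message_id)
    if msg is None:
        raise KeyError(message_id)
    return msg  # current_user is never consulted


def get_message_fixed(store: MonitorStore, message_id: str, current_user: str) -> Message:
    """Same lookup, but the row must belong to a flow the caller owns."""
    msg = store.messages.get(message_id)
    # Treat a foreign id exactly like a missing one, so the response does not
    # reveal whether another user's identifier exists.
    if msg is None or owner_of(store, msg) != current_user:
        raise KeyError(message_id)
    return msg


def delete_session_fixed(store: MonitorStore, session_id: str, current_user: str) -> int:
    """Deletes only the caller's messages in a session; returns the number removed."""
    victims = [mid for mid, m in store.messages.items()
               if m.session_id == session_id and owner_of(store, m) == current_user]
    for mid in victims:
        del store.messages[mid]
    return len(victims)
```

The same owner filter belongs in every query that takes a message, session or flow identifier from the request, not only in the read path.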


How to mitigate CVE-2026-33760

Install the security update from the vendor's website.

Sources