Insufficient Session Expiration in Langflow - CVE-2026-55423

Published: June 19, 2026


Vulnerability identifier: #VU134970
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-55423
CWE-ID: CWE-613
Exploitation vector: Local access
Exploit availability: No public exploit available
Vendor: Langflow
Affected software:
Langflow

Detailed vulnerability description

The vulnerability allows an attacker with physical access to a shared system to regain a previous user's session after that user has logged out.

The vulnerability exists because the logout endpoint and the frontend logout routine do not invalidate or remove the session's authentication material when processing a logout request. Authentication tokens remain in the browser's local storage and in cookies after logout, so the application reloads them on the next page load. An attacker who sits down at a shared system after the victim has logged out can simply refresh the application and be returned to the previous user's authenticated session.

The issue occurs when auto login mode is disabled and the application is hosted on localhost.


How to mitigate CVE-2026-55423

Install the security update from the vendor's website. Until the update is applied, users of shared systems should clear the site's local storage and cookies (or close the browser session entirely) after logging out, since logging out on its own does not remove the tokens.

Sources