Authentication Bypass in Langflow Tool Affecting User API Key Management
CVE-2026-33053

6.1 MEDIUM

Key Information:

CVE Published:
20 March 2026

What is CVE-2026-33053?

Langflow, a tool for building AI-powered agents and workflows, has an authorization flaw in its API key management. In versions before 1.9.0, the delete_api_key_route() endpoint deletes an API key after nothing more than an authentication check, performed through the get_current_active_user dependency: it confirms that the caller is a logged-in, active user, but it never verifies that the key being deleted belongs to that user. Any authenticated user who can supply another user's key identifier can therefore delete that key, a classic insecure direct object reference on the key ID. The impact is to integrity and availability rather than confidentiality: the victim's key is revoked without their knowledge and any workflow or integration that relied on it stops working, while no key material is disclosed.
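The gap described above, and the ownership check that closes it, as an added example. This is illustrative code written for this page, not Langflow's own route implementation: the in-memory KeyStore, the two sample users and keys, and the function names are all hypothetical, and the route logic is reduced to plain functions so it runs without a web framework.

```python
"""Missing-ownership-check on API key deletion: vulnerable vs. fixed handler.

Added example; hypothetical store and data, not Langflow's code.
"""
from dataclasses import dataclass, field


@dataclass
class ApiKey:
    id: str
    user_id: str   # owner of the key
    name: str


@dataclass
class KeyStore:
    # Hypothetical in-memory replacement for the database table.
    keys: dict = field(default_factory=dict)

    def get(self, key_id: str):
        return self.keys.get(key_id)

    def delete(self, key_id: str) -> None:
        del self.keys[key_id]


class NotFound(Exception):
    """Stands in for an HTTP 404 response."""


def delete_api_key_vulnerable(store: KeyStore, current_user_id: str, key_id: str) -> dict:
    """Pre-1.9.0 pattern: the caller is authenticated (current_user_id is the
    result of a get_current_active_user-style dependency), but the key's
    owner is never compared with the caller, so any key can be deleted."""
    key = store.get(key_id)
    if key is None:
        raise NotFound(key_id)
    store.delete(key_id)          # no check that key.user_id == current_user_id
    return {"detail": "API key deleted"}


def delete_api_key_fixed(store: KeyStore, current_user_id: str, key_id: str) -> dict:
    """Fixed pattern: the key must exist AND be owned by the caller. A key that
    exists but belongs to someone else is reported exactly like a missing key,
    so the endpoint does not reveal which key IDs exist."""
    key = store.get(key_id)
    if key is None or key.user_id != current_user_id:
        raise NotFound(key_id)
    store.delete(key_id)
    return {"detail": "API key deleted"}


def sample_store() -> KeyStore:
    # Constructed sample data: two users, one key each.
    store = KeyStore()
    store.keys["k-alice"] = ApiKey("k-alice", "alice", "ci-pipeline")
    store.keys["k-bob"] = ApiKey("k-bob", "bob", "prod-agent")
    return store


def demo() -> tuple:
    """Returns (vulnerable_deleted_other_users_key, fixed_refused_other_users_key,
    fixed_allowed_own_key)."""
    # 1. Vulnerable handler: alice deletes bob's key.
    store = sample_store()
    delete_api_key_vulnerable(store, "alice", "k-bob")
    vulnerable_deleted = "k-bob" not in store.keys

    # 2. Fixed handler: the same request is refused and bob's key survives.
    store = sample_store()
    try:
        delete_api_key_fixed(store, "alice", "k-bob")
        fixed_refused = False
    except NotFound:
        fixed_refused = "k-bob" in store.keys

    # 3. Fixed handler still lets alice delete her own key.
    delete_api_key_fixed(store, "alice", "k-alice")
    fixed_allowed_own = "k-alice" not in store.keys

    return vulnerable_deleted, fixed_refused, fixed_allowed_own


if __name__ == "__main__":
    print(demo())
```

In a real ORM-backed route the same fix is usually expressed in the query itself, selecting the key by both its ID and the authenticated user's ID, so that there is no window in which a handler holds a record it is not allowed to act on. The point that carries over is that authentication (who is calling) is not authorization (may this caller touch this object), and every object-scoped endpoint needs the second check.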

Affected Version(s)

langflow < 1.9.0

CVSS V4

Score: 6.1
Severity: MEDIUM
Confidentiality: None
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: Physical (as recorded)
Privileges Required: Undefined (as recorded)
User Interaction: None

The last two values are reproduced as they appear in the source record. CVSS v4 defines Attack Requirements as None or Present and Privileges Required as None, Low or High, so "Physical" and "Undefined" are not valid values for those metrics; confirm them against the vendor advisory or the NVD entry before relying on this breakdown. The impact metrics are consistent with the description: no confidentiality loss, but deleted keys break the integrity and availability of whatever depended on them.

Timeline

  • Vulnerability published: 20 March 2026

  • Vulnerability reserved