Authentication Bypass Vulnerability in Langflow Image Endpoint
CVE-2026-33484

7.5HIGH

Key Information:

Vendor: Langflow-ai
Status: Langflow
Vendor: CVE Published:; 24 March 2026

🔔 Create Langflow-ai Vulnerability Alert

What is CVE-2026-33484?

Langflow, a platform for creating AI-driven agents and workflows, has a security vulnerability in its /api/v1/files/images/{flow_id}/{file_name} endpoint. Versions 1.0.0 to 1.8.1 lack proper authentication and ownership checks, enabling attackers to access images uploaded by other users. By simply knowing a valid flow_id and file_name, an unauthorized user can download sensitive images, posing a significant risk to data privacy in multi-tenant environments. This issue has been addressed in version 1.9.0 with necessary patches to enhance security.

Affected Version(s)

langflow >= 1.0.0, < 1.9.0

References

https://github.com/langflow-ai/langflow/security/advisori...

x_refsource_CONFIRM

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Mar 24, 2026
Vulnerability Reserved
Mar 20, 2026

CVE-2026-33484 Data

JSON