Authentication Bypass Vulnerability in Langflow Image Endpoint
CVE-2026-33484
7.5HIGH
What is CVE-2026-33484?
Langflow, a platform for creating AI-driven agents and workflows, has a security vulnerability in its /api/v1/files/images/{flow_id}/{file_name} endpoint. Versions 1.0.0 to 1.8.1 lack proper authentication and ownership checks, enabling attackers to access images uploaded by other users. By simply knowing a valid flow_id and file_name, an unauthorized user can download sensitive images, posing a significant risk to data privacy in multi-tenant environments. This issue has been addressed in version 1.9.0 with necessary patches to enhance security.
Affected Version(s)
langflow >= 1.0.0, < 1.9.0
References
EPSS Score
5% chance of being exploited in the next 30 days.
CVSS V3.1
Score:
7.5
Severity:
HIGH
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged
Timeline
Vulnerability published
Vulnerability Reserved
