CVE-2024-7297: Langflow: mass assignment grants super admin access

HIGH | PoC AVAILABLE | CISA: ATTEND
Published July 30, 2024
CISO Take

Any authenticated Langflow user can elevate themselves to super admin by injecting role fields into the /api/v1/users API endpoint — no special knowledge required. This gives full control over all flows, stored LLM API keys, and connected AI services. Upgrade to Langflow 1.0.13 immediately and audit existing user roles for unauthorized escalation.

What is the risk?

HIGH. CVSS 8.8 with network-accessible attack vector, low complexity, and no user interaction makes this trivially exploitable. Langflow is commonly deployed in enterprise AI development environments with access to sensitive LLM API keys, data pipelines, and agentic workflows. Super admin compromise translates directly to full platform takeover with no forensic friction — the attacker simply sends a crafted HTTP request.

What systems are affected?

Package | Ecosystem | Vulnerable Range | Patched
Langflow | pip | | No patch

Do you use Langflow? You're affected.

How severe is it?

CVSS 3.1: 8.8 / 10
EPSS: 21.3% chance of exploitation in 30 days (higher than 97% of all CVEs)
Exploitation Status: Exploit Available
Exploitation: MEDIUM
Sophistication: Trivial
Exploitation Confidence: medium
CISA SSVC: Public PoC
Public PoC indexed (trickest/cve)
EPSS exploit prediction: 21%
Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

AV: Network
AC: Low
PR: Low
UI: None
S: Unchanged
C: High
I: High
A: High

What should I do?

5 steps
  1. PATCH

    Upgrade to Langflow 1.0.13 or later immediately — this is the only complete fix.

  2. AUDIT

    Query the database or admin panel for all accounts with super admin or elevated roles; flag any unexpected promotions since deployment.

  3. NETWORK

    If patching is delayed, restrict access to the /api/v1/users endpoint with a WAF or reverse proxy rule (block PATCH/PUT from non-admin source IPs).

  4. ROTATE

    After patching, rotate all API keys stored in Langflow — LLM providers, vector DBs, and any external integrations.

  5. DETECT

    Enable and monitor Langflow audit logs for unexpected role change events; alert on any privilege escalation activity.

What does CISA's SSVC say?

Decision: Attend
Exploitation: poc
Automatable: No
Technical Impact: total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, robustness and cybersecurity
ISO 42001
A.6.1.2 - AI system roles and responsibilities
NIST AI RMF
MANAGE-2.2 - Mechanisms to sustain the value of AI through risk treatment
OWASP LLM Top 10
LLM07 - Insecure Plugin Design

Frequently Asked Questions

Is CVE-2024-7297 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2024-7297, increasing the risk of exploitation.

What systems are affected by CVE-2024-7297?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, LLM orchestration platforms, RAG pipelines, AI development environments, multi-agent systems.

What is the CVSS score for CVE-2024-7297?

CVE-2024-7297 has a CVSS v3.1 base score of 8.8 (HIGH). The EPSS exploitation probability is 21.35%.

What is the AI security impact?

Affected AI Architectures

agent frameworks, LLM orchestration platforms, RAG pipelines, AI development environments, multi-agent systems

MITRE ATLAS Techniques

AML.T0012 Valid Accounts
AML.T0025 Exfiltration via Cyber Means
AML.T0049 Exploit Public-Facing Application
AML.T0053 AI Agent Tool Invocation

Compliance Controls Affected

EU AI Act: Article 15
ISO 42001: A.6.1.2
NIST AI RMF: MANAGE-2.2
OWASP LLM Top 10: LLM07

What are the technical details?

Original Advisory

Langflow versions prior to 1.0.13 suffer from a Privilege Escalation vulnerability, allowing a remote and low privileged attacker to gain super admin privileges by performing a mass assignment request on the '/api/v1/users' endpoint.

Exploitation Scenario

An attacker registers or compromises a standard user account on a Langflow instance. They send a PATCH request to /api/v1/users/{user_id} with a JSON body containing an extra field such as 'is_superuser: true' or 'role: superadmin'. Due to missing mass assignment protection, the API binds all request fields directly to the user model and saves the elevated role. The attacker now has super admin access: they can extract all stored LLM API keys from flow configurations, modify existing production flows to exfiltrate processed data, inject malicious steps into AI pipelines affecting downstream users, or pivot to connected vector databases and external services using harvested credentials.

Weaknesses (CWE)

CWE-913 — Improper Control of Dynamically-Managed Code Resources: The product does not properly restrict reading from or writing to dynamically-managed code resources such as variables, objects, classes, attributes, functions, or executable instructions or statements.

  • [Implementation] For any externally-influenced input, check the input against an allowlist of acceptable values.
  • [Implementation, Architecture and Design] Refactor the code so that it does not need to be dynamically managed.

Source: MITRE CWE corpus.
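
The mass assignment pattern from the exploitation scenario, next to the allowlist mitigation listed under CWE-913, as an added example that is not Langflow's code. The `User` model, its field names, the `Forbidden` exception and the split between self-editable and admin-only fields are all assumptions made for illustration.

```python
from dataclasses import dataclass


@dataclass
class User:  # hypothetical model, not Langflow's schema
    id: int
    username: str
    password_hash: str
    profile_image: str = ""
    is_active: bool = True
    is_superuser: bool = False


# Assumed policy: fields a caller may change on their own account.
SELF_EDITABLE = frozenset({"username", "profile_image"})
# Assumed policy: fields only an existing superuser may set.
ADMIN_EDITABLE = frozenset({"is_active", "is_superuser"})


class Forbidden(Exception):
    """Raised when the caller is not allowed to make the requested change."""


def update_user_vulnerable(target: User, body: dict) -> User:
    """Mass assignment: every client-supplied key is bound to the model."""
    for key, value in body.items():
        if hasattr(target, key):
            setattr(target, key, value)  # is_superuser is writable by anyone
    return target


def update_user_hardened(actor: User, target: User, body: dict) -> User:
    """Bind only allowlisted fields, chosen by the caller's current role."""
    if actor.id != target.id and not actor.is_superuser:
        raise Forbidden("cannot modify another user's account")
    allowed = SELF_EDITABLE | (ADMIN_EDITABLE if actor.is_superuser else frozenset())
    rejected = sorted(set(body) - allowed)
    if rejected:
        # Fail closed before touching the model; the caller can log this
        # as a privilege escalation attempt.
        raise Forbidden(f"fields not permitted for this caller: {rejected}")
    for key, value in body.items():
        setattr(target, key, value)
    return target
```

Rejecting the whole request, rather than silently dropping the extra fields, leaves a record that the DETECT step can alert on.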

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Timeline

Published: July 30, 2024
Last Modified: June 24, 2025
First Seen: July 30, 2024
