CVE-2024-7297 — HIGH (CVSS 8.8) AI Security Vulnerability

CISO Take

Any authenticated Langflow user can elevate themselves to super admin by injecting role fields into the /api/v1/users API endpoint — no special knowledge required. This gives full control over all flows, stored LLM API keys, and connected AI services. Upgrade to Langflow 1.0.13 immediately and audit existing user roles for unauthorized escalation.

Risk Assessment

HIGH. CVSS 8.8 with network-accessible attack vector, low complexity, and no user interaction makes this trivially exploitable. Langflow is commonly deployed in enterprise AI development environments with access to sensitive LLM API keys, data pipelines, and agentic workflows. Super admin compromise translates directly to full platform takeover with no forensic friction — the attacker simply sends a crafted HTTP request.

Affected Systems

Package	Ecosystem	Vulnerable Range	Patched
langflow	pip	—	No patch
147.6K Pushed 6d ago 32% patched ~53d to patch Full package profile →

Do you use langflow? You're affected.

Severity & Risk

CVSS 3.1

8.8 / 10

EPSS

0.3%

chance of exploitation in 30 days

Higher than 49% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

Exploit Available

Exploitation: MEDIUM

Sophistication

Trivial

Exploitation Confidence

medium

○ CISA SSVC: Public PoC

○ Public PoC indexed (trickest/cve)

Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV Network

AC Low

PR Low

UI None

S Unchanged

C High

I High

A High

Recommended Action

5 steps

PATCH

Upgrade to Langflow 1.0.13 or later immediately — this is the only complete fix.
AUDIT

Query the database or admin panel for all accounts with super admin or elevated roles; flag any unexpected promotions since deployment.
NETWORK

If patching is delayed, restrict access to /api/v1/users endpoint via WAF or reverse proxy rule (block PATCH/PUT from non-admin source IPs).
ROTATE

After patching, rotate all API keys stored in Langflow — LLM providers, vector DBs, and any external integrations.
DETECT

Enable and monitor Langflow audit logs for unexpected role change events; alert on any privilege escalation activity.

CISA SSVC Assessment

Decision Attend

Exploitation poc

Automatable No

Technical Impact total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Auth Bypass Code Execution Framework Agent AML.T0012 - Valid Accounts AML.T0025 - Exfiltration via Cyber Means AML.T0049 - Exploit Public-Facing Application AML.T0053 - AI Agent Tool Invocation

Compliance Impact

This CVE is relevant to:

EU AI Act

Article 15 - Accuracy, robustness and cybersecurity

ISO 42001

A.6.1.2 - AI system roles and responsibilities

NIST AI RMF

MANAGE-2.2 - Mechanisms to sustain the value of AI through risk treatment

OWASP LLM Top 10

LLM07 - Insecure Plugin Design

Frequently Asked Questions

What is CVE-2024-7297?

Any authenticated Langflow user can elevate themselves to super admin by injecting role fields into the /api/v1/users API endpoint — no special knowledge required. This gives full control over all flows, stored LLM API keys, and connected AI services. Upgrade to Langflow 1.0.13 immediately and audit existing user roles for unauthorized escalation.

Is CVE-2024-7297 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2024-7297, increasing the risk of exploitation.

How to fix CVE-2024-7297?

1. PATCH: Upgrade to Langflow 1.0.13 or later immediately — this is the only complete fix. 2. AUDIT: Query the database or admin panel for all accounts with super admin or elevated roles; flag any unexpected promotions since deployment. 3. NETWORK: If patching is delayed, restrict access to /api/v1/users endpoint via WAF or reverse proxy rule (block PATCH/PUT from non-admin source IPs). 4. ROTATE: After patching, rotate all API keys stored in Langflow — LLM providers, vector DBs, and any external integrations. 5. DETECT: Enable and monitor Langflow audit logs for unexpected role change events; alert on any privilege escalation activity.

What systems are affected by CVE-2024-7297?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, LLM orchestration platforms, RAG pipelines, AI development environments, multi-agent systems.

What is the CVSS score for CVE-2024-7297?

CVE-2024-7297 has a CVSS v3.1 base score of 8.8 (HIGH). The EPSS exploitation probability is 0.26%.

Technical Details

NVD Description

Langflow versions prior to 1.0.13 suffer from a Privilege Escalation vulnerability, allowing a remote and low privileged attacker to gain super admin privileges by performing a mass assignment request on the '/api/v1/users' endpoint.

Exploitation Scenario

An attacker registers or compromises a standard user account on a Langflow instance. They send a PATCH request to /api/v1/users/{user_id} with a JSON body containing an extra field such as 'is_superuser: true' or 'role: superadmin'. Due to missing mass assignment protection, the API binds all request fields directly to the user model and saves the elevated role. The attacker now has super admin access: they can extract all stored LLM API keys from flow configurations, modify existing production flows to exfiltrate processed data, inject malicious steps into AI pipelines affecting downstream users, or pivot to connected vector databases and external services using harvested credentials.