CVE-2026-21445: Langflow Missing Auth

CISO Take

Any Langflow instance with internet exposure is effectively open to the public — unauthenticated attackers can read all user conversations, transaction histories, and delete messages with standard HTTP requests. Patch to langflow 1.7.1 / langflow-base 0.7.1 immediately, or isolate behind a VPN/firewall with zero public access. Treat all conversation data from affected deployments as potentially exfiltrated.

What is the risk?

Critical risk for any organization running Langflow with external access. CVSS 9.1 with no authentication, no user interaction, and low complexity means exploitation requires no specialized skill. While EPSS (0.00072) is low, that reflects detection lag for newer CVEs — not actual risk. AI workflow data is high-value: conversations routinely contain business logic, internal data, and credentials passed as context. The attack surface is wide given Langflow's growth as a popular LLM orchestration platform.

What systems are affected?

Package	Ecosystem	Vulnerable Range	Patched
Langflow	pip	—	No patch
149.9K Pushed 2d ago 40% patched ~67d to patch Full package profile →
Langflow	pip	<= 1.7.0.dev44	`1.7.1`
149.9K Pushed 2d ago 40% patched ~67d to patch Full package profile →
Langflow	pip	<= 0.6.9	`0.7.1`
149.9K Pushed 2d ago 40% patched ~67d to patch Full package profile →

How severe is it?

CVSS 3.1

9.1 / 10

EPSS

21.3%

chance of exploitation in 30 days

Higher than 97% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

Exploit Available

Exploitation: MEDIUM

Sophistication

Trivial

Exploitation Confidence

medium

✓ VulnCheck KEV (exploitation reported — broader/earlier than CISA) — Apr 2026

○ Public PoC indexed (trickest/cve)

○ Nuclei detection template available

○ EPSS exploit prediction: 21%

Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

AV Network

AC Low

PR None

UI None

S Unchanged

C High

I High

A None

What should I do?

1 step

1) Patch: upgrade langflow to >= 1.7.1 and langflow-base to >= 0.7.1. Commit 3fed9fe1b5658f2c8656dbd73508e113a96e486a contains the fix. 2) If immediate patching is not possible: block external access to all Langflow API endpoints at the firewall/WAF layer; restrict to internal network or VPN only. 3) Audit access logs for the vulnerable window — look for unauthenticated HTTP requests to conversation, message, and transaction endpoints. 4) Treat all conversation data from potentially-exposed instances as compromised — notify affected users if PII or sensitive business data was processed. 5) Inventory downstream applications built on langflow-base and validate they are on a patched version.

What does CISA's SSVC say?

Decision Track*

Exploitation none

Automatable Yes

Technical Impact total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Auth Bypass Data Extraction Privacy Violation Framework Agent API AML.T0025 - Exfiltration via Cyber Means AML.T0036 - Data from Information Repositories AML.T0040 - AI Model Inference API Access AML.T0049 - Exploit Public-Facing Application AML.T0057 - LLM Data Leakage AML.T0085 - Data from AI Services AML.T0101 - Data Destruction via AI Agent Tool Invocation

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act

Art. 15 - Accuracy, robustness and cybersecurity Article 15 - Accuracy, robustness and cybersecurity

ISO 42001

A.6.2 - AI system access control A.9.2 - Access control for AI systems

NIST AI RMF

GOVERN 1.1 - AI risk management policies and accountability MANAGE 2.2 - Mechanisms to address data risks in AI systems

OWASP LLM Top 10

LLM02 - Sensitive Information Disclosure LLM06 - Sensitive Information Disclosure

Frequently Asked Questions

What is CVE-2026-21445?

Any Langflow instance with internet exposure is effectively open to the public — unauthenticated attackers can read all user conversations, transaction histories, and delete messages with standard HTTP requests. Patch to langflow 1.7.1 / langflow-base 0.7.1 immediately, or isolate behind a VPN/firewall with zero public access. Treat all conversation data from affected deployments as potentially exfiltrated.

Is CVE-2026-21445 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2026-21445, increasing the risk of exploitation.

How to fix CVE-2026-21445?

1) Patch: upgrade langflow to >= 1.7.1 and langflow-base to >= 0.7.1. Commit 3fed9fe1b5658f2c8656dbd73508e113a96e486a contains the fix. 2) If immediate patching is not possible: block external access to all Langflow API endpoints at the firewall/WAF layer; restrict to internal network or VPN only. 3) Audit access logs for the vulnerable window — look for unauthenticated HTTP requests to conversation, message, and transaction endpoints. 4) Treat all conversation data from potentially-exposed instances as compromised — notify affected users if PII or sensitive business data was processed. 5) Inventory downstream applications built on langflow-base and validate they are on a patched version.

What systems are affected by CVE-2026-21445?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, LLM orchestration platforms, API, RAG pipelines.

What is the CVSS score for CVE-2026-21445?

CVE-2026-21445 has a CVSS v3.1 base score of 9.1 (CRITICAL). The EPSS exploitation probability is 21.26%.

What is the AI security impact?

Affected AI Architectures

agent frameworksLLM orchestration platformsAPIRAG pipelines

MITRE ATLAS Techniques

AML.T0025 Exfiltration via Cyber Means

AML.T0036 Data from Information Repositories

AML.T0040 AI Model Inference API Access

AML.T0049 Exploit Public-Facing Application

AML.T0057 LLM Data Leakage

AML.T0085 Data from AI Services

AML.T0101 Data Destruction via AI Agent Tool Invocation

Compliance Controls Affected

EU AI Act: Art. 15, Article 15

ISO 42001: A.6.2, A.9.2

NIST AI RMF: GOVERN 1.1, MANAGE 2.2

OWASP LLM Top 10: LLM02, LLM06

What are the technical details?

Original Advisory

Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to version 1.7.0.dev45, multiple critical API endpoints in Langflow are missing authentication controls. The issue allows any unauthenticated user to access sensitive user conversation data, transaction histories, and perform destructive operations including message deletion. This affects endpoints handling personal data and system operations that should require proper authorization. Version 1.7.0.dev45 contains a patch.

Exploitation Scenario

An attacker discovers a publicly-accessible Langflow instance via Shodan, Censys, or direct knowledge of a target deployment. Without any credentials, they enumerate conversation API endpoints documented in the Langflow GitHub advisory (GHSA-c5cp-vx83-jhqx), extracting all user IDs and pulling complete conversation histories — including LLM prompts, agent tool invocations, any API keys or credentials mentioned in context, and business-sensitive workflows. If the deployment powers a customer-facing AI assistant, the attacker gains full visibility into all user sessions. As a secondary action, they delete conversation records to destroy forensic evidence. The entire attack chain requires no AI expertise — only basic HTTP tooling and knowledge of the endpoint structure.

Weaknesses (CWE)

CWE-306 Missing Authentication for Critical Function Primary CWE-306 Missing Authentication for Critical Function Primary

CWE-306 — Missing Authentication for Critical Function: The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.

[Architecture and Design] Divide the software into anonymous, normal, privileged, and administrative areas. Identify which of these areas require a proven user identity, and use a centralized authentication capability. Identify all potential communication channels, or other means of interaction with the software, to ensure that all channels are appropriately protected, including those channels that are assumed to be accessible only by authorized parties. Developers sometimes perform authentication at the primary channel, but open up a secondary channel that is assumed to be private. For example, a login mechanism may be listening on one network port, but after successful authentication, it may open up a second port where it waits for the connection, but avoids authentication because it assumes that only the authenticated party will connect to the port. In general, if the software or protocol allows a single session or user state to persist across multiple connections or channels, authentication and appropriate
[Architecture and Design] For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.

Source: MITRE CWE corpus.