CVE-2026-21445 — CRITICAL (CVSS 9.1) AI Security Vulnerability

CISO Take

Any Langflow instance with internet exposure is effectively open to the public — unauthenticated attackers can read all user conversations, transaction histories, and delete messages with standard HTTP requests. Patch to langflow 1.7.1 / langflow-base 0.7.1 immediately, or isolate behind a VPN/firewall with zero public access. Treat all conversation data from affected deployments as potentially exfiltrated.

Risk Assessment

Critical risk for any organization running Langflow with external access. CVSS 9.1 with no authentication, no user interaction, and low complexity means exploitation requires no specialized skill. While EPSS (0.00072) is low, that reflects detection lag for newer CVEs — not actual risk. AI workflow data is high-value: conversations routinely contain business logic, internal data, and credentials passed as context. The attack surface is wide given Langflow's growth as a popular LLM orchestration platform.

Affected Systems

Package	Ecosystem	Vulnerable Range	Patched
langflow	pip	—	No patch
147.6K Pushed 6d ago 32% patched ~53d to patch Full package profile →
langflow	pip	<= 1.7.0.dev44	`1.7.1`
147.6K Pushed 6d ago 32% patched ~53d to patch Full package profile →
langflow-base	pip	<= 0.6.9	`0.7.1`
147.6K Pushed 6d ago 32% patched ~53d to patch Full package profile →

Severity & Risk

CVSS 3.1

9.1 / 10

EPSS

11.0%

chance of exploitation in 30 days

Higher than 93% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

Exploit Available

Exploitation: MEDIUM

Sophistication

Trivial

Exploitation Confidence

medium

○ Public PoC indexed (trickest/cve)

○ Nuclei detection template available

○ EPSS exploit prediction: 11%

Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV Network

AC Low

PR None

UI None

S Unchanged

C High

I High

A None

Recommended Action

1 step

1) Patch: upgrade langflow to >= 1.7.1 and langflow-base to >= 0.7.1. Commit 3fed9fe1b5658f2c8656dbd73508e113a96e486a contains the fix. 2) If immediate patching is not possible: block external access to all Langflow API endpoints at the firewall/WAF layer; restrict to internal network or VPN only. 3) Audit access logs for the vulnerable window — look for unauthenticated HTTP requests to conversation, message, and transaction endpoints. 4) Treat all conversation data from potentially-exposed instances as compromised — notify affected users if PII or sensitive business data was processed. 5) Inventory downstream applications built on langflow-base and validate they are on a patched version.

CISA SSVC Assessment

Decision Track*

Exploitation none

Automatable Yes

Technical Impact total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Auth Bypass Data Extraction Privacy Violation Framework Agent API AML.T0025 - Exfiltration via Cyber Means AML.T0036 - Data from Information Repositories AML.T0040 - AI Model Inference API Access AML.T0049 - Exploit Public-Facing Application AML.T0057 - LLM Data Leakage AML.T0085 - Data from AI Services AML.T0101 - Data Destruction via AI Agent Tool Invocation

Compliance Impact

This CVE is relevant to:

EU AI Act

Art. 15 - Accuracy, robustness and cybersecurity Article 15 - Accuracy, robustness and cybersecurity

ISO 42001

A.6.2 - AI system access control A.9.2 - Access control for AI systems

NIST AI RMF

GOVERN 1.1 - AI risk management policies and accountability MANAGE 2.2 - Mechanisms to address data risks in AI systems

OWASP LLM Top 10

LLM02 - Sensitive Information Disclosure LLM06 - Sensitive Information Disclosure

Frequently Asked Questions

What is CVE-2026-21445?

Any Langflow instance with internet exposure is effectively open to the public — unauthenticated attackers can read all user conversations, transaction histories, and delete messages with standard HTTP requests. Patch to langflow 1.7.1 / langflow-base 0.7.1 immediately, or isolate behind a VPN/firewall with zero public access. Treat all conversation data from affected deployments as potentially exfiltrated.

Is CVE-2026-21445 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2026-21445, increasing the risk of exploitation.

How to fix CVE-2026-21445?

1) Patch: upgrade langflow to >= 1.7.1 and langflow-base to >= 0.7.1. Commit 3fed9fe1b5658f2c8656dbd73508e113a96e486a contains the fix. 2) If immediate patching is not possible: block external access to all Langflow API endpoints at the firewall/WAF layer; restrict to internal network or VPN only. 3) Audit access logs for the vulnerable window — look for unauthenticated HTTP requests to conversation, message, and transaction endpoints. 4) Treat all conversation data from potentially-exposed instances as compromised — notify affected users if PII or sensitive business data was processed. 5) Inventory downstream applications built on langflow-base and validate they are on a patched version.

What systems are affected by CVE-2026-21445?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, LLM orchestration platforms, API, RAG pipelines.

What is the CVSS score for CVE-2026-21445?

CVE-2026-21445 has a CVSS v3.1 base score of 9.1 (CRITICAL). The EPSS exploitation probability is 11.04%.

Technical Details

NVD Description

Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to version 1.7.0.dev45, multiple critical API endpoints in Langflow are missing authentication controls. The issue allows any unauthenticated user to access sensitive user conversation data, transaction histories, and perform destructive operations including message deletion. This affects endpoints handling personal data and system operations that should require proper authorization. Version 1.7.0.dev45 contains a patch.

Exploitation Scenario

An attacker discovers a publicly-accessible Langflow instance via Shodan, Censys, or direct knowledge of a target deployment. Without any credentials, they enumerate conversation API endpoints documented in the Langflow GitHub advisory (GHSA-c5cp-vx83-jhqx), extracting all user IDs and pulling complete conversation histories — including LLM prompts, agent tool invocations, any API keys or credentials mentioned in context, and business-sensitive workflows. If the deployment powers a customer-facing AI assistant, the attacker gains full visibility into all user sessions. As a secondary action, they delete conversation records to destroy forensic evidence. The entire attack chain requires no AI expertise — only basic HTTP tooling and knowledge of the endpoint structure.