CVE-2026-21445 — CRITICAL (CVSS 9.1) AI Security Vulnerability

CISO Take

Any Langflow instance with internet exposure is effectively open to the public — unauthenticated attackers can read all user conversations, transaction histories, and delete messages with standard HTTP requests. Patch to langflow 1.7.1 / langflow-base 0.7.1 immediately, or isolate behind a VPN/firewall with zero public access. Treat all conversation data from affected deployments as potentially exfiltrated.

Affected Systems

Package	Ecosystem	Vulnerable Range	Patched
langflow	pip	<= 1.7.0.dev44	`1.7.1`
langflow	pip	—	No patch
langflow-base	pip	<= 0.6.9	`0.7.1`

Severity & Risk

CVSS 3.1

9.1 / 10

EPSS

0.1%

chance of exploitation in 30 days

KEV Status

Not in KEV

Sophistication

Trivial

Recommended Action

1) Patch: upgrade langflow to >= 1.7.1 and langflow-base to >= 0.7.1. Commit 3fed9fe1b5658f2c8656dbd73508e113a96e486a contains the fix. 2) If immediate patching is not possible: block external access to all Langflow API endpoints at the firewall/WAF layer; restrict to internal network or VPN only. 3) Audit access logs for the vulnerable window — look for unauthenticated HTTP requests to conversation, message, and transaction endpoints. 4) Treat all conversation data from potentially-exposed instances as compromised — notify affected users if PII or sensitive business data was processed. 5) Inventory downstream applications built on langflow-base and validate they are on a patched version.

Classification

Auth Bypass Data Extraction Privacy Violation Framework Agent API AML.T0025 - Exfiltration via Cyber Means AML.T0036 - Data from Information Repositories AML.T0040 - AI Model Inference API Access AML.T0049 - Exploit Public-Facing Application AML.T0057 - LLM Data Leakage AML.T0085 - Data from AI Services AML.T0101 - Data Destruction via AI Agent Tool Invocation

Compliance Impact

This CVE is relevant to:

EU AI Act

Art. 15 - Accuracy, robustness and cybersecurity Article 15 - Accuracy, robustness and cybersecurity

ISO 42001

A.6.2 - AI system access control A.9.2 - Access control for AI systems

NIST AI RMF

GOVERN 1.1 - AI risk management policies and accountability MANAGE 2.2 - Mechanisms to address data risks in AI systems

OWASP LLM Top 10

LLM02 - Sensitive Information Disclosure LLM06 - Sensitive Information Disclosure

Technical Details

NVD Description

Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to version 1.7.0.dev45, multiple critical API endpoints in Langflow are missing authentication controls. The issue allows any unauthenticated user to access sensitive user conversation data, transaction histories, and perform destructive operations including message deletion. This affects endpoints handling personal data and system operations that should require proper authorization. Version 1.7.0.dev45 contains a patch.

Exploitation Scenario

An attacker discovers a publicly-accessible Langflow instance via Shodan, Censys, or direct knowledge of a target deployment. Without any credentials, they enumerate conversation API endpoints documented in the Langflow GitHub advisory (GHSA-c5cp-vx83-jhqx), extracting all user IDs and pulling complete conversation histories — including LLM prompts, agent tool invocations, any API keys or credentials mentioned in context, and business-sensitive workflows. If the deployment powers a customer-facing AI assistant, the attacker gains full visibility into all user sessions. As a secondary action, they delete conversation records to destroy forensic evidence. The entire attack chain requires no AI expertise — only basic HTTP tooling and knowledge of the endpoint structure.

Weaknesses (CWE)

CWE-306 Primary CWE-306 Missing Authentication for Critical Function Primary

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

References

Timeline

Published

January 2, 2026

Last Modified

January 16, 2026

First Seen

January 2, 2026