CVE-2026-33053 — HIGH (CVSS 8.8) AI Security Vulnerability

Q: Is CVE-2026-33053 actively exploited?

No confirmed active exploitation of CVE-2026-33053 has been reported, but organizations should still patch proactively.

Q: How to fix CVE-2026-33053?

1. PATCH: Upgrade Langflow to version 1.9.0 immediately — this is the only complete fix. 2. DETECT: Audit logs for DELETE requests to /api/v1/api_keys/{id} (or equivalent) where the requesting user does not own the key_id. Look for patterns of bulk deletions or deletions of keys belonging to privileged accounts. 3. WORKAROUND (if patching is delayed): Restrict Langflow access to trusted users only via network controls; disable self-service API key management if not essential. 4. ROTATE: After patching, rotate all API keys as a precaution — you cannot rule out exploitation prior to the patch. 5. MONITOR: Enable alerting on API key deletion events across all Langflow instances.

Q: What systems are affected by CVE-2026-33053?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, LLM orchestration platforms, AI workflow builders, multi-tenant AI development platforms.

Q: What is the CVSS score for CVE-2026-33053?

CVE-2026-33053 has a CVSS v3.1 base score of 8.8 (HIGH). The EPSS exploitation probability is 0.03%.

CISO Take

Any authenticated Langflow user can delete API keys belonging to other users due to a missing ownership check in the delete endpoint — a textbook IDOR. If your organization runs Langflow (on-prem or multi-tenant), treat all API keys as potentially compromised and upgrade to 1.9.0 immediately. This is a low-effort attack requiring only a valid account, making it a realistic insider or compromised-account threat.

Risk Assessment

HIGH risk. CVSS 8.8 with network-accessible, low-complexity, low-privilege exploitation. The combination of no user interaction required and high impact across confidentiality, integrity, and availability makes this immediately actionable. Multi-tenant Langflow deployments face the highest exposure — any authenticated user becomes a potential disruptor of all other users' API key infrastructure. Single-tenant internal deployments are lower risk but still exposed to insider threat scenarios.

Affected Systems

Package	Ecosystem	Vulnerable Range	Patched
langflow	pip	—	No patch
147.6K Pushed 6d ago 38% patched ~53d to patch Full package profile →
langflow	pip	< 1.7.2	`1.7.2`
147.6K Pushed 6d ago 38% patched ~53d to patch Full package profile →

Severity & Risk

CVSS 3.1

8.8 / 10

EPSS

0.0%

chance of exploitation in 30 days

Higher than 7% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

No known exploitation

Sophistication

Trivial

Attack Surface

AV Network

AC Low

PR Low

UI None

S Unchanged

C High

I High

A High

Recommended Action

5 steps

PATCH

Upgrade Langflow to version 1.9.0 immediately — this is the only complete fix.
DETECT

Audit logs for DELETE requests to /api/v1/api_keys/{id} (or equivalent) where the requesting user does not own the key_id. Look for patterns of bulk deletions or deletions of keys belonging to privileged accounts.
WORKAROUND (if patching is delayed): Restrict Langflow access to trusted users only via network controls; disable self-service API key management if not essential.
ROTATE

After patching, rotate all API keys as a precaution — you cannot rule out exploitation prior to the patch.
MONITOR

Enable alerting on API key deletion events across all Langflow instances.

CISA SSVC Assessment

Decision Track

Exploitation none

Automatable No

Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Supply Chain Code Execution DoS Framework Agent API AML.T0012 - Valid Accounts AML.T0029 - Denial of AI Service AML.T0049 - Exploit Public-Facing Application AML.T0055 - Unsecured Credentials AML.T0101 - Data Destruction via AI Agent Tool Invocation

Compliance Impact

This CVE is relevant to:

EU AI Act

Art. 15 - Accuracy, robustness and cybersecurity

ISO 42001

A.6.2.5 - Access control for AI systems A.9.4 - AI system security

NIST AI RMF

GOVERN 6.1 - Policies for third-party AI components MANAGE 2.2 - Risk response and treatment

OWASP LLM Top 10

LLM03:2025 - Supply Chain Vulnerabilities

Frequently Asked Questions

What is CVE-2026-33053?

Any authenticated Langflow user can delete API keys belonging to other users due to a missing ownership check in the delete endpoint — a textbook IDOR. If your organization runs Langflow (on-prem or multi-tenant), treat all API keys as potentially compromised and upgrade to 1.9.0 immediately. This is a low-effort attack requiring only a valid account, making it a realistic insider or compromised-account threat.

Is CVE-2026-33053 actively exploited?

No confirmed active exploitation of CVE-2026-33053 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-33053?

1. PATCH: Upgrade Langflow to version 1.9.0 immediately — this is the only complete fix. 2. DETECT: Audit logs for DELETE requests to /api/v1/api_keys/{id} (or equivalent) where the requesting user does not own the key_id. Look for patterns of bulk deletions or deletions of keys belonging to privileged accounts. 3. WORKAROUND (if patching is delayed): Restrict Langflow access to trusted users only via network controls; disable self-service API key management if not essential. 4. ROTATE: After patching, rotate all API keys as a precaution — you cannot rule out exploitation prior to the patch. 5. MONITOR: Enable alerting on API key deletion events across all Langflow instances.

What systems are affected by CVE-2026-33053?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, LLM orchestration platforms, AI workflow builders, multi-tenant AI development platforms.

What is the CVSS score for CVE-2026-33053?

CVE-2026-33053 has a CVSS v3.1 base score of 8.8 (HIGH). The EPSS exploitation probability is 0.03%.

Technical Details

NVD Description

Langflow is a tool for building and deploying AI-powered agents and workflows. In versions prior to 1.9.0, the delete_api_key_route() endpoint accepts an api_key_id path parameter and deletes it with only a generic authentication check (get_current_active_user dependency). However, the delete_api_key() CRUD function does NOT verify that the API key belongs to the current user before deletion.

Exploitation Scenario

An attacker registers or compromises any low-privilege account in a multi-tenant Langflow deployment. They enumerate API key IDs by making sequential or pattern-based requests to the delete endpoint (e.g., DELETE /api/v1/api_keys/1, /2, /3...). Because the backend performs no ownership verification, the server deletes keys belonging to admins and other users without error. The attacker can systematically revoke all API keys in the system, causing immediate outages across all AI workflows, agent pipelines, and LLM integrations — effectively a targeted DoS on the organization's entire AI infrastructure. A more targeted variant would selectively delete only admin API keys while preserving their own access.