AI Threat Alert

CVE-2026-33053: langflow: IDOR enables unauthorized data access

GHSA-rf6x-r45m-xv3w HIGH
Published March 20, 2026
CISO Take

Any authenticated Langflow user can delete API keys belonging to other users due to a missing ownership check in the delete endpoint — a textbook IDOR. If your organization runs Langflow (on-prem or multi-tenant), treat all API keys as potentially compromised and upgrade to 1.9.0 immediately. This is a low-effort attack requiring only a valid account, making it a realistic insider or compromised-account threat.

What is the risk?

HIGH risk. CVSS 8.8 with network-accessible, low-complexity, low-privilege exploitation. The combination of no user interaction required and high impact across confidentiality, integrity, and availability makes this immediately actionable. Multi-tenant Langflow deployments face the highest exposure — any authenticated user becomes a potential disruptor of all other users' API key infrastructure. Single-tenant internal deployments are lower risk but still exposed to insider threat scenarios.

What systems are affected?

Package Ecosystem Vulnerable Range Patched
Langflow pip No patch
149.9K Pushed 3d ago 40% patched ~67d to patch Full package profile →
Langflow pip < 1.9.0 1.9.0
149.9K Pushed 3d ago 40% patched ~67d to patch Full package profile →

How severe is it?

CVSS 3.1
8.8 / 10
EPSS
0.4%
chance of exploitation in 30 days
Higher than 31% of all CVEs
Source: EPSS v3 — FIRST.org
Exploitation Status
No known exploitation
Sophistication
Trivial

What is the attack surface?

AV AC PR UI S C I A
AV Network
AC Low
PR Low
UI None
S Unchanged
C High
I High
A High

What should I do?

5 steps

  1. PATCH

    Upgrade Langflow to version 1.9.0 immediately — this is the only complete fix.

  2. DETECT

    Audit logs for DELETE requests to /api/v1/api_keys/{id} (or equivalent) where the requesting user does not own the key_id. Look for patterns of bulk deletions or deletions of keys belonging to privileged accounts.

  3. WORKAROUND (if patching is delayed): Restrict Langflow access to trusted users only via network controls; disable self-service API key management if not essential.

  4. ROTATE

    After patching, rotate all API keys as a precaution — you cannot rule out exploitation prior to the patch.

  5. MONITOR

    Enable alerting on API key deletion events across all Langflow instances.

What does CISA's SSVC say?

Decision Track
Exploitation none
Automatable No
Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Supply Chain Code Execution DoS Framework Agent API AML.T0012 AML.T0029 AML.T0049 AML.T0055 AML.T0101

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Art. 15 - Accuracy, robustness and cybersecurity
ISO 42001
A.6.2.5 - Access control for AI systems A.9.4 - AI system security
NIST AI RMF
GOVERN 6.1 - Policies for third-party AI components MANAGE 2.2 - Risk response and treatment
OWASP LLM Top 10
LLM03:2025 - Supply Chain Vulnerabilities

Frequently Asked Questions

What is CVE-2026-33053?

Any authenticated Langflow user can delete API keys belonging to other users due to a missing ownership check in the delete endpoint — a textbook IDOR. If your organization runs Langflow (on-prem or multi-tenant), treat all API keys as potentially compromised and upgrade to 1.9.0 immediately. This is a low-effort attack requiring only a valid account, making it a realistic insider or compromised-account threat.

Is CVE-2026-33053 actively exploited?

No confirmed active exploitation of CVE-2026-33053 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-33053?

1. PATCH: Upgrade Langflow to version 1.9.0 immediately — this is the only complete fix. 2. DETECT: Audit logs for DELETE requests to /api/v1/api_keys/{id} (or equivalent) where the requesting user does not own the key_id. Look for patterns of bulk deletions or deletions of keys belonging to privileged accounts. 3. WORKAROUND (if patching is delayed): Restrict Langflow access to trusted users only via network controls; disable self-service API key management if not essential. 4. ROTATE: After patching, rotate all API keys as a precaution — you cannot rule out exploitation prior to the patch. 5. MONITOR: Enable alerting on API key deletion events across all Langflow instances.

What systems are affected by CVE-2026-33053?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, LLM orchestration platforms, AI workflow builders, multi-tenant AI development platforms.

What is the CVSS score for CVE-2026-33053?

CVE-2026-33053 has a CVSS v3.1 base score of 8.8 (HIGH). The EPSS exploitation probability is 0.39%.

What is the AI security impact?

Affected AI Architectures

agent frameworksLLM orchestration platformsAI workflow buildersmulti-tenant AI development platforms

MITRE ATLAS Techniques

AML.T0012 Valid Accounts
AML.T0029 Denial of AI Service
AML.T0049 Exploit Public-Facing Application
AML.T0055 Unsecured Credentials
AML.T0101 Data Destruction via AI Agent Tool Invocation

Compliance Controls Affected

EU AI Act: Art. 15
ISO 42001: A.6.2.5, A.9.4
NIST AI RMF: GOVERN 6.1, MANAGE 2.2
OWASP LLM Top 10: LLM03:2025

What are the technical details?

Original Advisory

Langflow is a tool for building and deploying AI-powered agents and workflows. In versions prior to 1.9.0, the delete_api_key_route() endpoint accepts an api_key_id path parameter and deletes it with only a generic authentication check (get_current_active_user dependency). However, the delete_api_key() CRUD function does NOT verify that the API key belongs to the current user before deletion.

Exploitation Scenario

An attacker registers or compromises any low-privilege account in a multi-tenant Langflow deployment. They enumerate API key IDs by making sequential or pattern-based requests to the delete endpoint (e.g., DELETE /api/v1/api_keys/1, /2, /3...). Because the backend performs no ownership verification, the server deletes keys belonging to admins and other users without error. The attacker can systematically revoke all API keys in the system, causing immediate outages across all AI workflows, agent pipelines, and LLM integrations — effectively a targeted DoS on the organization's entire AI infrastructure. A more targeted variant would selectively delete only admin API keys while preserving their own access.

Weaknesses (CWE)

CWE-639 Authorization Bypass Through User-Controlled Key Primary CWE-639 Authorization Bypass Through User-Controlled Key Primary

CWE-639 — Authorization Bypass Through User-Controlled Key: The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

  • [Architecture and Design] For each and every data access, ensure that the user has sufficient privilege to access the record that is being requested.
  • [Architecture and Design, Implementation] Make sure that the key that is used in the lookup of a specific user's record is not controllable externally by the user or that any tampering can be detected.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

References

Timeline

Published
March 20, 2026
Last Modified
June 6, 2026
First Seen
March 20, 2026

Related Vulnerabilities

CRITICAL CVE-2026-10561 10.0

Langflow: auth bypass + unauthenticated RCE (CVSS 10)

Same package: langflow
CRITICAL CVE-2026-55255 9.9

Langflow: IDOR allows cross-user flow execution

Same package: langflow
CRITICAL CVE-2026-33309 9.9

langflow: Path Traversal enables file access

Same package: langflow
CRITICAL CVE-2024-42835 9.8

Langflow: Unauthenticated RCE via PythonCodeTool

Same package: langflow
CRITICAL CVE-2026-33017 9.8

langflow: Code Injection enables RCE

Same package: langflow
Back to Threat Feed