CVE-2026-33484 — HIGH (CVSS 7.5) AI Security Vulnerability

Q: Is CVE-2026-33484 actively exploited?

No confirmed active exploitation of CVE-2026-33484 has been reported, but organizations should still patch proactively.

Q: How to fix CVE-2026-33484?

1. IMMEDIATE: Upgrade Langflow to 1.9.0 which contains the patch for this endpoint. 2. If patching is delayed: restrict network access to Langflow instances via firewall or network segmentation to trusted IP ranges only. 3. DETECTION: Review web server and application logs for unauthenticated requests to /api/v1/files/images/ — flag requests without Authorization headers, and look for sequential UUID enumeration patterns indicating active exploitation. 4. ASSESS EXPOSURE: Inventory what images were uploaded to your Langflow instance and assess whether any contained sensitive or regulated data. 5. For multi-tenant operators: evaluate breach notification obligations under GDPR/applicable regulations given potential cross-tenant data access.

Q: What systems are affected by CVE-2026-33484?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, multi-tenant AI platforms, LLM workflow builders, LLM orchestration pipelines.

Q: What is the CVSS score for CVE-2026-33484?

CVE-2026-33484 has a CVSS v3.1 base score of 7.5 (HIGH). The EPSS exploitation probability is 0.02%.

CISO Take

If your organization runs Langflow in a multi-tenant deployment, upgrade to 1.9.0 immediately — this is a zero-authentication file disclosure that requires only a UUID to exploit. Uploaded images from any user's workflow are accessible to unauthenticated attackers, and flow_ids can be harvested from other Langflow API responses, making enumeration trivial. Single-tenant instances behind network controls have lower immediate exposure but still require patching.

Risk Assessment

High risk for any internet-exposed or internally multi-tenant Langflow deployment. CVSS 7.5 reflects the reality: network-accessible, zero privileges, zero user interaction required. The only barrier to exploitation is knowing a valid flow_id and filename — and flow_ids are UUIDs that leak through other Langflow API endpoints, making this effectively a zero-barrier attack. Organizations using Langflow for enterprise AI workflow building where images may contain sensitive business data (architecture diagrams, data visualizations, proprietary screenshots) face meaningful data exposure and potential breach notification obligations.

Affected Systems

Package	Ecosystem	Vulnerable Range	Patched
langflow	pip	>= 1.0.0, <= 1.8.1	No patch
147.6K Pushed 6d ago 32% patched ~53d to patch Full package profile →

Do you use langflow? You're affected.

Severity & Risk

CVSS 3.1

7.5 / 10

EPSS

0.0%

chance of exploitation in 30 days

Higher than 7% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

Exploit Available

Exploitation: MEDIUM

Sophistication

Trivial

Exploitation Confidence

medium

○ CISA SSVC: Public PoC

Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV Network

AC Low

PR None

UI None

S Unchanged

C High

I None

A None

Recommended Action

5 steps

IMMEDIATE

Upgrade Langflow to 1.9.0 which contains the patch for this endpoint.
If patching is delayed: restrict network access to Langflow instances via firewall or network segmentation to trusted IP ranges only.
DETECTION

Review web server and application logs for unauthenticated requests to /api/v1/files/images/ — flag requests without Authorization headers, and look for sequential UUID enumeration patterns indicating active exploitation.
ASSESS EXPOSURE

Inventory what images were uploaded to your Langflow instance and assess whether any contained sensitive or regulated data.
For multi-tenant operators: evaluate breach notification obligations under GDPR/applicable regulations given potential cross-tenant data access.

CISA SSVC Assessment

Decision Track*

Exploitation poc

Automatable Yes

Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Auth Bypass Data Extraction Privacy Violation Framework API AML.T0006 - Active Scanning AML.T0025 - Exfiltration via Cyber Means AML.T0035 - AI Artifact Collection AML.T0049 - Exploit Public-Facing Application AML.T0084 - Discover AI Agent Configuration

Compliance Impact

This CVE is relevant to:

EU AI Act

Article 9 - Risk Management System

ISO 42001

A.6.1.3 - Access control for AI systems

NIST AI RMF

GOVERN 1.7 - Processes for AI risk are established and communicated

OWASP LLM Top 10

LLM06:2025 - Sensitive Information Disclosure

Frequently Asked Questions

What is CVE-2026-33484?

If your organization runs Langflow in a multi-tenant deployment, upgrade to 1.9.0 immediately — this is a zero-authentication file disclosure that requires only a UUID to exploit. Uploaded images from any user's workflow are accessible to unauthenticated attackers, and flow_ids can be harvested from other Langflow API responses, making enumeration trivial. Single-tenant instances behind network controls have lower immediate exposure but still require patching.

Is CVE-2026-33484 actively exploited?

No confirmed active exploitation of CVE-2026-33484 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-33484?

1. IMMEDIATE: Upgrade Langflow to 1.9.0 which contains the patch for this endpoint. 2. If patching is delayed: restrict network access to Langflow instances via firewall or network segmentation to trusted IP ranges only. 3. DETECTION: Review web server and application logs for unauthenticated requests to /api/v1/files/images/ — flag requests without Authorization headers, and look for sequential UUID enumeration patterns indicating active exploitation. 4. ASSESS EXPOSURE: Inventory what images were uploaded to your Langflow instance and assess whether any contained sensitive or regulated data. 5. For multi-tenant operators: evaluate breach notification obligations under GDPR/applicable regulations given potential cross-tenant data access.

What systems are affected by CVE-2026-33484?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, multi-tenant AI platforms, LLM workflow builders, LLM orchestration pipelines.

What is the CVSS score for CVE-2026-33484?

CVE-2026-33484 has a CVSS v3.1 base score of 7.5 (HIGH). The EPSS exploitation probability is 0.02%.

Technical Details

NVD Description

Langflow is a tool for building and deploying AI-powered agents and workflows. In versions 1.0.0 through 1.8.1, the `/api/v1/files/images/{flow_id}/{file_name}` endpoint serves image files without any authentication or ownership check. Any unauthenticated request with a known flow_id and file_name returns the image with HTTP 200. In a multi-tenant deployment, any attacker who can discover or guess a `flow_id` (UUIDs can be leaked through other API responses) can download any user's uploaded images without credentials. Version 1.9.0 contains a patch.

Exploitation Scenario

An attacker targeting an organization using Langflow for AI agent development first identifies an exposed Langflow instance via Shodan, DNS enumeration, or prior reconnaissance. They then call any authenticated Langflow API endpoint that returns flow metadata — or leverage a low-privilege session — to harvest flow_ids. With a flow_id in hand, they issue unauthenticated HTTP GET requests to /api/v1/files/images/{flow_id}/{file_name}. By iterating over predictable filename patterns or using knowledge of Langflow's file naming conventions, they systematically download uploaded images from any user in the deployment. In a corporate context, this exfiltrates proprietary workflow diagrams, data samples, or screenshots used to configure AI agents — all without ever authenticating. The attack requires no AI/ML knowledge and can be scripted in minutes.