If your organization runs Langflow in a multi-tenant deployment, upgrade to 1.9.0 immediately — this is a zero-authentication file disclosure that requires only a UUID to exploit. Uploaded images from any user's workflow are accessible to unauthenticated attackers, and flow_ids can be harvested from other Langflow API responses, making enumeration trivial. Single-tenant instances behind network controls have lower immediate exposure but still require patching.
Affected Systems
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| langflow | pip | >= 1.0.0, <= 1.8.1 | No patch |
Do you use langflow? You're affected.
Severity & Risk
Recommended Action
- 1. IMMEDIATE: Upgrade Langflow to 1.9.0 which contains the patch for this endpoint. 2. If patching is delayed: restrict network access to Langflow instances via firewall or network segmentation to trusted IP ranges only. 3. DETECTION: Review web server and application logs for unauthenticated requests to /api/v1/files/images/ — flag requests without Authorization headers, and look for sequential UUID enumeration patterns indicating active exploitation. 4. ASSESS EXPOSURE: Inventory what images were uploaded to your Langflow instance and assess whether any contained sensitive or regulated data. 5. For multi-tenant operators: evaluate breach notification obligations under GDPR/applicable regulations given potential cross-tenant data access.
Classification
Compliance Impact
This CVE is relevant to:
Technical Details
NVD Description
Langflow is a tool for building and deploying AI-powered agents and workflows. In versions 1.0.0 through 1.8.1, the `/api/v1/files/images/{flow_id}/{file_name}` endpoint serves image files without any authentication or ownership check. Any unauthenticated request with a known flow_id and file_name returns the image with HTTP 200. In a multi-tenant deployment, any attacker who can discover or guess a `flow_id` (UUIDs can be leaked through other API responses) can download any user's uploaded images without credentials. Version 1.9.0 contains a patch.
Exploitation Scenario
An attacker targeting an organization using Langflow for AI agent development first identifies an exposed Langflow instance via Shodan, DNS enumeration, or prior reconnaissance. They then call any authenticated Langflow API endpoint that returns flow metadata — or leverage a low-privilege session — to harvest flow_ids. With a flow_id in hand, they issue unauthenticated HTTP GET requests to /api/v1/files/images/{flow_id}/{file_name}. By iterating over predictable filename patterns or using knowledge of Langflow's file naming conventions, they systematically download uploaded images from any user in the deployment. In a corporate context, this exfiltrates proprietary workflow diagrams, data samples, or screenshots used to configure AI agents — all without ever authenticating. The attack requires no AI/ML knowledge and can be scripted in minutes.
Weaknesses (CWE)
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N References
- github.com/langflow-ai/langflow/security/advisories/GHSA-7grx-3xcx-2xv5 Exploit Vendor
- github.com/langflow-ai/langflow/security/advisories/GHSA-7grx-3xcx-2xv5
- github.com/langflow-ai/langflow/security/advisories/GHSA-7grx-3xcx-2xv5 Exploit Vendor
- github.com/advisories/GHSA-7grx-3xcx-2xv5
- github.com/advisories/GHSA-7grx-3xcx-2xv5
- github.com/advisories/GHSA-7grx-3xcx-2xv5
- github.com/advisories/GHSA-7grx-3xcx-2xv5
- github.com/langflow-ai/langflow/security/advisories/GHSA-7grx-3xcx-2xv5
- github.com/langflow-ai/langflow/security/advisories/GHSA-7grx-3xcx-2xv5
- github.com/langflow-ai/langflow/security/advisories/GHSA-7grx-3xcx-2xv5
- github.com/langflow-ai/langflow/security/advisories/GHSA-7grx-3xcx-2xv5
- github.com/langflow-ai/langflow/security/advisories/GHSA-7grx-3xcx-2xv5 Exploit Vendor
- github.com/langflow-ai/langflow/security/advisories/GHSA-7grx-3xcx-2xv5
- github.com/langflow-ai/langflow/security/advisories/GHSA-7grx-3xcx-2xv5 Exploit Vendor