CVE-2026-33484: langflow: Access Control bypass enables privilege escalation

GHSA-7grx-3xcx-2xv5 HIGH CISA: TRACK*
Published March 24, 2026
CISO Take

If your organization runs Langflow in a multi-tenant deployment, upgrade to 1.9.0 immediately — this is a zero-authentication file disclosure that requires only a UUID to exploit. Uploaded images from any user's workflow are accessible to unauthenticated attackers, and flow_ids can be harvested from other Langflow API responses, making enumeration trivial. Single-tenant instances behind network controls have lower immediate exposure but still require patching.

What is the risk?

High risk for any internet-exposed or internally multi-tenant Langflow deployment. CVSS 7.5 reflects the reality: network-accessible, zero privileges, zero user interaction required. The only barrier to exploitation is knowing a valid flow_id and filename — and flow_ids are UUIDs that leak through other Langflow API endpoints, making this effectively a zero-barrier attack. Organizations using Langflow for enterprise AI workflow building where images may contain sensitive business data (architecture diagrams, data visualizations, proprietary screenshots) face meaningful data exposure and potential breach notification obligations.

What systems are affected?

Package    Ecosystem    Vulnerable Range       Patched
Langflow   pip          >= 1.0.0, < 1.9.0      1.9.0

How severe is it?

CVSS 3.1: 7.5 / 10
EPSS: 0.5% chance of exploitation in 30 days (higher than 40% of all CVEs)
Exploitation Status: Exploit Available
Exploitation: MEDIUM
Sophistication: Trivial
Exploitation Confidence: medium
CISA SSVC: Public PoC
Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

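Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): None
Availability (A): None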

What should I do?

  1. IMMEDIATE: Upgrade Langflow to 1.9.0 which contains the patch for this endpoint.

  2. If patching is delayed: restrict network access to Langflow instances via firewall or network segmentation to trusted IP ranges only.

  3. DETECTION: Review web server and application logs for unauthenticated requests to /api/v1/files/images/ — flag requests without Authorization headers, and look for sequential UUID enumeration patterns indicating active exploitation.

  4. ASSESS EXPOSURE: Inventory what images were uploaded to your Langflow instance and assess whether any contained sensitive or regulated data.

  5. For multi-tenant operators: evaluate breach notification obligations under GDPR/applicable regulations given potential cross-tenant data access.
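
The log review in step 3, as an added example (not code from Langflow or from this advisory): a Python pass over reverse-proxy access logs that lists image requests sent without an Authorization header and flags clients touching many distinct flow_ids. The log format with its trailing auth=yes|no field, the threshold of 3, and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Assumed proxy log format (not Langflow's own): combined-style fields plus a
# trailing auth=yes|no recording whether an Authorization header was present.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[A-Z]+ (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ auth=(?P<auth>yes|no)$'
)
# Endpoint path from the advisory: /api/v1/files/images/{flow_id}/{file_name}
IMAGE_RE = re.compile(
    r'^/api/v1/files/images/(?P<flow_id>[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12})'
    r'/(?P<name>[^/?#]+)', re.IGNORECASE
)

def find_unauthenticated_image_reads(lines, distinct_flow_threshold=3):
    """Summarise, per client IP, image requests sent without Authorization."""
    per_ip = defaultdict(lambda: {"requests": 0, "flow_ids": set(), "served": []})
    for line in lines:
        m = LINE_RE.match(line.strip())
        img = IMAGE_RE.match(m["path"]) if m and m["auth"] == "no" else None
        if not img:
            continue
        entry = per_ip[m["ip"]]
        flow_id = img["flow_id"].lower()
        entry["requests"] += 1
        entry["flow_ids"].add(flow_id)
        if m["status"] == "200":  # file was actually returned to the client
            entry["served"].append((m["ts"], flow_id, img["name"]))
    # UUIDs have no order, so enumeration is approximated as one client
    # touching many distinct flow_ids (threshold is an assumed starting point).
    return {ip: {"requests": e["requests"], "served": e["served"],
                 "distinct_flow_ids": len(e["flow_ids"]),
                 "enumeration_suspected": len(e["flow_ids"]) >= distinct_flow_threshold}
            for ip, e in per_ip.items()}

# Constructed sample lines (documentation IP ranges, made-up UUIDs).
P = "/api/v1/files/images/"
SAMPLE_LOG = [
    f'198.51.100.7 - - [24/Mar/2026:10:00:01 +0000] "GET {P}11111111-1111-4111-8111-111111111111/chart.png HTTP/1.1" 200 48211 auth=no',
    f'198.51.100.7 - - [24/Mar/2026:10:00:02 +0000] "GET {P}22222222-2222-4222-8222-222222222222/chart.png HTTP/1.1" 404 0 auth=no',
    f'198.51.100.7 - - [24/Mar/2026:10:00:03 +0000] "GET {P}33333333-3333-4333-8333-333333333333/diagram.png HTTP/1.1" 200 9120 auth=no',
    f'203.0.113.20 - - [24/Mar/2026:10:05:00 +0000] "GET {P}11111111-1111-4111-8111-111111111111/chart.png HTTP/1.1" 200 48211 auth=yes',
    f'203.0.113.21 - - [24/Mar/2026:10:06:00 +0000] "GET {P}11111111-1111-4111-8111-111111111111/chart.png HTTP/1.1" 200 48211 auth=no',
]
```

Every entry in a client's "served" list is an image returned with HTTP 200 to a request that carried no Authorization header, which feeds directly into the exposure inventory in step 4.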

What does CISA's SSVC say?

Decision: Track*
Exploitation: poc
Automatable: Yes
Technical Impact: partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act: Article 9 - Risk Management System
ISO 42001: A.6.1.3 - Access control for AI systems
NIST AI RMF: GOVERN 1.7 - Processes for AI risk are established and communicated
OWASP LLM Top 10: LLM06:2025 - Sensitive Information Disclosure

Frequently Asked Questions

Is CVE-2026-33484 actively exploited?

No confirmed active exploitation of CVE-2026-33484 has been reported, but organizations should still patch proactively.

What systems are affected by CVE-2026-33484?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, multi-tenant AI platforms, LLM workflow builders, LLM orchestration pipelines.

What is the CVSS score for CVE-2026-33484?

CVE-2026-33484 has a CVSS v3.1 base score of 7.5 (HIGH). The EPSS exploitation probability is 0.52%.

What is the AI security impact?

Affected AI Architectures

agent frameworks
multi-tenant AI platforms
LLM workflow builders
LLM orchestration pipelines

MITRE ATLAS Techniques

AML.T0006 Active Scanning
AML.T0025 Exfiltration via Cyber Means
AML.T0035 AI Artifact Collection
AML.T0049 Exploit Public-Facing Application
AML.T0084 Discover AI Agent Configuration

Compliance Controls Affected

EU AI Act: Article 9
ISO 42001: A.6.1.3
NIST AI RMF: GOVERN 1.7
OWASP LLM Top 10: LLM06:2025

What are the technical details?

Original Advisory

Langflow is a tool for building and deploying AI-powered agents and workflows. In versions 1.0.0 through 1.8.1, the `/api/v1/files/images/{flow_id}/{file_name}` endpoint serves image files without any authentication or ownership check. Any unauthenticated request with a known flow_id and file_name returns the image with HTTP 200. In a multi-tenant deployment, any attacker who can discover or guess a `flow_id` (UUIDs can be leaked through other API responses) can download any user's uploaded images without credentials. Version 1.9.0 contains a patch.

Exploitation Scenario

An attacker targeting an organization using Langflow for AI agent development first identifies an exposed Langflow instance via Shodan, DNS enumeration, or prior reconnaissance. They then call any authenticated Langflow API endpoint that returns flow metadata — or leverage a low-privilege session — to harvest flow_ids. With a flow_id in hand, they issue unauthenticated HTTP GET requests to /api/v1/files/images/{flow_id}/{file_name}. By iterating over predictable filename patterns or using knowledge of Langflow's file naming conventions, they systematically download uploaded images from any user in the deployment. In a corporate context, this exfiltrates proprietary workflow diagrams, data samples, or screenshots used to configure AI agents — all without ever authenticating. The attack requires no AI/ML knowledge and can be scripted in minutes.

Weaknesses (CWE)

CWE-284 — Improper Access Control: The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

  • [Architecture and Design, Operation] Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software.
  • [Architecture and Design] Compartmentalize the system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area. Ensure that appropriate compartmentalization is built into the system design, and the compartmentalization allows for and reinforces privilege separation functionality. Architects and designers should rely on the principle of least privilege to decide the appropriate time to use privileges and the time to drop privileges.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Timeline

Published: March 24, 2026
Last Modified: June 6, 2026
First Seen: March 24, 2026

Related Vulnerabilities