CVE-2026-34046 — UNKNOWN | AI Threat Alert

Q: Is CVE-2026-34046 actively exploited?

No confirmed active exploitation of CVE-2026-34046 has been reported, but organizations should still patch proactively.

Q: How to fix CVE-2026-34046?

1. Patch immediately: upgrade langflow to ≥1.5.1 or langflow-base to ≥0.5.1. 2. Rotate all LLM provider API keys stored in any Langflow flow — assume they are compromised in any pre-1.5.1 multi-user deployment. 3. If patching is not immediately possible, restrict to single-user mode (AUTO_LOGIN=True) or block external network access via firewall rules. 4. Audit Langflow API access logs for cross-user flow UUID access patterns — look for flow reads by users who do not own those flows. 5. Review all flow definitions for signs of logic tampering, especially added nodes or modified tool configurations.

Q: What systems are affected by CVE-2026-34046?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, workflow orchestration, RAG pipelines, multi-tenant LLM deployments.

Q: What is the CVSS score for CVE-2026-34046?

No CVSS score has been assigned yet.

CISO Take

Any Langflow deployment with authentication enabled and multiple users is fully compromised at the data layer — any authenticated user can read, modify, or delete any other user's AI agent flows, including embedded plaintext LLM API keys. Upgrade to Langflow 1.5.1 immediately and rotate all API keys stored in flows. Treat every multi-user Langflow instance running a version prior to 1.5.1 as fully breached.

What is the risk?

HIGH severity despite the missing CVSS score. Exploitation requires only a valid Langflow account with no elevated privileges. The mechanics are trivial: supply another user's flow UUID to the standard REST API endpoint. The blast radius is severe — LLM provider API keys (OpenAI, Anthropic, etc.) are embedded in plaintext in flow definitions, agent logic can be silently backdoored, and production workflows can be deleted. Multi-tenant SaaS deployments and team-shared Langflow instances face the highest exposure.

What systems are affected?

Package	Ecosystem	Vulnerable Range	Patched
langflow	pip	<= 1.5.0	`1.5.1`
147.9K Pushed 3d ago 31% patched ~53d to patch Full package profile →
langflow-base	pip	<= 0.5.0	`0.5.1`
147.9K Pushed 3d ago 31% patched ~53d to patch Full package profile →

Severity & Risk

CVSS 3.1

N/A

EPSS

0.0%

chance of exploitation in 30 days

Higher than 10% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

No known exploitation

Sophistication

Trivial

What should I do?

5 steps

Patch immediately: upgrade langflow to ≥1.5.1 or langflow-base to ≥0.5.1.
Rotate all LLM provider API keys stored in any Langflow flow — assume they are compromised in any pre-1.5.1 multi-user deployment.
If patching is not immediately possible, restrict to single-user mode (AUTO_LOGIN=True) or block external network access via firewall rules.
Audit Langflow API access logs for cross-user flow UUID access patterns — look for flow reads by users who do not own those flows.
Review all flow definitions for signs of logic tampering, especially added nodes or modified tool configurations.

CISA SSVC Assessment

Decision Track

Exploitation none

Automatable No

Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Auth Bypass Data Extraction Data Leakage Framework Agent API AML.T0012 - Valid Accounts AML.T0049 - Exploit Public-Facing Application AML.T0055 - Unsecured Credentials AML.T0081 - Modify AI Agent Configuration AML.T0083 - Credentials from AI Agent Configuration AML.T0084 - Discover AI Agent Configuration

Compliance Impact

This CVE is relevant to:

EU AI Act

Art. 15 - Accuracy, Robustness and Cybersecurity Art. 9 - Risk Management System

ISO 42001

A.6.2 - AI System Roles and Responsibilities A.7.3 - Data Governance for AI Systems

NIST AI RMF

GOVERN-6.1 - Third-Party AI Risk Policies PROTECT-2.2 - Access Management for AI Assets

OWASP LLM Top 10

LLM05 - Supply Chain Vulnerabilities LLM06 - Sensitive Information Disclosure

Frequently Asked Questions

What is CVE-2026-34046?

Any Langflow deployment with authentication enabled and multiple users is fully compromised at the data layer — any authenticated user can read, modify, or delete any other user's AI agent flows, including embedded plaintext LLM API keys. Upgrade to Langflow 1.5.1 immediately and rotate all API keys stored in flows. Treat every multi-user Langflow instance running a version prior to 1.5.1 as fully breached.

Is CVE-2026-34046 actively exploited?

No confirmed active exploitation of CVE-2026-34046 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-34046?

1. Patch immediately: upgrade langflow to ≥1.5.1 or langflow-base to ≥0.5.1. 2. Rotate all LLM provider API keys stored in any Langflow flow — assume they are compromised in any pre-1.5.1 multi-user deployment. 3. If patching is not immediately possible, restrict to single-user mode (AUTO_LOGIN=True) or block external network access via firewall rules. 4. Audit Langflow API access logs for cross-user flow UUID access patterns — look for flow reads by users who do not own those flows. 5. Review all flow definitions for signs of logic tampering, especially added nodes or modified tool configurations.

What systems are affected by CVE-2026-34046?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, workflow orchestration, RAG pipelines, multi-tenant LLM deployments.

What is the CVSS score for CVE-2026-34046?

No CVSS score has been assigned yet.

Technical Details

NVD Description

Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to version 1.5.1, the `_read_flow` helper in `src/backend/base/langflow/api/v1/flows.py` branched on the `AUTO_LOGIN` setting to decide whether to filter by `user_id`. When `AUTO_LOGIN` was `False` (i.e., authentication was enabled), neither branch enforced an ownership check — the query returned any flow matching the given UUID regardless of who owned it. This allowed any authenticated user to read any other user's flow, including embedded plaintext API keys; modify the logic of another user's AI agents, and/or delete flows belonging to other users. The vulnerability was introduced by the conditional logic that was meant to accommodate public/example flows (those with `user_id = NULL`) under auto-login mode, but inadvertently left the authenticated path without an ownership filter. The fix in version 1.5.1 removes the `AUTO_LOGIN` conditional entirely and unconditionally scopes the query to the requesting user.

Exploitation Scenario

An attacker registers or compromises any valid Langflow account in a multi-user deployment. They call GET /api/v1/flows/{uuid} iterating UUIDs (which are sequential or discoverable via timing), receiving full flow JSON including plaintext API keys for connected LLM providers. They exfiltrate the keys for unauthorized LLM API usage or lateral movement into connected services. They then issue a PATCH request to silently modify a victim's flow — injecting a malicious tool node or system prompt that persists across future agent executions — poisoning the AI agent's behavior without any visible indication to the legitimate owner.