CVE-2026-34046

GHSA-8c4j-f57c-35cf UNKNOWN

Langflow: IDOR exposes flows and plaintext API keys

Published March 27, 2026
CISO Take

Any Langflow deployment with authentication enabled and multiple users is fully compromised at the data layer — any authenticated user can read, modify, or delete any other user's AI agent flows, including embedded plaintext LLM API keys. Upgrade to Langflow 1.5.1 immediately and rotate all API keys stored in flows. Treat every multi-user Langflow instance running a version prior to 1.5.1 as fully breached.

Affected Systems

| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| langflow | pip | <= 1.5.0 | 1.5.1 |
| langflow-base | pip | <= 0.5.0 | 0.5.1 |

Severity & Risk

CVSS 3.1: N/A
EPSS: N/A
KEV Status: Not in KEV
Sophistication: Trivial

Recommended Action

  1. Patch immediately: upgrade langflow to ≥1.5.1 or langflow-base to ≥0.5.1.
  2. Rotate all LLM provider API keys stored in any Langflow flow — assume they are compromised in any pre-1.5.1 multi-user deployment.
  3. If patching is not immediately possible, restrict to single-user mode (AUTO_LOGIN=True) or block external network access via firewall rules.
  4. Audit Langflow API access logs for cross-user flow UUID access patterns — look for flow reads by users who do not own those flows.
  5. Review all flow definitions for signs of logic tampering, especially added nodes or modified tool configurations.

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act: Art. 15 - Accuracy, Robustness and Cybersecurity; Art. 9 - Risk Management System
ISO 42001: A.6.2 - AI System Roles and Responsibilities; A.7.3 - Data Governance for AI Systems
NIST AI RMF: GOVERN-6.1 - Third-Party AI Risk Policies; PROTECT-2.2 - Access Management for AI Assets
OWASP LLM Top 10: LLM05 - Supply Chain Vulnerabilities; LLM06 - Sensitive Information Disclosure

Technical Details

NVD Description

Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to version 1.5.1, the `_read_flow` helper in `src/backend/base/langflow/api/v1/flows.py` branched on the `AUTO_LOGIN` setting to decide whether to filter by `user_id`. When `AUTO_LOGIN` was `False` (i.e., authentication was enabled), neither branch enforced an ownership check — the query returned any flow matching the given UUID regardless of who owned it. This allowed any authenticated user to read any other user's flow, including embedded plaintext API keys; modify the logic of another user's AI agents, and/or delete flows belonging to other users. The vulnerability was introduced by the conditional logic that was meant to accommodate public/example flows (those with `user_id = NULL`) under auto-login mode, but inadvertently left the authenticated path without an ownership filter. The fix in version 1.5.1 removes the `AUTO_LOGIN` conditional entirely and unconditionally scopes the query to the requesting user.
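
The ownership gap described above, modelled as an added example (not Langflow's source code): a sqlite3 stand-in for the flow table, the lookup before and after 1.5.1 as the description characterises them, and a check that lists cross-user reads. The table layout, function names, sample rows and the exact form of the `AUTO_LOGIN` filter are assumptions.

```python
import sqlite3

def make_db():
    """Constructed sample data: two users' flows plus one public example flow."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE flow (id TEXT PRIMARY KEY, user_id TEXT, data TEXT)")
    db.executemany("INSERT INTO flow VALUES (?, ?, ?)", [
        ("flow-alice", "alice", '{"api_key": "PLACEHOLDER-ALICE"}'),
        ("flow-bob", "bob", '{"api_key": "PLACEHOLDER-BOB"}'),
        ("flow-example", None, '{"note": "public example"}'),
    ])
    return db

def read_flow_before(db, flow_id, user_id, auto_login):
    """Model of the pre-1.5.1 lookup: only the AUTO_LOGIN branch filters (assumed form)."""
    sql, params = "SELECT id, user_id, data FROM flow WHERE id = ?", [flow_id]
    if auto_login:
        sql += " AND (user_id = ? OR user_id IS NULL)"
        params.append(user_id)
    # auto_login False (authentication enabled): no ownership predicate is added
    return db.execute(sql, params).fetchone()

def read_flow_after(db, flow_id, user_id):
    """Model of the 1.5.1 lookup: always scoped to the requesting user."""
    return db.execute(
        "SELECT id, user_id, data FROM flow WHERE id = ? AND user_id = ?",
        (flow_id, user_id),
    ).fetchone()

def cross_user_leaks(reader, db, users):
    """List (requester, flow_id) pairs where a user is handed someone else's flow."""
    owned = db.execute(
        "SELECT id, user_id FROM flow WHERE user_id IS NOT NULL ORDER BY id").fetchall()
    leaks = []
    for requester in users:
        for flow_id, owner in owned:
            if owner != requester and reader(db, flow_id, requester) is not None:
                leaks.append((requester, flow_id))
    return leaks

if __name__ == "__main__":
    db = make_db()
    before = lambda d, f, u: read_flow_before(d, f, u, auto_login=False)
    print("before:", cross_user_leaks(before, db, ["alice", "bob"]))
    print("after: ", cross_user_leaks(read_flow_after, db, ["alice", "bob"]))
```

The `cross_user_leaks` loop doubles as a regression check: pointed at a real data-access function, it should return an empty list for every pair of distinct users.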

Exploitation Scenario

An attacker registers or compromises any valid Langflow account in a multi-user deployment. They call GET /api/v1/flows/{uuid} iterating UUIDs (which are sequential or discoverable via timing), receiving full flow JSON including plaintext API keys for connected LLM providers. They exfiltrate the keys for unauthorized LLM API usage or lateral movement into connected services. They then issue a PATCH request to silently modify a victim's flow — injecting a malicious tool node or system prompt that persists across future agent executions — poisoning the AI agent's behavior without any visible indication to the legitimate owner.

Timeline

Published: March 27, 2026
Last Modified: March 27, 2026
First Seen: March 27, 2026