Langflow's `/logout` endpoint deleted auth cookies with mismatched parameters (httponly/samesite/secure/domain), causing browsers to silently retain `access_token_lf` and `refresh_token_lf` after logout; the frontend also failed to wipe them from Local Storage. In shared-workstation environments — AI labs, SOC consoles, developer hotdesks — an attacker with physical access can simply refresh the browser and inherit a previous user's full authenticated session, accessing configured LLM API keys, AI pipeline definitions, and any data processed by Langflow. With CVSS AV:P (physical access required), no public exploit, and no CISA KEV listing, this is not an emergency for air-gapped or single-user deployments, but any multi-user Langflow installation should treat it as P1. Upgrade to Langflow 1.7.0 immediately; until patched, instruct users to manually clear browser cookies and localStorage and restrict Langflow to non-shared machines.
What is the risk?
Medium severity with context-dependent impact. The CVSS AV:P vector confines exploitation to scenarios with physical or local browser access after a legitimate logout, but Langflow manages high-value AI assets — LLM API credentials, agentic workflow configurations, and sensitive pipeline data — which amplifies the consequence of even a low-friction session takeover. The package carries a 77/100 risk score and 53 cumulative CVEs, signaling a pattern of security debt warranting organizational risk review beyond this single finding. No public PoC or active exploitation detected.
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| Langflow | pip | < 1.7.0 | 1.7.1 |
Do you use Langflow? You're affected.
What should I do?
5 steps:
1. Patch: Upgrade to Langflow 1.7.0 or later — PRs #10527 and #10528 fix cookie deletion to match creation parameters and add frontend session cleanup.
2. Workaround (if unable to patch): Mandate that users manually clear browser cookies and localStorage after each session; consider a browser extension policy to auto-wipe on tab close.
3. Access restriction: Deploy Langflow exclusively on dedicated, single-user machines until patched.
4. Network scope: Ensure Langflow is not reachable from shared, public, or guest networks.
5. Detection: Review server access logs for sessions that remain active well beyond expected user activity windows or that resume without a preceding login event.
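The detection step above can be scripted. The following is an added example, not Langflow's code or part of the advisory: it walks constructed access-log lines and flags every successful authenticated request from a (client, user) pair that follows that pair's logout, or that has no login before it at all, which is what a retained `access_token_lf` cookie looks like from the server side. The log format, the `/api/v1/login` and `/api/v1/logout` paths and the sample lines are assumptions; adapt `LINE_RE` and the two paths to your deployment's logs.

```python
import re

# Constructed sample lines in a simplified access-log format:
# timestamp, client address, authenticated user ("-" if none), method, path, status.
# Real Langflow/uvicorn logs differ; adapt LINE_RE and the two paths below.
SAMPLE_LOG = """\
2026-03-01T09:00:01Z 10.0.0.5 alice POST /api/v1/login 200
2026-03-01T09:05:12Z 10.0.0.5 alice GET /api/v1/flows/ 200
2026-03-01T09:30:00Z 10.0.0.5 alice POST /api/v1/logout 200
2026-03-01T09:31:40Z 10.0.0.5 alice GET /api/v1/flows/ 200
2026-03-01T09:32:05Z 10.0.0.5 alice GET /api/v1/variables/ 200
2026-03-01T10:00:00Z 10.0.0.9 bob GET /api/v1/flows/ 200
2026-03-01T10:00:30Z 10.0.0.7 carol POST /api/v1/login 200
2026-03-01T10:01:00Z 10.0.0.7 carol GET /api/v1/flows/ 200
2026-03-01T10:02:00Z 10.0.0.7 - GET /health 200
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<ip>\S+) (?P<user>\S+) (?P<method>\S+) "
                     r"(?P<path>\S+) (?P<status>\d{3})$")
LOGIN_PATH, LOGOUT_PATH = "/api/v1/login", "/api/v1/logout"  # assumed paths

def find_resumed_sessions(log_text: str) -> list[dict]:
    """Flag successful authenticated requests for a (client, user) pair that
    follow that pair's logout, or that appear with no login at all in the window.
    Either pattern is what a retained access_token_lf cookie looks like server-side."""
    state = {}      # (ip, user) -> "logged_in" | "logged_out"
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["status"] != "200" or m["user"] == "-":
            continue  # skip malformed, failed and unauthenticated requests
        key = (m["ip"], m["user"])
        if m["path"] == LOGIN_PATH:
            state[key] = "logged_in"
        elif m["path"] == LOGOUT_PATH:
            state[key] = "logged_out"
        elif state.get(key) != "logged_in":
            findings.append({"ts": m["ts"], "ip": m["ip"], "user": m["user"],
                             "path": m["path"],
                             "reason": "after logout" if key in state else "no prior login"})
    return findings

if __name__ == "__main__":
    for f in find_resumed_sessions(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} {f['user']} {f['path']}: session {f['reason']}")
```

Findings for the same user from a different client address are not correlated here; if your logs carry a session or token identifier, key `state` on that instead of the address.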
Frequently Asked Questions
Is CVE-2026-55423 actively exploited?
No confirmed active exploitation of CVE-2026-55423 has been reported, but organizations should still patch proactively.
What systems are affected by CVE-2026-55423?
This vulnerability affects the following AI/ML architecture patterns: LLM workflow orchestration, agent frameworks, multi-user AI development environments.
What is the CVSS score for CVE-2026-55423?
CVE-2026-55423 has a CVSS v3.1 base score of 6.1 (MEDIUM).
What is the AI security impact?
MITRE ATLAS Techniques
- AML.T0012 Valid Accounts
- AML.T0055 Unsecured Credentials
- AML.T0091.000 Application Access Token
What are the technical details?
Original Advisory
### Summary
The logout button does not clear the session. The previous user stays logged in unless another user explicitly logs in.
### Details
Not in auto login mode. Hosted on localhost. `access_token_lf` remains present in both Local Storage and Cookies. `refresh_token_lf` remains present in Cookies.
**Root cause:** the `/logout` endpoint deleted the authentication cookies without matching the original `httponly`/`samesite`/`secure`/`domain` parameters, so the browser kept them; additionally the frontend did not clear the auth cookies on logout.
```
LANGFLOW_AUTO_LOGIN: "False"
LANGFLOW_SUPERUSER: <set>
LANGFLOW_SUPERUSER_PASSWORD: <set>
LANGFLOW_SECRET_KEY: <set>
LANGFLOW_NEW_USER_IS_ACTIVE: "False"
LANGFLOW_ENABLE_SUPERUSER_CLI: "False"
```
### PoC
Click Logout. Hit refresh to return to previous screen.
### Impact
Users on shared computers may falsely believe they have terminated their session.
### Patches
Fixed in **1.7.0** (PRs #10527 and #10528). The logout endpoint now deletes the auth cookies using the same parameters they were created with, and the frontend clears the auth cookies on logout. Upgrade to **1.7.0 or later**.
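To confirm that a deployment's logout really deletes the cookies with the same attributes they were created with (the root cause the advisory names), the following added check, which is neither the advisory's nor Langflow's code, parses the `Set-Cookie` headers of a login response and a logout response and reports every attribute that differs, plus a deletion header that carries no `Max-Age=0`/`Expires`. The header values are constructed samples; capture the real ones from your own instance (for example with `curl -i`) and feed them to `audit_logout`.

```python
from http.cookies import SimpleCookie

# Attributes compared between the login Set-Cookie and the logout Set-Cookie.
# Browsers key cookies on name + Domain + Path, and the advisory also names
# httponly/samesite/secure as mismatched, so all of them must agree.
COMPARED = ("domain", "path", "secure", "httponly", "samesite")

def parse_set_cookie(header: str) -> dict:
    """Parse one Set-Cookie header value; flags become bools, others strings."""
    jar = SimpleCookie()
    jar.load(header)
    (name, morsel), = jar.items()
    attrs = {k: (bool(morsel[k]) if k in ("secure", "httponly") else morsel[k].lower())
             for k in COMPARED}
    attrs.update(name=name, max_age=morsel["max-age"], expires=morsel["expires"])
    return attrs

def deletion_problems(created: dict, deleted: dict) -> list[str]:
    """Reasons the logout header would NOT remove the cookie set at login."""
    problems = [f"{k} differs: {created[k]!r} at login vs {deleted[k]!r} at logout"
                for k in COMPARED if created[k] != deleted[k]]
    if deleted["max_age"] != "0" and not deleted["expires"]:
        problems.append("no Max-Age=0/Expires: cookie is overwritten, not deleted")
    return problems

def audit_logout(login_headers: list[str], logout_headers: list[str]) -> dict:
    """Map each cookie name set at login to a (possibly empty) list of problems."""
    created = {c["name"]: c for c in map(parse_set_cookie, login_headers)}
    deleted = {c["name"]: c for c in map(parse_set_cookie, logout_headers)}
    return {name: (["no deletion header for this cookie"] if name not in deleted
                   else deletion_problems(c, deleted[name]))
            for name, c in created.items()}

# Constructed headers; the attribute set on your instance comes from its login
# response, not from this page.
LOGIN = ['access_token_lf=eyJ.sample; Path=/; HttpOnly; SameSite=lax; Secure',
         'refresh_token_lf=eyJ.refresh; Path=/; HttpOnly; SameSite=lax; Secure']
LOGOUT_VULNERABLE = ['access_token_lf=""; Max-Age=0; Path=/; SameSite=strict',
                     'refresh_token_lf=""; Max-Age=0; Path=/']
LOGOUT_FIXED = ['access_token_lf=""; Max-Age=0; Path=/; HttpOnly; SameSite=lax; Secure',
                'refresh_token_lf=""; Max-Age=0; Path=/; HttpOnly; SameSite=lax; Secure']

if __name__ == "__main__":
    for label, headers in (("vulnerable", LOGOUT_VULNERABLE), ("fixed", LOGOUT_FIXED)):
        print(label, audit_logout(LOGIN, headers))
```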
Exploitation Scenario
An attacker waits for a colleague to finish using a shared workstation running Langflow and click 'Logout.' Because the `/logout` endpoint uses mismatched cookie attributes, the browser ignores the deletion directive and retains both `access_token_lf` and `refresh_token_lf`. The attacker opens the same browser, navigates to the Langflow URL, and is automatically authenticated as the previous user — no credentials required, no visible anomaly in the UI. The attacker then navigates to pipeline settings to harvest LLM provider API keys, exports workflow definitions containing proprietary prompt logic, or modifies existing pipelines to insert a data exfiltration step that silently copies processed documents to an external endpoint on future runs.
Weaknesses (CWE)
CWE-613 — Insufficient Session Expiration: According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."
- [Implementation] Set sessions/credentials expiration date.
Source: MITRE CWE corpus.
CVSS Vector
CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Related Vulnerabilities
- CVE-2026-55255 (9.9) Langflow: IDOR allows cross-user flow execution (same package: langflow)
- CVE-2026-33309 (9.9) langflow: Path Traversal enables file access (same package: langflow)
- CVE-2024-37014 (9.8) Langflow: unauthenticated RCE via custom component API (same package: langflow)
- CVE-2026-33017 (9.8) langflow: Code Injection enables RCE (same package: langflow)
- CVE-2026-27966 (9.8) langflow: Code Injection enables RCE (same package: langflow)