CVE-2026-6597: langflow: Plaintext credential storage via Flow API

GHSA-5jjf-wcvf-923w LOW CISA: TRACK*
Published April 20, 2026
CISO Take

Langflow versions up to 1.8.3 fail to properly sanitize API keys during flow processing — the remove_api_keys and has_api_terms functions leave LLM provider credentials (OpenAI, Anthropic, etc.) stored in plaintext within exported flow configurations. While the CVSS score of 2.7 reflects the high-privilege prerequisite, the real-world blast radius is larger than the score suggests: any admin account compromise in a langflow deployment leads directly to theft of all embedded API keys, enabling cost harvesting at the victim's expense or data exfiltration via LLM inference calls. EPSS is effectively zero (0.0001) and this CVE is not in CISA KEV, so broad active exploitation is unlikely, but a public proof-of-concept is referenced on GitHub and no patched version currently exists. Mitigate now by rotating any API keys stored in langflow flows, restricting admin access to trusted internal networks, and moving credentials to a secrets manager rather than embedding them in flow configs.

Sources: NVD, EPSS, ATLAS, GitHub Advisory, OpenSSF

What is the risk?

Low CVSS severity (2.7) is driven by the PR:H requirement, but the contextual risk for AI deployments is meaningfully higher. Langflow flows routinely embed third-party LLM API keys that represent substantial monthly API spend and access to sensitive data pipelines. Package risk score of 77/100 and 40 prior CVEs in this package signal a pattern of security hygiene issues. No patch exists, a public PoC lowers the exploitation bar post-compromise, and the CISA SSVC TRACK_STAR designation confirms it warrants monitoring even absent active KEV listing.

How does the attack unfold?

  1. Initial Access (AML.T0012): Attacker compromises an admin account on a public-facing langflow instance through credential stuffing, phishing, or abuse of a shared/default credential.
  2. Credential Extraction (AML.T0055): Using admin privileges, attacker calls the Flow API to export saved flows; the flawed remove_api_keys sanitization logic returns flows containing plaintext LLM provider API keys.
  3. Lateral Movement (AML.T0083): Extracted API keys are used to authenticate directly to LLM providers (OpenAI, Anthropic, etc.) as the victim organization, accessing connected data sources and AI services.
  4. Impact (AML.T0034): Attacker runs high-volume inference requests billed to the victim or exfiltrates sensitive data from RAG-connected stores, causing financial harm and data confidentiality breach.

What systems are affected?

Package: Langflow
Ecosystem: pip
Vulnerable Range: <= 1.8.3
Patched: No patch

Do you use Langflow? You're affected.

How severe is it?

CVSS 3.1: 2.7 / 10
EPSS: 0.3% chance of exploitation in 30 days (higher than 24% of all CVEs)
Exploitation Status: Exploit Available
Exploitation: MEDIUM
Sophistication: Trivial
Exploitation Confidence: medium
CISA SSVC: Public PoC
Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

AV: Network
AC: Low
PR: High
UI: None
S: Unchanged
C: Low
I: None
A: None

What should I do?

  1. Immediately export and audit all langflow flow configurations for embedded plaintext API keys.
  2. Rotate any exposed LLM provider API keys (OpenAI, Anthropic, Google, etc.) regardless of suspected exploitation.
  3. Restrict langflow admin access to internal networks or VPN — since PR:H is required, preventing admin account compromise is the primary control.
  4. Replace embedded keys with environment variable references or integrate a secrets manager (HashiCorp Vault, AWS Secrets Manager).
  5. Monitor LLM provider usage dashboards for anomalous API consumption.
  6. Track the langflow release channel for a patched version; no fix exists for <= 1.8.3.
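
For the audit step above, a sketch of a scanner for exported flow JSON. It is an added example, not code from Langflow or the advisory. The export layout (data.nodes[].data.node.template), the password and load_from_db field flags, and the key-prefix patterns are assumptions; the sample flow is constructed.

```python
import json
import re
import sys

# Assumed export layout (not stated in the advisory):
#   flow["data"]["nodes"][i]["data"]["node"]["template"][field]
#     = {"value": ..., "password": bool, "load_from_db": bool}
SECRET_NAME = re.compile(r"api|secret|token|key|passw|credential", re.I)
# Common provider key prefixes; heuristic and non-exhaustive.
SECRET_VALUE = re.compile(r"^(sk-|AIza|hf_)[A-Za-z0-9_\-]{16,}$")

def redact(value):
    """Never echo a full credential into audit output."""
    return f"{value[:3]}***(len={len(value)})"

def find_plaintext_secrets(flow):
    findings = []
    for node in flow.get("data", {}).get("nodes", []):
        template = node.get("data", {}).get("node", {}).get("template", {})
        for name, field in template.items():
            if not isinstance(field, dict):
                continue  # scalar entries such as "_type"
            value = field.get("value")
            if not isinstance(value, str) or not value.strip():
                continue  # empty or non-string values hold no secret
            if field.get("load_from_db"):
                continue  # assumed: value is a variable name, not the secret
            reasons = []
            if field.get("password"):
                reasons.append("password-field")
            if SECRET_VALUE.match(value):
                reasons.append("key-like-value")
            if SECRET_NAME.search(name) and len(value) >= 16 and " " not in value:
                reasons.append("secret-like-name")
            if reasons:
                findings.append({"node": node.get("id"), "field": name,
                                 "reasons": reasons, "preview": redact(value)})
    return findings

# Constructed sample export; the key strings are fake.
SAMPLE_FLOW = {"data": {"nodes": [
    {"id": "OpenAIModel-1", "data": {"node": {"template": {
        "_type": "Component", "max_tokens": {"value": 256},
        "api_key": {"value": "sk-EXAMPLEconstructed0000000000", "password": True}}}}},
    {"id": "Anthropic-2", "data": {"node": {"template": {
        "api_key": {"value": "ANTHROPIC_API_KEY", "password": True, "load_from_db": True}}}}},
    {"id": "Custom-3", "data": {"node": {"template": {
        "auth_header": {"value": "sk-ant-EXAMPLEconstructed111111111", "password": False}}}}}]}}

if __name__ == "__main__":
    flow = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_FLOW
    for finding in find_plaintext_secrets(flow):
        print(finding)
```

The Custom-3 node shows why the value pattern matters: a key stored under a field whose name carries no API-related term is still reported. Every reported key should be treated as exposed and rotated.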

What does CISA's SSVC say?

Decision: Track*
Exploitation: poc
Automatable: No
Technical Impact: partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act: Article 15 - Accuracy, robustness and cybersecurity
ISO 42001: A.9.4 - Authentication information management
NIST AI RMF: MANAGE 2.2 - Risk treatment mechanisms for AI systems
OWASP LLM Top 10: LLM02:2025 - Sensitive Information Disclosure

Frequently Asked Questions

Is CVE-2026-6597 actively exploited?

No confirmed active exploitation of CVE-2026-6597 has been reported, but organizations should still mitigate proactively; no patched version exists for <= 1.8.3.

What systems are affected by CVE-2026-6597?

This vulnerability affects the following AI/ML architecture patterns: LLM workflow automation, agent frameworks, multi-model orchestration pipelines, API integration pipelines.

What is the CVSS score for CVE-2026-6597?

CVE-2026-6597 has a CVSS v3.1 base score of 2.7 (LOW). The EPSS exploitation probability is 0.32%.

What is the AI security impact?

Affected AI Architectures

LLM workflow automation, agent frameworks, multi-model orchestration pipelines, API integration pipelines

MITRE ATLAS Techniques

AML.T0012 Valid Accounts
AML.T0049 Exploit Public-Facing Application
AML.T0055 Unsecured Credentials
AML.T0083 Credentials from AI Agent Configuration
AML.T0106 Exploitation for Credential Access

Compliance Controls Affected

EU AI Act: Article 15
ISO 42001: A.9.4
NIST AI RMF: MANAGE 2.2
OWASP LLM Top 10: LLM02:2025

What are the technical details?

Original Advisory

A weakness has been identified in langflow-ai langflow up to 1.8.3. Impacted is the function remove_api_keys/has_api_terms of the file src/backend/base/langflow/api/utils/core.py of the component Flow Using API. This manipulation causes unprotected storage of credentials. The attack can be initiated remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.

Exploitation Scenario

An attacker gains admin access to a public-facing langflow instance via credential stuffing against a reused password or phishing of a developer account. Using their admin session, they call the Flow API to export all saved flows. Due to the flawed remove_api_keys sanitization logic, the export returns flows containing plaintext OpenAI and Anthropic API keys. The attacker harvests these keys and begins running high-throughput inference requests billed to the victim organization, or uses the keys to query internal data indexed in connected vector stores, exfiltrating proprietary business data.

Weaknesses (CWE)

CWE-256 — Plaintext Storage of a Password: The product stores a password in plaintext within resources such as memory or files.

  • [Architecture and Design] Avoid storing passwords in easily accessible locations.
  • [Architecture and Design] Consider storing cryptographic hashes of passwords as an alternative to storing in plaintext.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N

Timeline

Published: April 20, 2026
Last Modified: April 24, 2026
First Seen: April 20, 2026
