AI Threat Alert AI Threat Alert

CVE-2026-6598

MEDIUM
Published April 20, 2026

A security vulnerability has been detected in langflow-ai langflow up to 1.8.3. The affected element is the function create_project/encrypt_auth_settings of the file src/backend/base/Langflow/api/v1/projects.py of the component Project Creation Endpoint. Such manipulation of the argument...

Full CISO analysis pending enrichment.

Severity & Risk

CVSS 3.1
4.3 / 10
EPSS
N/A
Exploitation Status
No known exploitation
Sophistication
N/A

Attack Surface

AV AC PR UI S C I A
AV Network
AC Low
PR Low
UI None
S Unchanged
C Low
I None
A None

Recommended Action

No patch available

Monitor for updates. Consider compensating controls or temporary mitigations.

Compliance Impact

Compliance analysis pending. Sign in for full compliance mapping when available.

Frequently Asked Questions

What is CVE-2026-6598?

A security vulnerability has been detected in langflow-ai langflow up to 1.8.3. The affected element is the function create_project/encrypt_auth_settings of the file src/backend/base/Langflow/api/v1/projects.py of the component Project Creation Endpoint. Such manipulation of the argument auth_settings leads to cleartext storage in a file or on disk. The attack can be launched remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure b

Is CVE-2026-6598 actively exploited?

No confirmed active exploitation of CVE-2026-6598 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-6598?

No patch is currently available. Monitor vendor advisories for updates.

What is the CVSS score for CVE-2026-6598?

CVE-2026-6598 has a CVSS v3.1 base score of 4.3 (MEDIUM).

Technical Details

NVD Description

A security vulnerability has been detected in langflow-ai langflow up to 1.8.3. The affected element is the function create_project/encrypt_auth_settings of the file src/backend/base/Langflow/api/v1/projects.py of the component Project Creation Endpoint. Such manipulation of the argument auth_settings leads to cleartext storage in a file or on disk. The attack can be launched remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Weaknesses (CWE)

CWE-312 Primary CWE-313 Primary

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

References

Timeline

Published
April 20, 2026
Last Modified
April 20, 2026
First Seen
April 20, 2026
Back to Threat Feed