GHSA-7GRX-3XCX-2XV5

Vulnerability from github – Published: 2026-03-20 20:47 – Updated: 2026-03-25 20:53
Summary
langflow has Unauthenticated IDOR on Image Downloads
Details

Summary

The /api/v1/files/images/{flow_id}/{file_name} endpoint serves image files without any authentication or ownership check. Any unauthenticated request with a known flow_id and file_name returns the image with HTTP 200.

Details

In src/backend/base/langflow/api/v1/files.py:138-164, download_image takes flow_id: UUID as a bare path parameter with no Depends(get_flow) or CurrentActiveUser. All other file routes (download_file, upload_file, list_files, delete_file) use Depends(get_flow), which enforces both authentication and ownership. There is no global auth middleware on /api/v1; protection is per-endpoint only.

PoC

curl -v "http://localhost:7860/api/v1/files/images/<flow_uuid>/<filename.png>"
# Returns HTTP 200 with image bytes, no auth header required

Impact

Unauthenticated cross-tenant data leak. In a multi-tenant deployment, any attacker who can discover or guess a flow_id (UUIDs can be leaked through other API responses) can download any user's uploaded images without credentials.


{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "langflow"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.0.0"
            },
            {
              "last_affected": "1.8.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-33484"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-284",
      "CWE-639",
      "CWE-862"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-20T20:47:10Z",
    "nvd_published_at": "2026-03-24T14:16:30Z",
    "severity": "HIGH"
  },
  "details": "### Summary\nThe `/api/v1/files/images/{flow_id}/{file_name}` endpoint serves image files without any authentication or ownership check. Any unauthenticated request with a known flow_id and file_name returns the image with HTTP 200.\n\n### Details\n`src/backend/base/langflow/api/v1/files.py:138-164` \u2014 `download_image` takes `flow_id`: UUID as a bare path parameter with no Depends(get_flow) or `CurrentActiveUser`. All other file routes (`download_file`, `upload_file`, `list_files`, `delete_file`) use `Depends(get_flow)` which enforces both authentication and ownership. There is no global auth middleware on /api/v1; protection is per-endpoint only.\n\n### PoC\n```\ncurl -v \"http://localhost:7860/api/v1/files/images/\u003cflow_uuid\u003e/\u003cfilename.png\u003e\"\n# Returns HTTP 200 with image bytes, no auth header required\n```\n\n### Impact\nUnauthenticated cross-tenant data leak. In a multi-tenant deployment, any attacker who can discover or guess a `flow_id` (UUIDs can be leaked through other API responses) can download any user\u0027s uploaded images without credentials.",
  "id": "GHSA-7grx-3xcx-2xv5",
  "modified": "2026-03-25T20:53:47Z",
  "published": "2026-03-20T20:47:10Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/langflow-ai/langflow/security/advisories/GHSA-7grx-3xcx-2xv5"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33484"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/langflow-ai/langflow"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "langflow has Unauthenticated IDOR on Image Downloads"
}