CVE-2026-21445 · CRITICAL 9.1 · EPSS p97.3%

Description

Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to version 1.7.0.dev45, multiple critical API endpoints in Langflow are missing authentication controls. The issue allows any unauthenticated user to access sensitive user conversation data, transaction histories, and perform destructive operations including message deletion. This affects endpoints handling personal data and system operations that should require proper authorization. Version 1.7.0.dev45 contains a patch.

Scoring

CVSS 3.1: 9.1 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
EPSS: 21.26% probability of exploitation · percentile 97.3% · 2026-06-18T12:00:27Z
Published: 2026-01-02
Last modified: 2026-01-16

Underlying weaknesses · 1

CWE-306

References

  1. https://github.com/langflow-ai/langflow/commit/3fed9fe1b5658f2c8656dbd73508e113a96e486a
  2. https://github.com/langflow-ai/langflow/security/advisories/GHSA-c5cp-vx83-jhqx

Type: Weakness
Target: Missing Authentication for Critical Function (cwe-306)
Confidence: 0%
Tier: live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

  1. CVE: CVE-2026-34046
  2. CVE: Langflow Missing Authentication Vulnerability
  3. CVE: Langflow Code Injection Vulnerability
  4. CVE: CVE-2026-33053
  5. CVE: CVE-2026-42048
  6. CVE: CVE-2026-33873

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.