CVE-2026-21445

UNKNOWN 0.0

Langflow Missing Authentication on Critical API Endpoints

CVSS Score

0.0

EPSS Score

0.0%

EPSS Percentile

0th

Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to version 1.7.0.dev45, multiple critical API endpoints in Langflow are missing authentication controls. The issue allows any unauthenticated user to access sensitive user conversation data, transaction histories, and perform destructive operations including message deletion. This affects endpoints handling personal data and system operations that should require proper authorization. Version 1.7.0.dev45 contains a patch.

CWE	CWE-306
Vendor	langflow-ai
Product	langflow
Published	Jan 2, 2026
Last Updated	Feb 26, 2026

Stay Ahead of the Next One

Get instant alerts for langflow-ai langflow

Be the first to know when new unknown vulnerabilities affecting langflow-ai langflow are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

langflow-ai / langflow

< 1.7.0.dev45

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/langflow-ai/langflow/security/advisories/GHSA-c5cp-vx83-jhqx github.com: https://github.com/langflow-ai/langflow/commit/3fed9fe1b5658f2c8656dbd73508e113a96e486a