CVE-2026-33053
Langflow has Missing Ownership Verification in API Key Deletion (IDOR)
CVSS Score: 0.0
EPSS Score: 0.0%
EPSS Percentile: 15th
Langflow is a tool for building and deploying AI-powered agents and workflows. In versions prior to 1.9.0, the delete_api_key_route() endpoint accepts an api_key_id path parameter and deletes the corresponding API key after only a generic authentication check (the get_current_active_user dependency). The delete_api_key() CRUD function does NOT verify that the API key belongs to the current user before deleting it.
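The missing ownership check next to a corrected form, as an added example that is not Langflow's code: the in-memory `store`, `create_key`, `delete_key_unscoped`, `delete_key_owned`, `NotFound` and `demo` are hypothetical names, and the user ids are constructed.

```python
# Constructed model; every name here is hypothetical, not Langflow's code.
import uuid


class NotFound(Exception):
    """Raised for a missing key and for another user's key alike,
    so the response does not reveal which key ids exist."""


def create_key(store, owner_id):
    # store maps api_key_id -> owner user id (stand-in for the key table)
    key_id = uuid.uuid4()
    store[key_id] = owner_id
    return key_id


def delete_key_unscoped(store, api_key_id):
    # Flawed pattern: lookup by id only; the caller's identity is never used.
    if store.pop(api_key_id, None) is None:
        raise NotFound(api_key_id)


def delete_key_owned(store, api_key_id, current_user_id):
    # Hardened pattern: ownership is checked before the row is removed.
    if store.get(api_key_id) != current_user_id:
        raise NotFound(api_key_id)
    del store[api_key_id]


def demo():
    """Return (unscoped_removed_foreign_key, owned_refused_foreign_key, owner_deleted)."""
    alice, bob = uuid.uuid4(), uuid.uuid4()
    store = {}
    k1, k2 = create_key(store, alice), create_key(store, alice)
    delete_key_unscoped(store, k1)  # request made as bob; no owner check runs
    try:
        delete_key_owned(store, k2, bob)
        refused = False
    except NotFound:
        refused = k2 in store  # key must still exist after the refusal
    delete_key_owned(store, k2, alice)
    return k1 not in store, refused, k2 not in store
```

In a real data layer the same predicate belongs in the delete query itself (key id and owner id together), so the check and the deletion cannot drift apart.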
| Field | Value |
| --- | --- |
| CWE | CWE-639 |
| Vendor | langflow-ai |
| Product | langflow |
| Published | Mar 20, 2026 |
| Last Updated | Mar 20, 2026 |
Affected Versions
langflow-ai / langflow
< 1.9.0