CVE-2026-33497
Langflow: /profile_pictures/{folder_name}/{file_name} endpoint file reading
CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
0th
Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to version 1.7.1, in the download_profile_picture function of the /profile_pictures/{folder_name}/{file_name} endpoint, the folder_name and file_name parameters are not strictly filtered, which allows the secret_key to be read across directories. Version 1.7.1 contains a patch.
| CWE | CWE-22 |
| Vendor | langflow-ai |
| Product | langflow |
| Published | Mar 24, 2026 |
| Last Updated | Mar 24, 2026 |
Stay Ahead of the Next One
Get instant alerts for langflow-ai langflow
Be the first to know when new unknown vulnerabilities affecting langflow-ai langflow are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
Affected Versions
langflow-ai / langflow
< 1.7.1