Langflow · Langflow · CVE-2026-33053
**Name of the Vulnerable Software and Affected Versions**
Langflow versions prior to 1.9.0
**Description**
Langflow is a tool for building and deploying AI-powered agents and workflows. The `delete_api_key_route()` endpoint, which accepts the `api_key_id` path parameter, performs only a generic authentication check: it confirms that the caller is logged in, not that the caller owns the key being deleted. The `delete_api_key()` function it calls does not verify that the API key belongs to the current user before deleting it. An authenticated attacker can therefore enumerate and delete API keys belonging to other users by guessing or otherwise discovering their API key IDs, potentially leading to account takeover, denial of service, and disruption of integrations that depend on those keys. The vulnerable code is located in src/backend/base/langflow/api/v1/api_key.py lines 44-53. The `delete_api_key()` function in crud.py lines 44-49 retrieves the API key by ID and deletes it without checking ownership.
**Recommendations**
Modify the `delete_api_key` endpoint and function:
Pass `current_user` from the route into `delete_api_key()`.
In `delete_api_key()`, verify `api_key.user_id == current_user.id` before deletion.
Raise a 403 Forbidden error if the user does not own the key.
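The following is an added, self-contained illustration of the missing check and the recommended fix; it is not Langflow's own code. The in-memory `Session`, `User` and `ApiKey` types and the `HTTPError` class are assumptions that stand in for the project's SQLModel models, database session and FastAPI's `HTTPException`. `delete_api_key_vulnerable()` mirrors the shape of the pre-1.9.0 behaviour described above (look the key up by ID, delete it); `delete_api_key()` applies the three recommendation steps.

```python
"""Ownership check on API-key deletion: vulnerable shape vs. hardened fix.

Hypothetical stand-in for the Langflow code path described in the advisory,
not the project's own code. Session, User, ApiKey and HTTPError are
assumptions; the real code base uses SQLModel models, a database session
and fastapi.HTTPException.
"""
from dataclasses import dataclass, field
from uuid import UUID, uuid4


class HTTPError(Exception):
    """Minimal stand-in for fastapi.HTTPException (assumption)."""

    def __init__(self, status_code: int, detail: str) -> None:
        super().__init__(detail)
        self.status_code = status_code
        self.detail = detail


@dataclass
class User:
    id: UUID


@dataclass
class ApiKey:
    id: UUID
    user_id: UUID  # owner of the key
    name: str


@dataclass
class Session:
    """Tiny in-memory substitute for a database session (assumption)."""

    keys: dict = field(default_factory=dict)

    def get(self, api_key_id: UUID):
        return self.keys.get(api_key_id)

    def delete(self, api_key: ApiKey) -> None:
        del self.keys[api_key.id]


def delete_api_key_vulnerable(session: Session, api_key_id: UUID) -> None:
    """Shape of the vulnerable behaviour: fetch by ID, delete, no ownership check.

    Nothing ties the key to the caller, so any authenticated user who knows
    or guesses another user's key ID can delete it.
    """
    api_key = session.get(api_key_id)
    if api_key is None:
        raise HTTPError(404, "API key not found")
    session.delete(api_key)


def delete_api_key(session: Session, api_key_id: UUID, current_user: User) -> None:
    """Hardened version: current_user is passed in and ownership is verified.

    Step 2 of the recommendation is the user_id comparison; step 3 is the
    403 raised when it fails.
    """
    api_key = session.get(api_key_id)
    if api_key is None:
        raise HTTPError(404, "API key not found")
    if api_key.user_id != current_user.id:
        raise HTTPError(403, "You do not own this API key")
    session.delete(api_key)


def demo() -> dict:
    """Constructed scenario: a victim owns a key; an attacker knows its ID."""
    victim = User(id=uuid4())
    attacker = User(id=uuid4())
    session = Session()
    victim_key = ApiKey(id=uuid4(), user_id=victim.id, name="prod-integration")
    session.keys[victim_key.id] = victim_key

    results = {}
    # Vulnerable path: the attacker's request silently succeeds.
    delete_api_key_vulnerable(session, victim_key.id)
    results["vulnerable_deleted"] = session.get(victim_key.id) is None

    # Re-create the key and retry through the hardened function as the attacker.
    session.keys[victim_key.id] = victim_key
    try:
        delete_api_key(session, victim_key.id, current_user=attacker)
        results["hardened_status"] = 200
    except HTTPError as exc:
        results["hardened_status"] = exc.status_code
    results["hardened_key_survives"] = session.get(victim_key.id) is not None

    # The legitimate owner can still delete their own key.
    delete_api_key(session, victim_key.id, current_user=victim)
    results["owner_deleted"] = session.get(victim_key.id) is None
    return results


if __name__ == "__main__":
    print(demo())
```

One caveat when applying the fix: the advisory recommends a 403, which confirms to the caller that a guessed ID exists. If ID enumeration is itself a concern, responding with the same 404 for both a missing key and a key owned by someone else removes that oracle while still blocking the deletion.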