CVE-2026-33497

Name of the Vulnerable Software and Affected Versions Langflow versions prior to 1.7.1

Description Langflow is a tool for building and deploying AI-powered agents and workflows. In the download profile picture function of the /profile pictures/{folder name}/{file name} API endpoint, the folder name and file name parameters are not strictly filtered. This allows an attacker to read the secret key across directories. The secret key is used for JWT authentication, enabling attackers to forge authentication tokens and log into the system.

Recommendations Versions prior to 1.7.1 should be updated to version 1.7.1 or later.