PT-2026-28736 · Langflow+1 · Langflow
Published
2026-03-27
·
Updated
2026-03-27
·
CVE-2026-5022
CVSS v4.0
6.3
Medium
| Vector | AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N |
The '/api/v1/files/images/{flow id}/{file name}' endpoint does not enforce any authentication or authorization checks, allowing any unauthenticated user to download images belonging to any flow by knowing (or guessing) the flow ID and file name.
Fix
Missing Authorization
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Langflow