CVE-2026-55423

The logout button does not clear the session. The previous user stays logged in unless another user explicitly logs in.

Not in auto login mode. Hosted on localhost. access token lf remains present in both Local Storage and Cookies. refresh token lf remains present in Cookies.

Root cause: the /logout endpoint deleted the authentication cookies without matching the original httponly/samesite/secure/domain parameters, so the browser kept them; additionally the frontend did not clear the auth cookies on logout.

LANGFLOW AUTO LOGIN: "False"
LANGFLOW SUPERUSER: <set>
LANGFLOW SUPERUSER PASSWORD: <set>
LANGFLOW SECRET KEY: <set>
LANGFLOW NEW USER IS ACTIVE: "False"
LANGFLOW ENABLE SUPERUSER CLI: "False"

Click Logout. Hit refresh to return to previous screen.

Users on shared computers may falsely believe they have terminated their session.

Fixed in 1.7.0 (PRs #10527 and #10528). The logout endpoint now deletes the auth cookies using the same parameters they were created with, and the frontend clears the auth cookies on logout. Upgrade to 1.7.0 or later.