CVE-2026-33053

HIGH SEVERITY

CVSS Score & Metrics

Base Score

8.8 / 10

Vector String

                                        CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H                                    

Vulnerability Description

Langflow is a tool for building and deploying AI-powered agents and workflows. In versions prior to 1.9.0, the delete_api_key_route() endpoint accepts an api_key_id path parameter and deletes it with only a generic authentication check (get_current_active_user dependency). However, the delete_api_key() CRUD function does NOT verify that the API key belongs to the current user before deletion.

Vulnerability Details

Published Date

March 18, 2026

Last Modified

March 20, 2026

CWE ID

CWE-639

Source

GitHub

Vendor

pip

Product

langflow

External References

https://github.com/langflow-ai/langflow/security/advisories/GHSA-rf6x-r45m-xv3w
https://github.com/langflow-ai/langflow/commit/fdc1b3b1448ff3317d73d3e769a6c4a1717f74d7
https://github.com/langflow-ai/langflow/releases/tag/1.7.2
https://github.com/advisories/GHSA-rf6x-r45m-xv3w

CVE-2026-33053

CVSS Score & Metrics

Vulnerability Description

Vulnerability Details

External References

Discussion (0)

Add Comment