CVE-2024-7297
Published: 30 July 2024
Summary
CVE-2024-7297 is a high-severity Improper Control of Dynamically-Managed Code Resources (CWE-913) vulnerability in Langflow Langflow. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked in the top 12.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
This vulnerability is AI-related — categorised as Other Platforms; in the Other ATLAS/OWASP Terms risk domain; MITRE ATLAS techniques in scope: Data from Information Repositories (AML.T0036), AI Model Inference API Access (AML.T0040), AML.T0045.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-48240
Vulnerability details
Langflow versions prior to 1.0.13 suffer from a Privilege Escalation vulnerability, allowing a remote and low privileged attacker to gain super admin privileges by performing a mass assignment request on the '/api/v1/users' endpoint.
- CWE(s)
AI Security AnalysisAI
- AI Category
- Other Platforms
- Risk Domain
- Other ATLAS/OWASP Terms
- OWASP Top 10 for LLMs 2025
- None mapped
- Classification Reason
- Langflow is an open-source visual low-code platform for building multi-agent, RAG, and LLM-based AI applications using LangChain components, classifying it as an AI development platform.
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
CVE-2024-7297 enables privilege escalation from low-privileged to super admin via mass assignment exploitation on the /api/v1/users endpoint.
MITRE ATLAS TechniquesAI
MITRE ATLAS techniques
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Requiring explicit authorization and ongoing control of mobile code implements proper management of dynamically loaded code resources.