CVE-2026-21445

CVE-2026-21445 is a critical authentication bypass vulnerability affecting Langflow, an open-source tool for building and deploying AI-powered agents and workflows. Prior to version 1.7.0.dev45, multiple critical API endpoints lack proper authentication controls, enabling unauthorized access to sensitive data and operations. This flaw, classified under CWE-306 (Missing Authentication for Critical Function), carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N), highlighting its high severity due to network accessibility, low attack complexity, and no required privileges.

Any unauthenticated attacker with network access to a vulnerable Langflow instance can exploit this issue. Successful exploitation allows reading sensitive user conversation data and transaction histories, as well as performing destructive actions such as message deletion on endpoints that handle personal data and system operations. The vulnerability provides high-impact confidentiality and integrity violations without affecting availability.

The Langflow security advisory (GHSA-c5cp-vx83-jhqx) and associated patch commit (3fed9fe1b5658f2c8656dbd73508e113a96e486a) confirm that upgrading to version 1.7.0.dev45 resolves the issue by implementing required authentication controls on the affected endpoints. Security practitioners should prioritize updating instances and reviewing access logs for potential unauthorized activity.