Cyber Resilience

CVE-2026-33053

Medium

Published: 20 March 2026

Modified: 20 March 2026
KEV Added
Patch
CVSS v4.0 score: 6.1 (vector CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS score: 0.0039 (30.7th percentile)
Risk Priority: 35 (floored blend · peak EPSS)

Summary

CVE-2026-33053 is a medium-severity Authorization Bypass Through User-Controlled Key (CWE-639) vulnerability in Langflow (vendor Langflow, product Langflow). Its CVSS v4 base score is 6.1 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Account Access Removal (T1531). EPSS ranks it at the 30.7th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

This vulnerability is AI-related: it is categorised as LLM Application Platforms, in the Other ATLAS/OWASP Terms risk domain.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).

Deeper analysis

CVE-2026-33053 is an authorization bypass vulnerability (CWE-639) in Langflow, an open-source tool for building and deploying AI-powered agents and workflows. It affects versions prior to 1.9.0 and was published on 2026-03-20. The issue lies in the delete_api_key_route() endpoint, which accepts an api_key_id path parameter and deletes the specified API key after only a generic authentication check via the get_current_active_user dependency. However, the delete_api_key() CRUD function does not verify that the API key belongs to the current user, allowing deletion of arbitrary API keys. The vulnerability has a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

A low-privileged authenticated attacker can exploit this over the network with low attack complexity and no user interaction. By providing the api_key_id of any target API key, the attacker bypasses ownership checks and deletes it, potentially disrupting other users' access to Langflow workflows and achieving high impacts on confidentiality, integrity, and availability.

The GitHub security advisory (GHSA-rf6x-r45m-xv3w) at https://github.com/langflow-ai/langflow/security/advisories/GHSA-rf6x-r45m-xv3w covers this issue. The mitigation is to upgrade to Langflow 1.9.0 or later, where delete_api_key() enforces ownership verification before deleting a key.
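The bug class described above is easiest to see side by side. The block below is an added, self-contained illustration and is not Langflow's code: the KeyStore, the ApiKey type, the two delete functions and the route stand-in are all constructed for this example. `delete_api_key_unscoped()` models the pre-1.9.0 pattern (lookup by id only, after a generic "is authenticated" check), while `delete_api_key_scoped()` models the fix (the lookup is restricted to the caller's own keys, so a key owned by someone else is treated exactly like a key that does not exist).

```python
"""CWE-639 in a constructed model of an API-key CRUD layer.

NOT Langflow's code: every name here (KeyStore, ApiKey, the delete
functions, the route stand-in and the sample data) is an assumption
built for this illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class ApiKey:
    id: str
    user_id: str  # owner of the key
    name: str


@dataclass
class KeyStore:
    """Stand-in for the database session / api_key table."""
    keys: Dict[str, ApiKey] = field(default_factory=dict)

    def get(self, api_key_id: str) -> Optional[ApiKey]:
        return self.keys.get(api_key_id)


def delete_api_key_unscoped(store: KeyStore, api_key_id: str) -> bool:
    """Pre-1.9.0 pattern: the CRUD function looks the key up by id only.
    Whoever passed the generic authentication check can delete any key,
    because ownership is never compared (the CWE-639 defect)."""
    if api_key_id not in store.keys:
        return False
    del store.keys[api_key_id]
    return True


def delete_api_key_scoped(store: KeyStore, api_key_id: str,
                          current_user_id: str) -> bool:
    """Hardened form: the lookup is scoped to the caller's own keys.
    A key that exists but belongs to another user is reported exactly
    like a missing key, so the endpoint also leaks no ownership oracle."""
    key = store.get(api_key_id)
    if key is None or key.user_id != current_user_id:
        return False
    del store.keys[api_key_id]
    return True


def delete_api_key_route(store: KeyStore, api_key_id: str,
                         current_user_id: str, scoped: bool = True) -> dict:
    """Route-layer stand-in: `current_user_id` plays the role of the
    get_current_active_user dependency (authentication already passed).
    scoped=False reproduces the vulnerable behaviour; scoped=True is the
    ownership-enforced version."""
    if scoped:
        ok = delete_api_key_scoped(store, api_key_id, current_user_id)
    else:
        ok = delete_api_key_unscoped(store, api_key_id)
    return {
        "status": 200 if ok else 404,
        "detail": "API Key deleted" if ok else "API Key not found",
    }


def make_store() -> KeyStore:
    """Constructed sample data: two users, one key each."""
    store = KeyStore()
    store.keys["key-alice-1"] = ApiKey("key-alice-1", "alice", "alice automation key")
    store.keys["key-bob-1"] = ApiKey("key-bob-1", "bob", "bob workflow key")
    return store


if __name__ == "__main__":
    # Request authenticated as "bob" naming a key owned by "alice".
    s = make_store()
    print("unscoped:", delete_api_key_route(s, "key-alice-1", "bob", scoped=False))
    s = make_store()
    print("scoped:  ", delete_api_key_route(s, "key-alice-1", "bob"))
    # The owner's own request still succeeds.
    print("owner:   ", delete_api_key_route(s, "key-alice-1", "alice"))
```

The design point is where the ownership filter lives: putting the user id into the CRUD query itself (the equivalent of `WHERE id = ? AND user_id = ?`) means every caller of `delete_api_key()` inherits the check, rather than relying on each route to remember it. Returning the same 404 for "not yours" and "does not exist" is a deliberate choice so the endpoint cannot be used to enumerate which key ids are valid.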

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

Langflow is a tool for building and deploying AI-powered agents and workflows. In versions prior to 1.9.0, the delete_api_key_route() endpoint accepts an api_key_id path parameter and deletes it with only a generic authentication check (get_current_active_user dependency). However, the delete_api_key() CRUD function does NOT verify that the API key belongs to the current user before deletion.

CWE(s)

AI Security Analysis AI

AI Category: LLM Application Platforms
Risk Domain: Other ATLAS/OWASP Terms
OWASP Top 10 for LLMs 2025: None mapped
Classification Reason: Matched keywords: ai, langflow

Related Threats

MITRE ATT&CK Enterprise Techniques AI

T1531 Account Access Removal (tactic: Impact)
Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users.
Why these techniques?

Authorization bypass in delete_api_key endpoint directly enables unauthorized deletion of arbitrary user API keys, matching the Account Access Removal technique by disrupting authenticated access to workflows.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-33484 (same product: Langflow Langflow)
CVE-2026-0769 (same product: Langflow Langflow)
CVE-2026-33497 (same product: Langflow Langflow)
CVE-2026-33309 (same product: Langflow Langflow)
CVE-2026-0768 (same product: Langflow Langflow)
CVE-2026-33475 (same product: Langflow Langflow)
CVE-2026-33017 (same product: Langflow Langflow)
CVE-2026-42048 (same product: Langflow Langflow)
CVE-2026-21445 (same product: Langflow Langflow)
CVE-2026-7528 (same product: Langflow Langflow)

Affected Assets

Vendor: langflow
Product: langflow
Versions: ≤ 1.9.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

AC-3 (prevent): enforces approved authorizations for access to system resources, directly mitigating the missing ownership verification in the delete_api_key() function that allows deletion of arbitrary API keys.

AC-6 (prevent): implements least privilege, restricting authenticated users to deleting only their own API keys and preventing unauthorized deletions of others' keys.

IA-5 (prevent): manages authenticators such as API keys throughout their lifecycle, including procedures to ensure only owners can revoke or delete them.

References