CVE-2026-33484
Published: 24 March 2026
Summary
CVE-2026-33484 is a high-severity Improper Access Control (CWE-284) vulnerability in Langflow Langflow. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 6.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
This vulnerability is AI-related — categorised as Other AI Platforms.
The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
AC-3 mandates enforcement of approved authorizations for access to system resources, directly preventing unauthenticated retrieval of user images via the vulnerable endpoint.
AC-14 requires explicit identification and authorization of actions performable without authentication, mitigating the endpoint's permission of unauthorized image serving.
AC-6 enforces least privilege to restrict access to only authorized users, addressing unauthorized downloads of other tenants' images in multi-tenant deployments.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Vuln is unauthenticated remote access to uploaded image files via public /api endpoint in Langflow (T1190); directly enables retrieval of sensitive files stored on the server (T1005).
NVD Description
Langflow is a tool for building and deploying AI-powered agents and workflows. In versions 1.0.0 through 1.8.1, the `/api/v1/files/images/{flow_id}/{file_name}` endpoint serves image files without any authentication or ownership check. Any unauthenticated request with a known flow_id and file_name returns the…
more
image with HTTP 200. In a multi-tenant deployment, any attacker who can discover or guess a `flow_id` (UUIDs can be leaked through other API responses) can download any user's uploaded images without credentials. Version 1.9.0 contains a patch.
Deeper analysisAI
CVE-2026-33484 is a vulnerability in Langflow, an open-source tool for building and deploying AI-powered agents and workflows. It affects versions 1.0.0 through 1.8.1, where the `/api/v1/files/images/{flow_id}/{file_name}` endpoint serves image files without any authentication or ownership checks. Any unauthenticated HTTP request providing a known flow_id and file_name receives the image with a 200 response.
The vulnerability enables unauthenticated remote attackers to exploit it over the network with low complexity and no privileges. In multi-tenant deployments, attackers who discover or guess a flow_id—possible via UUIDs leaked through other API responses—can download any user's uploaded images without credentials. This yields high confidentiality impact, reflected in a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) and linked to CWEs-284 (Improper Access Control), CWE-639 (Authorization Bypass Through User-Controlled Key), and CWE-862 (Missing Authorization).
The GitHub security advisory at https://github.com/langflow-ai/langflow/security/advisories/GHSA-7grx-3xcx-2xv5 documents the issue and confirms that Langflow version 1.9.0 includes a patch addressing the lack of authentication and ownership verification on the endpoint.
Langflow's role in AI agent and workflow deployments underscores the need for secure file handling in multi-tenant AI platforms, as exposed images could contain sensitive data used in AI processing.
Details
- CWE(s)
Affected Products
AI Security AnalysisAI
- AI Category
- Other AI Platforms
- Risk Domain
- N/A
- OWASP Top 10 for LLMs 2025
- None mapped
- Classification Reason
- Matched keywords: ai