CVE-2026-33484 - Vulnerability Analysis
HighCVSS: 7.5Last Updated: March 24, 2026
Langflow - Broken Access Control
Published: March 24, 2026Updated: March 24, 2026PoC AvailableRemote Exploitable
Overview
Langflow 1.0.0 through 1.8.1 contains an information disclosure vulnerability caused by lack of authentication and ownership checks in the /api/v1/files/images/{flow_id}/{file_name} endpoint, letting unauthenticated attackers download any user's images by guessing flow_id, exploit requires knowledge or guess of flow_id.
Severity & Score
Severity: High
CVSS Score: 7.5
Impact
Attackers can download any user's uploaded images without credentials, leading to unauthorized data disclosure.
Mitigation
Upgrade to version 1.9.0 or later.
Related Resources
Details
- CVE ID
- CVE-2026-33484
- Severity
- High
- CVSS Score
- 7.5
- Type
- broken_access_control
- Status
- confirmed
CWE
- CWE-284
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N