LeakyCreds

CVE-2026-33484 - Vulnerability Analysis

High, CVSS: 7.5

Last Updated: March 24, 2026

Langflow - Broken Access Control

Published: March 24, 2026 | Updated: March 24, 2026 | PoC Available | Remote Exploitable

Overview

Langflow 1.0.0 through 1.8.1 contains an information disclosure vulnerability: the `/api/v1/files/images/{flow_id}/{file_name}` endpoint performs no authentication or ownership checks, so an unauthenticated attacker can download any user's images. Exploitation requires knowing or guessing the flow_id.

Severity & Score

Severity: High
CVSS Score: 7.5
EPSS Score: 1.7% (Probability of exploitation in next 30 days)

Impact

Attackers can download any user's uploaded images without credentials, leading to unauthorized data disclosure.

Mitigation

Upgrade to version 1.9.0 or later.

Social Media Activity (1 post)

TheHackerWire
@thehackerwire
Mar 24, 2026

🟠 CVE-2026-33484 - High (7.5) Langflow is a tool for building and deploying AI-powered agents and workflows. In versions 1.0.0 through 1.8.1, the `/api/v1/files/images/{flow_id}/{file_name}` endpoint serves image files without any authentication or ownership check. Any unauthe... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-33484/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

Details

CVE ID: CVE-2026-33484
Severity: High
CVSS Score: 7.5
Type: broken_access_control
Status: confirmed
EPSS: 1.7%
Social Posts: 1

CWE

  • CWE-284

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS Score

1.7% (Probability of exploitation in the next 30 days)