python · langflow · Critical
Langflow IDOR Vulnerability in /api/v1/responses Endpoint Fixed in 1.9.1
An IDOR vulnerability in the `/api/v1/responses` endpoint allowed authenticated attackers to execute any flow by specifying another user's flow ID.
What changed
The `/api/v1/responses` endpoint resolved the requested flow without checking that it belonged to the calling user, so any authenticated attacker could execute another user's flow simply by specifying its flow ID. Langflow 1.9.1 fixes this by enforcing user ownership checks in `get_flow_by_id_or_endpoint_name`.
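The defect and its fix follow a generic IDOR pattern: a lookup keyed only on a caller-supplied identifier, hardened by making ownership part of the lookup predicate. The following is an added illustration of that pattern, not Langflow's code; the `Flow` dataclass, the in-memory `FLOWS` store, the user IDs and the function names other than the page's `get_flow_by_id_or_endpoint_name` are all constructed for the example.

```python
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class Flow:
    """Minimal stand-in for a stored flow (constructed for this example)."""
    id: str
    owner_id: str
    endpoint_name: Optional[str] = None


class FlowNotFound(Exception):
    """Raised when no flow matches; maps to an HTTP 404 at the API layer."""


# Constructed sample data: two users, each owning exactly one flow.
FLOWS = {
    "flow-a": Flow(id="flow-a", owner_id="alice", endpoint_name="alice-bot"),
    "flow-b": Flow(id="flow-b", owner_id="bob", endpoint_name="bob-bot"),
}


def lookup_flow_unscoped(id_or_name: str, user_id: str) -> Flow:
    """Vulnerable shape: resolve by id or endpoint name and ignore who is asking.

    Any authenticated caller who knows (or guesses) a flow id or endpoint name
    gets the flow back, regardless of ownership.
    """
    for flow in FLOWS.values():
        if flow.id == id_or_name or flow.endpoint_name == id_or_name:
            return flow
    raise FlowNotFound(id_or_name)


def get_flow_by_id_or_endpoint_name(id_or_name: str, user_id: str) -> Flow:
    """Hardened shape: ownership is part of the match, not a separate afterthought.

    A flow the caller does not own is indistinguishable from one that does not
    exist, so the endpoint neither executes it nor confirms that it exists.
    """
    for flow in FLOWS.values():
        owned = flow.owner_id == user_id
        matches = flow.id == id_or_name or flow.endpoint_name == id_or_name
        if owned and matches:
            return flow
    raise FlowNotFound(id_or_name)


def can_execute(id_or_name: str, user_id: str,
                lookup: Callable[[str, str], Flow]) -> bool:
    """Return True if the given lookup would let user_id run the flow."""
    try:
        lookup(id_or_name, user_id)
        return True
    except FlowNotFound:
        return False


if __name__ == "__main__":
    # alice reaching for bob's flow: the unscoped lookup lets her run it,
    # the ownership-scoped lookup does not.
    print("unscoped :", can_execute("flow-b", "alice", lookup_flow_unscoped))
    print("scoped   :", can_execute("flow-b", "alice", get_flow_by_id_or_endpoint_name))
    print("own flow :", can_execute("alice-bot", "alice", get_flow_by_id_or_endpoint_name))
```

Two design points worth carrying into a real service: the ownership predicate belongs inside the query (a `WHERE owner_id = :user` clause, or the equivalent ORM filter) rather than in a post-fetch `if` that is easy to forget on the next code path, and the non-owned case should surface as the same 404 as a missing flow so the endpoint does not become an oracle for which flow IDs exist.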
Who it affects
All Langflow instances before 1.9.1; any authenticated user could execute flows belonging to other users.
What to do today
Upgrade to Langflow 1.9.1 or later immediately.