CVE-2026-33053

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2026-33053

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-33053.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2026-33053

Aliases

Published

2026-03-20T06:53:48.471Z

Modified

2026-05-20T08:11:18.414994216Z

Severity

6.1 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:L CVSS Calculator

Summary

Langflow has Missing Ownership Verification in API Key Deletion (IDOR)

Details

Langflow is a tool for building and deploying AI-powered agents and workflows. In versions prior to 1.9.0, the deleteapikeyroute() endpoint accepts an apikeyid path parameter and deletes it with only a generic authentication check (getcurrentactiveuser dependency). However, the deleteapikey() CRUD function does NOT verify that the API key belongs to the current user before deletion.

Database specific

{
    "cna_assigner": "GitHub_M",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/33xxx/CVE-2026-33053.json",
    "cwe_ids": [
        "CWE-639"
    ]
}

References

Affected packages

Git / github.com/langflow-ai/langflow

Affected ranges

Type: GIT
Repo: https://github.com/langflow-ai/langflow
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

7f3b01629629d3229550259d2a969525b2a09391

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-33053.json"