GHSA-7hw8-6q6r-4276

Source

https://github.com/advisories/GHSA-7hw8-6q6r-4276

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-7hw8-6q6r-4276/GHSA-7hw8-6q6r-4276.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-7hw8-6q6r-4276

Aliases

CVE-2026-55423

Published

2026-06-19T21:17:01Z

Modified

2026-06-19T21:30:11.520969878Z

Severity

6.1 (Medium) CVSS_V3 - CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N CVSS Calculator

Summary

Langflow: Logout button does not clear session

Details

Summary

The logout button does not clear the session. The previous user stays logged in unless another user explicitly logs in.

Details

Not in auto login mode. Hosted on localhost. access_token_lf remains present in both Local Storage and Cookies. refresh_token_lf remains present in Cookies.

Root cause: the /logout endpoint deleted the authentication cookies without matching the original httponly/samesite/secure/domain parameters, so the browser kept them; additionally the frontend did not clear the auth cookies on logout.

LANGFLOW_AUTO_LOGIN: "False"
LANGFLOW_SUPERUSER: <set>
LANGFLOW_SUPERUSER_PASSWORD: <set>
LANGFLOW_SECRET_KEY: <set>
LANGFLOW_NEW_USER_IS_ACTIVE: "False"
LANGFLOW_ENABLE_SUPERUSER_CLI: "False"

PoC

Click Logout. Hit refresh to return to previous screen.

Impact

Users on shared computers may falsely believe they have terminated their session.

Patches

Fixed in 1.7.0 (PRs #10527 and #10528). The logout endpoint now deletes the auth cookies using the same parameters they were created with, and the frontend clears the auth cookies on logout. Upgrade to 1.7.0 or later.

Database specific

{
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-19T21:17:01Z",
    "nvd_published_at": null,
    "severity": "MODERATE",
    "cwe_ids": [
        "CWE-613"
    ]
}

References

Affected packages

PyPI / langflow

Package

Name: langflow; View open source insights on deps.dev
Purl: pkg:pypi/langflow

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.7.1

Affected versions

0.*

0.0.31

0.0.32

0.0.33

0.0.40

0.0.44

0.0.45

0.0.46

0.0.52

0.0.53

0.0.54

0.0.55

0.0.56

0.0.57

0.0.58

0.0.61

0.0.62

0.0.63

0.0.64

0.0.65

0.0.66

0.0.67

0.0.68

0.0.69

0.0.70

0.0.71

0.0.72

0.0.73

0.0.74

0.0.75

0.0.76

0.0.78

0.0.79

0.0.80

0.0.81

0.0.83

0.0.84

0.0.85

0.0.86

0.0.87

0.0.88

0.0.89

0.1.0

0.1.2

0.1.3

0.1.4

0.1.5

0.1.6

0.1.7

0.2.0

0.2.1

0.2.2

0.2.3

0.2.4

0.2.5

0.2.6

0.2.7

0.2.8

0.2.9

0.2.10

0.2.11

0.2.12

0.2.13

0.3.0

0.3.1

0.3.2

0.3.3

0.3.4

0.4.0

0.4.1

0.4.2

0.4.3

0.4.4

0.4.5

0.4.6

0.4.7

0.4.8

0.4.9

0.4.10

0.4.11

0.4.12

0.4.14

0.4.15

0.4.16

0.4.17

0.4.18

0.4.19

0.4.20

0.4.21

0.5.0a0

0.5.0a1

0.5.0a2

0.5.0a3

0.5.0a4

0.5.0a5

0.5.0a6

0.5.0b0

0.5.0b2

0.5.0b3

0.5.0b4

0.5.0b5

0.5.0b6

0.5.0

0.5.1

0.5.2

0.5.3

0.5.4

0.5.5

0.5.6

0.5.7

0.5.8

0.5.9

0.5.10

0.5.11

0.5.12

0.6.0rc1

0.6.0

0.6.1

0.6.2

0.6.3a0

0.6.3a1

0.6.3a2

0.6.3a3

0.6.3a4

0.6.3a5

0.6.3a6

0.6.3a7

0.6.3

0.6.4a0

0.6.4a1

0.6.4

0.6.5a0

0.6.5a1

0.6.5a2

0.6.5a3

0.6.5a4

0.6.5a5

0.6.5a6

0.6.5a7

0.6.5a8

0.6.5a9

0.6.5a10

0.6.5a11

0.6.5a12

0.6.5a13

0.6.5

0.6.6

0.6.7a1

0.6.7a2

0.6.7a3

0.6.7a5

0.6.7

0.6.8

0.6.9

0.6.10

0.6.11

0.6.12

0.6.14

0.6.15

0.6.16

0.6.17

0.6.18

0.6.19

1.*

1.0.0a0

1.0.0a1

1.0.0a2

1.0.0a3

1.0.0a4

1.0.0a5

1.0.0a6

1.0.0a7

1.0.0a8

1.0.0a9

1.0.0a10

1.0.0a11

1.0.0a12

1.0.0a13

1.0.0a14

1.0.0a15

1.0.0a17

1.0.0a18

1.0.0a19

1.0.0a20

1.0.0a21

1.0.0a22

1.0.0a23

1.0.0a24

1.0.0a25

1.0.0a26

1.0.0a27

1.0.0a28

1.0.0a29

1.0.0a30

1.0.0a31

1.0.0a32

1.0.0a33

1.0.0a34

1.0.0a35

1.0.0a36

1.0.0a37

1.0.0a38

1.0.0a39

1.0.0a40

1.0.0a41

1.0.0a42

1.0.0a43

1.0.0a44

1.0.0a45

1.0.0a46

1.0.0a47

1.0.0a48

1.0.0a49

1.0.0a50

1.0.0a51

1.0.0a52

1.0.0a53

1.0.0a55

1.0.0a56

1.0.0a57

1.0.0a58

1.0.0a59

1.0.0a60

1.0.0a61

1.0.0rc0

1.0.0rc1

1.0.0

1.0.1

1.0.2

1.0.3

1.0.4

1.0.5

1.0.6

1.0.7

1.0.8

1.0.9

1.0.10

1.0.11

1.0.12

1.0.13

1.0.14

1.0.15

1.0.16

1.0.17

1.0.18

1.0.19

1.0.19.post1

1.0.19.post2

1.1.0

1.1.1

1.1.2

1.1.3

1.1.4

1.1.4.post1

1.2.0

1.3.0

1.3.1

1.3.2

1.3.3

1.3.4

1.4.0

1.4.1

1.4.2

1.4.3

1.5.0

1.5.0.post1

1.5.0.post2

1.5.1

1.6.0

1.6.1

1.6.2

1.6.3

1.6.4

1.6.5

1.6.6

1.6.7

1.6.8

1.6.9

1.7.0

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-7hw8-6q6r-4276/GHSA-7hw8-6q6r-4276.json"

last_known_affected_version_range

"< 1.7.0"