Any authenticated Langflow user can delete API keys belonging to other users due to a missing ownership check in the delete endpoint — a textbook IDOR. If your organization runs Langflow (on-prem or multi-tenant), treat all API keys as potentially compromised and upgrade to 1.9.0 immediately. This is a low-effort attack requiring only a valid account, making it a realistic insider or compromised-account threat.
Affected Systems
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| langflow | pip | < 1.7.2 | 1.7.2 |
Severity & Risk
Recommended Action
1. PATCH: Upgrade Langflow to version 1.9.0 immediately; this is the only complete fix.
2. DETECT: Audit logs for DELETE requests to /api/v1/api_keys/{id} (or equivalent) where the requesting user does not own the key_id. Look for patterns of bulk deletions or deletions of keys belonging to privileged accounts.
3. WORKAROUND (if patching is delayed): Restrict Langflow access to trusted users only via network controls; disable self-service API key management if not essential.
4. ROTATE: After patching, rotate all API keys as a precaution; you cannot rule out exploitation prior to the patch.
5. MONITOR: Enable alerting on API key deletion events across all Langflow instances.
Technical Details
NVD Description
Langflow is a tool for building and deploying AI-powered agents and workflows. In versions prior to 1.9.0, the delete_api_key_route() endpoint accepts an api_key_id path parameter and deletes the corresponding key after only a generic authentication check (the get_current_active_user dependency). The underlying delete_api_key() CRUD function does NOT verify that the API key belongs to the current user before deleting it, so any authenticated user can delete any key by id.
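As an added illustration (not Langflow's code; the in-memory store, dataclasses and function names below are constructed stand-ins), here is the delete pattern the NVD text describes beside a version that scopes the lookup to the calling user:

```python
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class ApiKey:
    # Constructed stand-in for an API-key row: id, owning user, label.
    id: int
    user_id: int
    name: str


@dataclass
class ApiKeyStore:
    keys: Dict[int, ApiKey] = field(default_factory=dict)

    def get(self, api_key_id: int) -> Optional[ApiKey]:
        return self.keys.get(api_key_id)


class NotFound(Exception):
    """Would map to HTTP 404 in a real route."""


def delete_api_key_vulnerable(store: ApiKeyStore, api_key_id: int) -> None:
    # The flaw: the caller is authenticated upstream, but the row is
    # selected by id alone, so ownership is never consulted.
    if api_key_id not in store.keys:
        raise NotFound
    del store.keys[api_key_id]


def delete_api_key_fixed(store: ApiKeyStore, api_key_id: int, current_user_id: int) -> None:
    # Hardened: the row must exist AND belong to the caller. Returning the
    # same 404 for "missing" and "not yours" avoids an id-existence oracle.
    key = store.get(api_key_id)
    if key is None or key.user_id != current_user_id:
        raise NotFound
    del store.keys[api_key_id]


def run_checks() -> dict:
    """Exercise both variants on a constructed store; returns outcomes."""
    def fresh() -> ApiKeyStore:
        return ApiKeyStore({1: ApiKey(1, 100, "admin-key"), 2: ApiKey(2, 200, "user-key")})

    results = {}
    store = fresh()
    delete_api_key_vulnerable(store, api_key_id=1)  # user 200's request removes user 100's key
    results["vulnerable_deleted_foreign_key"] = 1 not in store.keys
    store = fresh()
    try:
        delete_api_key_fixed(store, api_key_id=1, current_user_id=200)
        results["fixed_blocked_foreign_key"] = False
    except NotFound:
        results["fixed_blocked_foreign_key"] = 1 in store.keys
    delete_api_key_fixed(store, api_key_id=2, current_user_id=200)  # own key: allowed
    results["fixed_allows_own_key"] = 2 not in store.keys
    return results
```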
Exploitation Scenario
An attacker registers or compromises any low-privilege account in a multi-tenant Langflow deployment. They enumerate API key IDs by making sequential or pattern-based requests to the delete endpoint (e.g., DELETE /api/v1/api_keys/1, /2, /3...). Because the backend performs no ownership verification, the server deletes keys belonging to admins and other users without error. The attacker can systematically revoke all API keys in the system, causing immediate outages across all AI workflows, agent pipelines, and LLM integrations — effectively a targeted DoS on the organization's entire AI infrastructure. A more targeted variant would selectively delete only admin API keys while preserving their own access.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
References
- github.com/advisories/GHSA-rf6x-r45m-xv3w
- github.com/langflow-ai/langflow/commit/fdc1b3b1448ff3317d73d3e769a6c4a1717f74d7
- github.com/langflow-ai/langflow/releases/tag/1.7.2
- github.com/langflow-ai/langflow/security/advisories/GHSA-rf6x-r45m-xv3w