CVE-2026-33053

← CVEs

HIGH 8.8

Published

2026-03-20

Last Modified

2026-03-20

Affected Apps

Affected Devices

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Langflow is a tool for building and deploying AI-powered agents and workflows. In versions prior to 1.9.0, the delete_api_key_route() endpoint accepts an api_key_id path parameter and deletes it with only a generic authentication check (get_current_active_user dependency). However, the delete_api_key() CRUD function does NOT verify that the API key belongs to the current user before deletion.

Affected Applications in Environment 5

7 devices

9 devices

1 device

2 devices

1 device

Affected Devices 19

118B-13 Windows 118B-14 Windows 118B-15 Windows 118B-18 Windows DESKTOP-2F2IHK3 Windows DPADVS-L72018DT Windows DPADVS-L72115D7 Windows DPAGNF-A7412369 Windows DPAGNF-A741236B Windows DPAGNF-A805193T Windows DPATHL-835405G Windows DPATHL-83540MD Windows DPBIOL-MITZI Windows DPELED-D81938YB Windows DPEMAE-92503DF Windows FACHVAC-HP640-2 Windows FACHVAC-HP640-4 Windows FACHVAC-HP640-5 Windows FACHVAC92505LP Windows

References 1

https://github.com/langflow-ai/langflow/security/advisories/GHSA-rf6x-r45m-xv3w