CVE-2026-33497

← CVEs

HIGH 7.5

Published

2026-03-24

Last Modified

2026-03-24

Affected Apps

Affected Devices

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to version 1.7.1, in the download_profile_picture function of the /profile_pictures/{folder_name}/{file_name} endpoint, the folder_name and file_name parameters are not strictly filtered, which allows the secret_key to be read across directories. Version 1.7.1 contains a patch.

Affected Applications in Environment 5

7 devices

9 devices

1 device

2 devices

1 device

Affected Devices 19

118B-13 Windows 118B-14 Windows 118B-15 Windows 118B-18 Windows DESKTOP-2F2IHK3 Windows DPADVS-L72018DT Windows DPADVS-L72115D7 Windows DPAGNF-A7412369 Windows DPAGNF-A741236B Windows DPAGNF-A805193T Windows DPATHL-835405G Windows DPATHL-83540MD Windows DPBIOL-MITZI Windows DPELED-D81938YB Windows DPEMAE-92503DF Windows FACHVAC-HP640-2 Windows FACHVAC-HP640-4 Windows FACHVAC-HP640-5 Windows FACHVAC92505LP Windows

References 1

https://github.com/langflow-ai/langflow/security/advisories/GHSA-ph9w-r52h-28p7