PyPI: langflow

CVE-2026-21445

Safety vulnerability ID: SFTY-20260102-97829

Safety legacy ID: pyup.io-83855

Created at: Jan 16, 2026
Updated at: Jan 16, 2026

Overview

Langflow Missing Authentication on Critical API Endpoints

Advisory

Affected versions of the langflow and langflow-base packages are vulnerable to Improper Authentication due to missing FastAPI authentication dependencies on sensitive monitoring routes. The src/backend/base/langflow/api/v1/monitor.py module defines the /api/v1/monitor/messages (get_messages), /api/v1/monitor/transactions (get_transactions), and /api/v1/monitor/messages/session/{session_id} (delete_messages_session) endpoints without dependencies=[Depends(get_current_active_user)], leaving these handlers reachable without any user identity or authorization checks.

Affected Package

Affecting langflow package, versions <1.7.1

How to Fix

Upgrade langflow to 1.7.1 or higher.

Verified by Safety

Our Cybersecurity Intelligence Team reviewed this vulnerability. We combine public data with our own research to find issues not yet reported to public sources.