Mar 27, 2026 • Joshua Martinelle
Langflow - Missing Authorization on download_image endpoint
Executive Summary
A critical authorization vulnerability exists within the Langflow platform, specifically impacting the download_image endpoint. The API path '/api/v1/files/images/{flow_id}/{file_name}' lacks necessary authentication or authorization checks. Consequently, unauthenticated users can download images belonging to any flow by knowing or guessing the flow ID and file name. This broken access control creates a significant risk of information disclosure, potentially exposing sensitive visualizations or proprietary data stored within the system. Although no specific threat actors or malware families are associated with this disclosure, the vulnerability enables easy data exfiltration. Affected organizations must prioritize remediation by applying vendor patches, enforcing strict access controls on all API endpoints, and monitoring logs for suspicious access patterns. Security teams should verify configuration settings. Immediate action is required to prevent unauthorized data access and maintain the confidentiality of assets managed within the Langflow environment.
Summary
The '/api/v1/files/images/{flow_id}/{file_name}' endpoint does not enforce any authentication or authorization checks, allowing any unauthenticated user to download images belonging to any flow by knowing (or guessing) the flow ID and file name.
Joshua Martinelle, Fri, 03/27/2026 - 10:29
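The log monitoring recommended in the executive summary can key on the endpoint path itself: a client that requests images across many flows, or that accumulates failed lookups, stands out from normal use. The following Python script is an added example, not code from Langflow or from the advisory; it assumes a reverse proxy writing common/combined-format access logs, and the thresholds, function names and sample lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Path named in the advisory: /api/v1/files/images/{flow_id}/{file_name}
IMAGE_PATH = re.compile(r"^/api/v1/files/images/(?P<flow_id>[^/?]+)/(?P<file_name>[^/?]+)")
# Assumption: common/combined access log layout written by a reverse proxy.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')

def summarize(lines):
    """Per client IP: distinct flow IDs requested, 2xx hits and non-2xx misses."""
    stats = defaultdict(lambda: {"flows": set(), "hits": 0, "misses": 0})
    for line in lines:
        m = LOG_LINE.match(line)
        p = IMAGE_PATH.match(m["path"]) if m else None
        if not p:
            continue  # unparseable line, or not an image download request
        entry = stats[m["ip"]]
        entry["flows"].add(p["flow_id"])
        entry["hits" if m["status"].startswith("2") else "misses"] += 1
    return dict(stats)

def flag_clients(lines, max_flows=3, max_misses=5):
    """Return {ip: [reasons]} for clients above the (assumed) thresholds."""
    flagged = {}
    for ip, s in summarize(lines).items():
        reasons = []
        if len(s["flows"]) > max_flows:
            reasons.append(f"{len(s['flows'])} distinct flow IDs")
        if s["misses"] > max_misses:
            reasons.append(f"{s['misses']} non-2xx image requests")
        if reasons:
            flagged[ip] = reasons
    return flagged

def _line(ip, flow, name, status):
    # Builds one constructed log line; IPs come from documentation ranges.
    return (f'{ip} - - [01/Jan/2026:00:00:00 +0000] '
            f'"GET /api/v1/files/images/{flow}/{name} HTTP/1.1" {status} 512 "-" "-"')

# Constructed sample: one ordinary client, one client walking many flow IDs.
SAMPLE = (
    [_line("192.0.2.10", "flow-a", "chart.png", 200)] * 2
    + [_line("198.51.100.7", f"flow-{i}", "chart.png", 404) for i in range(6)]
    + [_line("198.51.100.7", "flow-a", "chart.png", 200)]
    + ['192.0.2.10 - - [01/Jan/2026:00:00:01 +0000] "GET /health HTTP/1.1" 200 2 "-" "-"']
)

if __name__ == "__main__":
    for ip, reasons in flag_clients(SAMPLE).items():
        print(ip, "->", "; ".join(reasons))
```

Access logs in this format do not record whether a request carried credentials, so the script flags request patterns only; once authorization is enforced on the endpoint, rejected requests are counted as misses as well.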