Mar 27, 2026 • Joshua Martinelle
Langflow - Application Logs Exposed to All Authenticated Users
Executive Summary
A significant vulnerability has been identified in the Langflow application affecting its log router functionality. The '/logs' and '/logs-stream' endpoints are improperly configured, allowing any authenticated user to access the full application log buffer without requiring administrative privileges. This information disclosure flaw stems from the omission of the necessary privilege check (such as 'is_superuser'): the routes rely solely on basic authentication. Consequently, low-privilege users could potentially access sensitive operational data, credentials, or internal system details recorded in the logs. This exposure increases the risk of further exploitation through credential harvesting or system mapping. Organizations using Langflow should immediately audit their access controls and implement strict privilege verification for log access endpoints. Patching the application to enforce role-based access control (RBAC) on these specific routes is critical to prevent unauthorized data leakage and maintain the confidentiality of internal application processes.
Summary
The '/logs' and '/logs-stream' endpoints in the log router allow any authenticated user to read the full application log buffer. These endpoints only require basic authentication ('get_current_active_user') without any privilege checks (e.g., 'is_superuser').
Joshua Martinelle, Fri, 03/27/2026 - 10:37
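The following is an added example, not Langflow's own code, that models the gap described above in plain Python so it runs without FastAPI: a basic-authentication dependency (named 'get_current_active_user' after the advisory's wording) beside a stricter superuser dependency, the same log handler wired to each, and a small route audit that flags log endpoints whose dependency chain never reaches the superuser check. The 'User' dataclass, the 'HTTPException' stand-in, the route table and the log buffer contents are all constructed assumptions for illustration.

```python
"""Added example (not Langflow's code): the missing 'is_superuser' check on
the '/logs' and '/logs-stream' routes, modelled as plain Python callables.

Assumed names mirroring the advisory's wording:
  - get_current_active_user: the basic-authentication dependency.
  - is_superuser: the user attribute the vulnerable routes never check.
The log buffer and route table below are constructed sample data.
"""
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass
class User:
    username: str
    is_active: bool = True
    is_superuser: bool = False


class HTTPException(Exception):
    """Minimal stand-in for a web framework's HTTP error."""

    def __init__(self, status_code: int, detail: str):
        super().__init__(detail)
        self.status_code = status_code
        self.detail = detail


# Constructed in-memory log buffer; the second line shows the kind of
# secret an application log can accidentally contain (placeholder value).
LOG_BUFFER = [
    "2026-03-27 10:00:01 INFO  server started on :7860",
    "2026-03-27 10:00:05 DEBUG db url postgresql://app:<sample-password>@db/app",
]


def get_current_active_user(user: Optional[User]) -> User:
    """Basic-authentication dependency: only checks that the caller is
    authenticated and active. This is all the vulnerable routes require."""
    if user is None:
        raise HTTPException(401, "Not authenticated")
    if not user.is_active:
        raise HTTPException(400, "Inactive user")
    return user


def get_current_active_superuser(user: Optional[User]) -> User:
    """The missing privilege check: builds on the basic dependency and
    additionally requires is_superuser, failing closed with 403."""
    user = get_current_active_user(user)
    if not user.is_superuser:
        raise HTTPException(403, "The user doesn't have enough privileges")
    return user


def read_logs_vulnerable(user: Optional[User]) -> list:
    """Mirrors the flawed route: any active authenticated user gets the buffer."""
    get_current_active_user(user)
    return list(LOG_BUFFER)


def read_logs_fixed(user: Optional[User]) -> list:
    """Hardened route: identical handler body, stricter dependency."""
    get_current_active_superuser(user)
    return list(LOG_BUFFER)


def status_for(handler: Callable, user: Optional[User]) -> int:
    """Run a handler and report the HTTP status it would produce."""
    try:
        handler(user)
        return 200
    except HTTPException as exc:
        return exc.status_code


# Constructed route table: path -> list of dependencies guarding it.
ROUTES = {
    "/logs": [get_current_active_user],
    "/logs-stream": [get_current_active_user],
    "/api/v1/flows": [get_current_active_user],
}


def audit_routes(routes: dict) -> list:
    """Defender-side check: report log routes whose dependency list lacks
    the superuser guard, i.e. routes exposed exactly as the advisory describes."""
    findings = []
    for path, deps in routes.items():
        if "log" in path and get_current_active_superuser not in deps:
            findings.append(path)
    return findings


if __name__ == "__main__":
    alice = User("alice")                       # ordinary authenticated user
    admin = User("admin", is_superuser=True)
    print("vulnerable, alice:", status_for(read_logs_vulnerable, alice))  # 200
    print("fixed, alice:     ", status_for(read_logs_fixed, alice))       # 403
    print("fixed, admin:     ", status_for(read_logs_fixed, admin))       # 200
    print("unguarded log routes:", audit_routes(ROUTES))
```

The fix keeps the handler unchanged and only swaps the dependency, which is the shape of change the advisory calls for: the privilege decision lives in one reusable guard rather than being re-implemented inside each log route, so a new log endpoint declared with the superuser dependency cannot regress silently.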