Langflow is a platform for building and deploying AI-powered agents and workflows. Versions 1.0.0 through 1.8.1 contain a critical security flaw in the image-serving API endpoint /api/v1/files/images/{flow_id}/{file_name}. This endpoint does not enforce any authentication or authorization checks before serving image files. Because flow_id values are UUIDs that can be leaked or inferred from other API responses, an attacker can enumerate or guess these identifiers to access images uploaded by other users. This represents an improper access control vulnerability (CWE-284) combined with information exposure (CWE-639) and missing authorization checks (CWE-862). The vulnerability allows unauthenticated remote attackers to retrieve sensitive image files, violating confidentiality. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) reflects that exploitation requires no privileges or user interaction, is remotely exploitable over the network, and results in high confidentiality impact without affecting integrity or availability. No known exploits are currently reported in the wild. The issue is resolved in langflow version 1.9.0 by adding proper authentication and ownership verification to the endpoint.

The primary impact of this vulnerability is unauthorized disclosure of sensitive image files uploaded by users in multi-tenant langflow deployments. Attackers can access private images without authentication, potentially exposing confidential or proprietary information embedded in these images. This breach of confidentiality can lead to privacy violations, intellectual property theft, or leakage of sensitive business data. Since the vulnerability does not affect integrity or availability, the threat is limited to data exposure. However, the ease of exploitation (no authentication or user interaction required) and the widespread use of langflow in AI workflow deployments increase the risk. Organizations using affected versions may face reputational damage, compliance violations, and potential financial losses if sensitive data is exposed. Multi-tenant cloud environments and managed service providers running langflow are particularly at risk due to shared infrastructure and multiple users.

1. Upgrade langflow to version 1.9.0 or later immediately, as this version contains the patch that enforces authentication and ownership checks on the vulnerable endpoint. 2. If upgrading is not immediately possible, implement network-level access controls to restrict access to the /api/v1/files/images/ endpoint only to trusted users or internal networks. 3. Monitor API logs for unusual access patterns or repeated requests to image endpoints with varying flow_id values, which may indicate enumeration attempts. 4. Review and audit other API endpoints for similar improper access control issues to prevent further data leakage. 5. Educate developers and administrators about secure API design principles, emphasizing the need for strict authentication and authorization on all resource-serving endpoints. 6. Consider implementing rate limiting and anomaly detection on API endpoints to reduce the risk of automated attacks. 7. Conduct regular security assessments and penetration testing focused on multi-tenant access controls in langflow deployments.