CVE-2026-34046 is an authorization bypass vulnerability identified in langflow, a tool used for building and deploying AI-powered agents and workflows. The vulnerability exists in the _read_flow helper function located in src/backend/base/langflow/api/v1/flows.py. Prior to version 1.5.1, this function used conditional logic based on the AUTO_LOGIN setting to determine whether to filter flows by user ownership (user_id). When AUTO_LOGIN was set to False, meaning authentication was enabled, the function failed to enforce ownership checks, allowing any authenticated user to retrieve flows by UUID regardless of ownership. This flaw permitted unauthorized users to read other users' flows, which could contain sensitive information such as plaintext API keys, modify the logic of AI agents owned by others, or delete their flows. The root cause was the attempt to accommodate public/example flows (with user_id set to NULL) under auto-login mode, but this inadvertently left the authenticated path without proper filtering. The fix implemented in version 1.5.1 removes the AUTO_LOGIN conditional entirely and enforces unconditional scoping of flow queries to the requesting user, thereby restoring proper authorization controls. The vulnerability carries a CVSS 4.0 score of 8.7, reflecting its high severity due to network exploitability, low attack complexity, no required privileges beyond authentication, and no user interaction needed. Although no known exploits are reported in the wild, the impact of unauthorized access to AI workflows and embedded credentials is significant.

This vulnerability poses a serious risk to organizations using langflow for AI workflow management. Unauthorized access to other users' flows can lead to exposure of sensitive data such as plaintext API keys, which can be leveraged to compromise other systems or cloud services. Attackers can also modify or delete AI agent logic, potentially disrupting automated processes or causing incorrect AI behavior, leading to operational failures or business process corruption. The ability to manipulate AI workflows undermines data integrity and availability, while unauthorized read access compromises confidentiality. Given that exploitation requires only authenticated access, insider threats or compromised user accounts can easily leverage this flaw. Organizations relying on langflow for critical AI deployments may face data breaches, service disruptions, and loss of trust. The vulnerability's network accessibility and lack of user interaction requirements increase the likelihood of exploitation in multi-tenant or collaborative environments.

Organizations should immediately upgrade langflow to version 1.5.1 or later, where the vulnerability is fixed by enforcing strict user ownership checks on flow queries. Until patching is possible, implement compensating controls such as restricting access to langflow instances to trusted users only and monitoring user activity for unusual access patterns to other users' flows. Employ strong authentication mechanisms and consider multi-factor authentication to reduce risk from compromised credentials. Review and audit stored AI workflows for exposure of sensitive information like API keys and rotate any potentially leaked credentials. Limit the use of shared or public flows to minimize the attack surface. Additionally, conduct regular code reviews and penetration testing focused on authorization logic to detect similar flaws. Network segmentation and access controls can further reduce exposure of vulnerable langflow instances to untrusted networks.