CVE-2026-5022 MEDIUM

CVE-2026-5022: Langflow - Missing Authorization on download_image Endpoint

Vendor Langflow-Ai
Product langflow
Weakness CWE-862 · Missing authorization
Published March 27, 2026
Last update March 27, 2026

CVSS base score

6.3/10
Attack vector Network
Attack complexity High
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

01Description

The '/api/v1/files/images/{flow_id}/{file_name}' endpoint does not enforce any authentication or authorization checks, allowing any unauthenticated user to download images belonging to any flow by knowing (or guessing) the flow ID and file name.

Key dates

02Disclosure timeline

March 27, 2026 CVE published
March 27, 2026 Record updated

Related vulnerabilities

04Related CVE