CVE-2026-21445 — Langflow missing authentication on critical API endpoints, exploited in the wild
Disclosed vulnerability, 02 Jan 2026

Langflow is a widely used open-source visual builder for AI agents and LLM workflows. CVE-2026-21445 (CWE-306, Missing Authentication for Critical Function; CVSS 8.8, High) is a broken-authentication flaw: several critical Langflow API endpoints, reportedly the FastAPI monitor endpoints, were missing the authentication checks that the rest of the API applies. Per the GitHub Security Advisory (GHSA-c5cp-vx83-jhqx), an unauthenticated user could read sensitive user conversation data and transaction/activity histories and perform destructive operations, including deleting message sessions, without any valid credentials.

Affected versions: langflow up to and including 1.7.0.dev44 (patched in 1.7.1) and langflow-base up to and including 0.6.9 (patched in 0.7.1).

Timeline: the advisory was published on 2 Jan 2026. Per CrowdSec's tracking, a public proof-of-concept repository appeared by 4 Jan 2026, a public Nuclei detection template was merged on 30 Mar 2026, and the first in-the-wild exploitation was reported around 9 Apr 2026; reporting indicates it was subsequently added to KEV-style catalogs.

Why it matters: the exposed attack surface is the agent-builder control plane itself, the orchestration platform sitting in the agent build stack, rather than the model or an individual MCP server. The failure mode is the usual one for CWE-306: when authentication is attached route by route, any route that never received the check is open to everyone. The practical check for a deployment is whether an unauthenticated request to the monitor endpoints returns data instead of a 401/403; the durable fixes are a deny-by-default gate in front of the whole API and keeping the control plane off the public internet.

Scope: as described by the GitHub Advisory and CrowdSec, confirmed exposure covers conversation/transaction data and message-session deletion. Broader claims such as direct API-key or arbitrary server-file exposure are not established for this CVE and likely belong to separate Langflow RCE issues. A link sometimes drawn between this CVE and the 'Operation Bizarre Bazaar' LLM-endpoint campaign is not supported by the primary reporting on that campaign and is not made here.
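The added example below is not Langflow's code and does not reproduce its routes or authentication scheme; it is a stand-alone, standard-library-only model of the bug class. A toy "control plane" API is served in two shapes: the vulnerable one, where each route is expected to call the auth check itself and the monitor routes never do (the CWE-306 pattern the advisory describes), and the hardened one, where a single deny-by-default gate sits in front of every /api/ path. A read-only probe of the kind a detection template would perform then checks whether the monitor endpoint answers without credentials. The paths /api/v1/monitor/messages and /api/v1/flows, the header name x-api-key, the key value and the session data are all assumed for this example.

```python
import json
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Assumed values for this demo only; they are not Langflow's real paths or key.
API_KEY = "example-api-key"
MONITOR_PATH = "/api/v1/monitor/messages"


def make_handler(deny_by_default: bool):
    """Return a request handler for a toy control-plane API.

    deny_by_default=False reproduces the CWE-306 shape: each route is expected to
    call the auth check itself, and the monitor routes never do.
    deny_by_default=True is the hardened shape: one gate in front of every /api/
    path, so a route cannot ship unauthenticated by omission.
    """
    # Constructed sample data standing in for stored conversation history.
    sessions = {"session-1": [{"role": "user", "text": "internal ticket 1234"}]}

    class Handler(BaseHTTPRequestHandler):
        def log_message(self, *args):
            pass  # keep the demo quiet

        def _authorized(self):
            return self.headers.get("x-api-key") == API_KEY

        def _send(self, code, body):
            data = json.dumps(body).encode()
            self.send_response(code)
            self.send_header("Content-Type", "application/json")
            self.send_header("Content-Length", str(len(data)))
            self.end_headers()
            self.wfile.write(data)

        def _gated(self):
            """Deny by default: refuse any /api/ request that lacks a valid key."""
            if deny_by_default and self.path.startswith("/api/") and not self._authorized():
                self._send(401, {"detail": "unauthorized"})
                return True
            return False

        def do_GET(self):
            if self._gated():
                return
            if self.path == "/api/v1/flows":
                if not self._authorized():  # per-route check: this route has one
                    return self._send(401, {"detail": "unauthorized"})
                return self._send(200, {"flows": []})
            if self.path == MONITOR_PATH:
                # ...but the monitor route was never given one: history leaks.
                return self._send(200, {"sessions": sessions})
            self._send(404, {"detail": "not found"})

        def do_DELETE(self):
            if self._gated():
                return
            if self.path.startswith(MONITOR_PATH + "/"):
                session_id = self.path.rsplit("/", 1)[-1]
                # Destructive operation, reachable without credentials when not gated.
                sessions.pop(session_id, None)
                return self._send(200, {"deleted": session_id, "remaining": list(sessions)})
            self._send(404, {"detail": "not found"})

    return Handler


def serve(deny_by_default: bool):
    """Start the toy API on a random loopback port; returns (server, base_url)."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), make_handler(deny_by_default))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}"


def _status(base_url, method, path, headers=None):
    req = urllib.request.Request(base_url + path, method=method, headers=headers or {})
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def probe(base_url):
    """Read-only exposure check: a 200 on the monitor path with no credentials means
    the control plane is open. Never issues DELETE; do not verify the destructive
    side of a bug like this against a live system."""
    unauth = _status(base_url, "GET", MONITOR_PATH)
    auth = _status(base_url, "GET", MONITOR_PATH, {"x-api-key": API_KEY})
    return {"unauthenticated": unauth, "authenticated": auth, "exposed": unauth == 200}


def run_demo():
    """Probe both shapes; also records what an unauthenticated DELETE gets back
    (allowed here because the target is the in-process toy server)."""
    results = {}
    for name, hardened in (("vulnerable", False), ("hardened", True)):
        server, url = serve(hardened)
        try:
            results[name] = probe(url)
            results[name]["delete_unauth"] = _status(url, "DELETE", MONITOR_PATH + "/session-1")
        finally:
            server.shutdown()
            server.server_close()
    return results


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

Running it prints the probe result for both shapes: the vulnerable server returns 200 to the unauthenticated GET and DELETE, the hardened one returns 401 to both and 200 only with the key. The design point is in `_gated`: because the check is keyed on the path prefix rather than on each route remembering to call it, adding a new monitor route cannot reopen the hole.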