🔍AI RiskAtlas
← Real-world cases

CVE-2026-21445 — Langflow missing authentication on critical API endpoints, exploited in the wild

Disclosed vulnerability02 Jan 2026

Langflow is a widely-used open-source visual builder for AI agents and LLM workflows. CVE-2026-21445 (CWE-306, Missing Authentication for Critical Function; CVSS 8.8, High) is a broken-authentication flaw in which multiple critical Langflow API endpoints — reportedly the FastAPI monitor endpoints — were missing the standard authentication checks. Per the GitHub Security Advisory (GHSA-c5cp-vx83-jhqx), this allowed any unauthenticated user to access sensitive user conversation data and transaction/activity histories, and to perform destructive operations including deleting message sessions, all without valid credentials. The flaw affects langflow up to and including 1.7.0.dev44 (patched in 1.7.1) and langflow-base up to and including 0.6.9 (patched in 0.7.1). The advisory was published on 2 Jan 2026; per CrowdSec's tracking, a public proof-of-concept repository appeared by 4 Jan 2026, a public Nuclei detection template was merged on 30 Mar 2026, and first in-the-wild exploitation was reported around 9 Apr 2026; reporting indicates it was subsequently added to KEV-style catalogs. The case is notable because the exposed attack surface is the agent-builder control plane itself — the orchestration platform sitting in the agent build stack — rather than the model or an individual MCP server. (Scope is as described by the GitHub Advisory and CrowdSec: confirmed exposure covers conversation/transaction data and message-session deletion; broader claims such as direct API-key or arbitrary server-file exposure are NOT established for this CVE and likely belong to separate Langflow RCE issues. The candidate's link of this CVE to the 'Operation Bizarre Bazaar' LLM-endpoint campaign is not supported by the primary reporting on that campaign and has been omitted.)

More cases on Sensitive Data Leakage

AI RiskAtlas is an educational model of how GenAI & agentic systems work and fail. Architectures and payloads are illustrative and simplified for learning — not operational guidance. Real-world cases are summarised from public reporting.

Sources & further reading →·Built by Shi Yuan ↗