Langflow Unauthenticated Image Retrieval Vulnerability (CVE-2026-33484)
Langflow versions 1.0.0 through 1.8.1 are vulnerable to an unauthenticated image retrieval vulnerability (CVE-2026-33484) that allows attackers to download any user's uploaded images without credentials in multi-tenant deployments by accessing the `/api/v1/files/images/{flow_id}/{file_name}` endpoint.
Langflow, a tool used for building and deploying AI-powered agents and workflows, is susceptible to an unauthenticated image retrieval vulnerability. Specifically, versions 1.0.0 through 1.8.1 expose the /api/v1/files/images/{flow_id}/{file_name} endpoint without implementing any authentication or ownership validation. This oversight enables any unauthenticated user with knowledge of a flow_id and file_name to retrieve the corresponding image. In a multi-tenant Langflow deployment, this vulnerability permits an attacker who can discover or guess a valid flow_id (which the advisory notes can be leaked through other API responses) to download images uploaded by other users without providing any credentials. The vulnerability is identified as CVE-2026-33484, and a patch is available in version 1.9.0.
Attack Chain
- Attacker identifies a Langflow instance running a vulnerable version (1.0.0 - 1.8.1).
- Attacker discovers a valid
flow_id. This could occur through reconnaissance of API responses, error messages, or other information leakage. - Attacker identifies or guesses the
file_nameof an image associated with the discoveredflow_id. - Attacker crafts an HTTP GET request to the vulnerable endpoint:
/api/v1/files/images/{flow_id}/{file_name}, substituting the knownflow_idandfile_name. - The Langflow server, lacking authentication or ownership checks, processes the request.
- The server responds with HTTP 200 and includes the requested image in the response body.
- Attacker downloads the image.
- Attacker potentially repeats the process with different
flow_idandfile_namecombinations to exfiltrate additional images.
Impact
Successful exploitation of this vulnerability allows unauthorized access to potentially sensitive images uploaded by Langflow users. In a multi-tenant environment, this can lead to a significant breach of confidentiality, as attackers can access data belonging to other users without authentication. The observed damage includes unauthorized viewing and potential exfiltration of user data. The severity of the impact is dependent on the content of the images and the level of trust placed in the Langflow instance.
Recommendation
- Upgrade Langflow to version 1.9.0 or later to apply the patch for CVE-2026-33484.
- Deploy the Sigma rule
Detect Langflow Unauthenticated Image Retrieval Attemptto identify attempts to exploit this vulnerability in web server logs. - Monitor web server logs for requests to the
/api/v1/files/images/endpoint, especially those lacking valid authentication tokens or session cookies.
Detection coverage 2
Detect Langflow Unauthenticated Image Retrieval Attempt
highDetects attempts to retrieve images without authentication from the Langflow `/api/v1/files/images/` endpoint, indicating potential exploitation of CVE-2026-33484.
Detect Langflow API Flow ID Enumeration
lowDetects potential flow ID enumeration by monitoring for suspicious patterns in API requests.
Detection queries are available on the platform. Get full rules →