ByteOS Network

langflow-ai

Source -

CNA

BOS Name -

N/A

CNA CVEs -

ADP CVEs -

CISA CVEs -

NVD CVEs -

2Vulnerabilities found

CVE-2025-57760

Assigner-GitHub, Inc.

View Details

Assigner-GitHub, Inc.

CVSS Score-8.8||HIGH

EPSS-Not Assigned

Published-25 Aug, 2025 | 16:22

Updated-25 Aug, 2025 | 20:34

Langflow Vulnerable to Privilege Escalation via CLI Superuser Creation

Langflow is a tool for building and deploying AI-powered agents and workflows. A privilege escalation vulnerability exists in Langflow containers where an authenticated user with RCE access can invoke the internal CLI command langflow superuser to create a new administrative user. This results in full superuser access, even if the user initially registered through the UI as a regular (non-admin) account. A patched version has not been made public at this time.

Vendor-langflow-ai

Product-langflow

CWE ID-CWE-269

Improper Privilege Management

CVE-2025-3248

Assigner-VulnCheck

View Details

Assigner-VulnCheck

CVSS Score-9.8||CRITICAL

EPSS-92.66% / 99.74%

7 Day CHG~0.00%

Published-07 Apr, 2025 | 14:22

Updated-30 Jul, 2025 | 01:36

Known KEV||Action Due Date - 2025-05-26||Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Langflow Unauth RCE

Langflow versions prior to 1.3.0 are susceptible to code injection in the /api/v1/validate/code endpoint. A remote and unauthenticated attacker can send crafted HTTP requests to execute arbitrary code.

Vendor-langflow langflow-ai Langflow

Product-langflow langflow Langflow

CWE ID-CWE-306

Missing Authentication for Critical Function

CWE ID-CWE-94

Improper Control of Generation of Code ('Code Injection')