Known Vulnerabilities
CVE-2024-48061
Langflow <=1.0.18 is vulnerable to Remote Code Execution (RCE) because any component provides the code functionality and the components run on the local machine rather than in a sandbox.
CRITICAL
CVSS 9.8
Published Nov 04, 2024
CVE-2024-7297
Langflow versions prior to 1.0.13 suffer from a Privilege Escalation vulnerability, allowing a remote, low-privileged attacker to gain super admin privileges by performing a mass assignment request on the '/api/v1/users' endpoint.
HIGH
CVSS 8.8
Published Jul 30, 2024
CVE-2024-37014
Langflow through 0.6.19 allows remote code execution if untrusted users are able to reach the "POST /api/v1/custom_component" endpoint and provide a Python script.
HIGH
CVSS 8.8
Published Jun 10, 2024