CVE-2026-6598

MEDIUM

langflow-ai langflow Project Creation Endpoint projects.py encrypt_auth_settings cleartext storage in file

Title source: cna

Description

A security vulnerability has been detected in langflow-ai langflow up to 1.8.3. The affected element is the function create_project/encrypt_auth_settings of the file src/backend/base/Langflow/api/v1/projects.py of the component Project Creation Endpoint. Such manipulation of the argument auth_settings leads to cleartext storage in a file or on disk. The attack can be launched remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

References (4)

Core 4

Core References

Vdb Entry, Technical Description vdb-entry technical-description

VDB-358233 | langflow-ai langflow Project Creation Endpoint projects.py encrypt_auth_settings cleartext storage in file

https://vuldb.com/vuln/358233

Signature, Permissions Required signature permissions-required

VDB-358233 | CTI Indicators (IOB, IOC, TTP, IOA)

https://vuldb.com/vuln/358233/cti

Third Party Advisory third-party-advisory

Submit #791921 | Langflow <= 1.8.3 CWE-311: Missing Encryption of Sensitive Data

https://vuldb.com/submit/791921

Exploit exploit

https://gist.github.com/chenhouser2025/77adb3486c06c635ae4b09a3eaf90213

Scores

CVSS v3 4.3

EPSS 0.0015

EPSS Percentile 4.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-312 CWE-313

Status published

Products (5)

langflow-ai/langflow 1.8.0

langflow-ai/langflow 1.8.1

langflow-ai/langflow 1.8.2

langflow-ai/langflow 1.8.3

pypi/langflow 0 - 1.9.1PyPI

Published Apr 20, 2026

Tracked Since Apr 20, 2026