What happened
Prior to Langflow 1.9.2, the /api/v1/responses endpoint does not verify ownership of the flow_id parameter. Any authenticated attacker can specify a victim's flow ID in the request body to execute arbitrary flows belonging to other users. CVSS 9.9 Critical, published 2026-06-23.
Why it matters
An authenticated low-privilege Langflow user can execute any other user's AI agent workflow — including admin-owned flows with privileged tool access, database connections, and external API credentials. This breaks the entire multi-tenant isolation model of Langflow and allows lateral movement across the entire AI project space.
Attack vector
Authenticated POST to /api/v1/responses with a victim's flow_id in the request body; no ownership check is performed on that flow_id before the target flow is executed.
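To make the missing check concrete, here is an added example (not Langflow's code): a toy in-memory flow store with the pre-fix handler, which executes whatever flow_id the body names, beside a hardened handler that requires the authenticated caller to own the flow. FlowStore, Flow, run_flow, responses_vulnerable and responses_hardened are hypothetical stand-ins, and the user and flow IDs are constructed sample data.

```python
"""Ownership check for a flow-execution endpoint (illustrative).

Added example, not Langflow's own implementation: the store, user IDs,
flow IDs and handler names below are hypothetical stand-ins.
"""
from dataclasses import dataclass, field


class AuthorizationError(Exception):
    """Raised when the caller may not run the requested flow."""


@dataclass(frozen=True)
class Flow:
    flow_id: str
    owner_id: str
    name: str


@dataclass
class FlowStore:
    # Constructed in-memory store mapping flow_id -> Flow.
    flows: dict = field(default_factory=dict)

    def get(self, flow_id):
        return self.flows.get(flow_id)


def run_flow(flow):
    # Stand-in for the real execution engine; returns a marker string.
    return f"executed:{flow.flow_id}"


def responses_vulnerable(store, current_user_id, body):
    """Pre-fix behaviour described in the advisory: the flow_id taken from
    the request body is executed and current_user_id is never consulted."""
    flow = store.get(body["flow_id"])
    if flow is None:
        raise LookupError("flow not found")
    return run_flow(flow)


def responses_hardened(store, current_user_id, body):
    """Fixed behaviour: the authenticated caller must own the flow.

    A missing flow and a flow owned by someone else raise the same error,
    so the endpoint does not reveal whether another user's flow_id exists.
    """
    flow = store.get(body["flow_id"])
    if flow is None or flow.owner_id != current_user_id:
        raise AuthorizationError("flow not found or not owned by caller")
    return run_flow(flow)


def demo():
    """Run both handlers as user 'alice' against an admin-owned flow."""
    store = FlowStore({
        "flow-admin-1": Flow("flow-admin-1", "admin", "privileged agent"),
        "flow-alice-1": Flow("flow-alice-1", "alice", "alice's agent"),
    })
    cross_tenant_body = {"flow_id": "flow-admin-1"}   # constructed request
    results = {}
    # Vulnerable handler: alice's request runs the admin's flow.
    results["vulnerable"] = responses_vulnerable(store, "alice", cross_tenant_body)
    # Hardened handler: same request is refused.
    try:
        responses_hardened(store, "alice", cross_tenant_body)
        results["hardened"] = "allowed"
    except AuthorizationError:
        results["hardened"] = "denied"
    # Hardened handler still runs a flow the caller owns.
    results["own_flow"] = responses_hardened(store, "alice", {"flow_id": "flow-alice-1"})
    return results


if __name__ == "__main__":
    print(demo())
```

The ownership comparison belongs in the request handler (or a shared authorization dependency) before any execution begins; checking it only in the UI or in the flow-listing endpoint leaves the execution path exposed, which is exactly the gap the advisory describes.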
Affected systems
Langflow < 1.9.2
Mitigation
Upgrade to Langflow 1.9.2. PR fix: https://github.com/langflow-ai/langflow/pull/12832