What happened
Prior to Langflow 1.9.0, the /api/v1/monitor router exposes 7 endpoints that perform read, write, and delete operations on messages, sessions, build artifacts, and LLM transaction logs without verifying that the caller owns the target resource. CVSS 8.8 High, published 2026-06-23.
Why it matters
An authenticated attacker can read all LLM transaction logs from any user (revealing prompts, completions, and any sensitive data processed by AI flows), delete other users' sessions and build artifacts, and manipulate message history — undermining audit trails, compliance logging, and data privacy for the entire multi-user deployment.
Attack vector
Authenticated requests to /api/v1/monitor/* endpoints that specify victim user IDs or resource IDs; no ownership verification is performed.
Affected systems
Langflow < 1.9.0
Mitigation
Upgrade to Langflow 1.9.0. Advisory: https://github.com/langflow-ai/langflow/security/advisories/GHSA-9c59-2mvc-vfr8
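The bug class described under "Attack vector" (handlers that trust a caller-supplied user or resource ID without comparing it to the authenticated caller) is shown below next to the ownership check a fix has to add. This is an added illustration, not Langflow's code: the Resource and MonitorStore types, method names and sample rows are constructed for the example.

```python
# Object-level authorization for per-user monitor resources (messages, sessions,
# build artifacts, LLM transactions), modelled on the bug class in the advisory
# above. Added illustration, not Langflow's code; all types and rows are constructed.
from dataclasses import dataclass, field

class NotFound(Exception):
    """Raised for foreign and missing IDs alike, so IDs cannot be probed."""

@dataclass
class Resource:
    kind: str       # "message" | "session" | "vertex_build" | "transaction"
    rid: str
    owner_id: str   # user whose flow/session this row belongs to

@dataclass
class MonitorStore:
    items: dict = field(default_factory=dict)

    def add(self, r: Resource) -> None:
        self.items[r.rid] = r

    # Vulnerable shape: trusts the caller-supplied id, never compares the owner.
    def get_unchecked(self, caller_id: str, rid: str) -> Resource:
        return self.items[rid]

    # Hardened shape: resolve row and owner together on every read/write/delete;
    # the authenticated identity, not a request parameter, is the filter.
    def get_owned(self, caller_id: str, rid: str) -> Resource:
        r = self.items.get(rid)
        if r is None or r.owner_id != caller_id:
            raise NotFound(rid)
        return r

    def delete_owned(self, caller_id: str, rid: str) -> None:
        self.get_owned(caller_id, rid)   # authorize before the side effect
        del self.items[rid]

    def list_owned(self, caller_id: str, kind: str) -> list:
        # Server-side filter by caller; a user_id query parameter is never trusted.
        return [r for r in self.items.values()
                if r.kind == kind and r.owner_id == caller_id]

def make_store() -> MonitorStore:
    """Constructed sample rows: alice and bob each have monitor data."""
    s = MonitorStore()
    s.add(Resource("transaction", "t1", "alice"))
    s.add(Resource("session", "s1", "alice"))
    s.add(Resource("transaction", "t2", "bob"))
    return s
```

With `make_store()`, `get_unchecked("bob", "t1")` returns alice's transaction (the pre-1.9.0 behaviour), while `get_owned`, `delete_owned` and `list_owned` confine bob to his own rows and answer foreign and missing IDs identically.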