CVE-2026-34046: Langflow: Authenticated Users Can Read, Modify, and Delete Any Flow via Missing Ownership Check

## Vulnerability ### IDOR in `GET/PATCH/DELETE /api/v1/flow/{flow_id}` The `_read_flow` helper in `src/backend/base/langflow/api/v1/flows.py` branched on the `AUTO_LOGIN` setting to decide whether to filter by `user_id`. When `AUTO_LOGIN` was `False` (i.e., authentication was enabled), neither branch enforced an ownership check — the query returned any flow matching the given UUID regardless of who owned it. This exposed any authenticated user to: - **Read** any other user's flow, including embedded plaintext API keys - **Modify** the logic of another user's AI agents - **Delete** flows belonging to other users The vulnerability was introduced by the conditional logic that was meant to accommodate public/example flows (those with `user_id = NULL`) under auto-login mode, but inadvertently left the authenticated path without an ownership filter. --- ## Fix (PR #8956) The fix removes the `AUTO_LOGIN` conditional entirely and unconditionally scopes the query to the requesting user: ```diff - auth_settings = settings_service.auth_settings - stmt = select(Flow).where(Flow.id == flow_id) - if auth_settings.AUTO_LOGIN: - stmt = stmt.where( - (Flow.user_id == user_id) | (Flow.user_id == None) # noqa: E711 - ) + stmt = select(Flow).where(Flow.id == flow_id).where(Flow.user_id == user_id) ``` All three operations — read, update, and delete — route through `_read_flow`, so the single change covers the full attack surface. A cross-user isolation test (`test_read_flows_user_isolation`) was added to prevent regression. --- ## Acknowledgements Langflow thanks the security researcher who responsibly disclosed this vulnerability: - **[@chximn-dt](https://github.com/chximn-dt)**