{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-6597", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2026-04-19T13:46:59.741Z", "datePublished": "2026-04-20T02:30:14.803Z", "dateUpdated": "2026-04-20T02:30:14.803Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-04-20T02:30:14.803Z"}, "title": "langflow-ai langflow Flow Using API core.py has_api_terms credentials storage", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-256", "lang": "en", "description": "Unprotected Storage of Credentials"}]}, {"descriptions": [{"type": "CWE", "cweId": "CWE-255", "lang": "en", "description": "Credentials Management"}]}], "affected": [{"vendor": "langflow-ai", "product": "langflow", "versions": [{"version": "1.8.0", "status": "affected"}, {"version": "1.8.1", "status": "affected"}, {"version": "1.8.2", "status": "affected"}, {"version": "1.8.3", "status": "affected"}], "cpes": ["cpe:2.3:a:langflow:langflow:*:*:*:*:*:*:*:*"], "modules": ["Flow Using API"]}], "descriptions": [{"lang": "en", "value": "A weakness has been identified in langflow-ai langflow up to 1.8.3. Impacted is the function remove_api_keys/has_api_terms of the file src/backend/base/langflow/api/utils/core.py of the component Flow Using API. This manipulation causes unprotected storage of credentials. The attack can be initiated remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way."}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.1, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P", "baseSeverity": "MEDIUM"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 2.7, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R", "baseSeverity": "LOW"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 2.7, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R", "baseSeverity": "LOW"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 3.3, "vectorString": "AV:N/AC:L/Au:M/C:P/I:N/A:N/E:POC/RL:ND/RC:UR"}}], "timeline": [{"time": "2026-04-19T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2026-04-19T02:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2026-04-19T15:52:19.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "Eric-d (VulDB User)", "type": "reporter"}, {"lang": "en", "value": "VulDB CNA Team", "type": "coordinator"}], "references": [{"url": "https://vuldb.com/vuln/358232", "name": "VDB-358232 | langflow-ai langflow Flow Using API core.py has_api_terms credentials storage", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/vuln/358232/cti", "name": "VDB-358232 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/submit/791920", "name": "Submit #791920 | Langflow <= 1.8.3 Information Disclosure", "tags": ["third-party-advisory"]}, {"url": "https://gist.github.com/chenhouser2025/b93261c6e651f14800a4f2e4365f357b", "tags": ["exploit"]}]}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A weakness has been identified in langflow-ai langflow up to 1.8.3. Impacted is the function remove_api_keys/has_api_terms of the file src/backend/base/langflow/api/utils/core.py of the component Flow Using API. This manipulation causes unprotected storage of credentials. The attack can be initiated remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way."}], "id": "CVE-2026-6597", "lastModified": "2026-04-20T03:16:17.153", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "MULTIPLE", "availabilityImpact": "NONE", "baseScore": 3.3, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:M/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 6.4, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 2.7, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 1.4, "source": "cna@vuldb.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.1, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "HIGH", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cna@vuldb.com", "type": "Secondary"}]}, "published": "2026-04-20T03:16:17.153", "references": [{"source": "cna@vuldb.com", "url": "https://gist.github.com/chenhouser2025/b93261c6e651f14800a4f2e4365f357b"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/submit/791920"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/vuln/358232"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/vuln/358232/cti"}], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-255"}, {"lang": "en", "value": "CWE-256"}], "source": "cna@vuldb.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-20T03:20:24.607255+00:00", "value": {"mitigation_remediation": ["Update Langflow to the latest release that contains a fix for unprotected credentials storage or apply any official vendor patch. ", "Remove or delete any stored credentials from the server and set strict file permissions to prevent unauthorized access. ", "Audit the configuration and code to ensure credentials are not written in clear text and that proper encryption and secure storage mechanisms are enforced. ", "Monitor logs for abnormal access to credential storage locations and investigate any unauthorized modifications."], "summary": {"action": "Patch Immediately", "impact": "Credential Exposure"}, "threat_synthesis": {"affected_systems": "Affected vendors and products include langflow-ai's Langflow application. Versions up to 1.8.3 are impacted. No newer versions are listed in the data; administrators should verify whether a fix has been released beyond 1.8.3.", "description_and_impact": "The vulnerability involves the Flow Using API component in langflow up to version 1.8.3, where the remove_api_keys/has_api_terms function stores credentials without protection. This flaw allows an attacker to store or retrieve API credentials in plain text, leading to credential disclosure. The vulnerability can be triggered remotely, and a public exploit exists, indicating that attackers can exploit it over the network.", "risk_and_exploitability": "The CVSS score is 5.1, placing the vulnerability in the medium severity range. EPSS is not available, and the issue is not listed in CISA's KEV catalog. However, the public availability of an exploit and the ability to trigger the flaw remotely constitute a non-negligible risk. The weakness is categorized as CWE-255 and CWE-256, both involving inadequate credential storage and protection."}}}}, "created": "2026-04-20T03:30:41.936453+00:00", "updated": "2026-04-20T03:30:41.936473+00:00", "vendors": []}