SCA: security update for langflow (GHSA-rcjh-r59h-gq37)

medium Tenable Self-Hosted Container Security Plugin ID 443272

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to 1.10.0, the
"Shareable Playground" (or "Public Flows" in code) contains a potential arbitrary file-read vulnerability,
depending on the exact flow configuration used. By making a flow public, public execution of the flow is
allowed. The execution request can contain a list of files that gets read by Langflow and fed into the
LLM. The files path can be any path supported by the storage - it can be either a local file or S3 path if
supported by the local configuration This vulnerability is fixed in 1.10.0. (CVE-2026-48520)

Solution

Update the langflow library and its related packages to version 1.10.0 or later.

See Also

https://github.com/advisories/GHSA-rcjh-r59h-gq37

Plugin Details

Severity: Medium

ID: 443272

Version: Revision 1.5

Type: Local

Family: SCA Checks

Published: 6/16/2026

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 3.3

Percentile: 51.18

Vendor

Vendor Severity: Medium

CVSS v2

Risk Factor: Medium

Base Score: 5.4

Temporal Score: 4.2

Vector: CVSS2#AV:N/AC:H/Au:N/C:C/I:N/A:N

CVSS Score Source: CVE-2026-48520

CVSS v3

Risk Factor: Medium

Base Score: 6.1

Temporal Score: 5.5

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 6/16/2026

Vulnerability Publication Date: 6/16/2026

Reference Information

CVE: CVE-2026-48520

cwe: CWE-73