Detections
Analytics

Langflow Unauthenticated Access

critical Nessus Plugin ID 304684

Synopsis

The remote host is running an AI application builder that allows unauthenticated superuser access.

Description

Langflow, a visual framework for building multi-agent AI applications, is running on the remote host with automatic login enabled (LANGFLOW_AUTO_LOGIN=True, the default). Nessus confirmed this by obtaining a superuser access token from the /api/v1/auto_login endpoint without any credentials.

Langflow's default configuration is effectively unauthenticated remote code execution. Because Langflow's core purpose is executing user-defined Python code in flow nodes — with no sandbox — any user with API access can run arbitrary code on the host.

Additional insecure defaults compound the risk:

 - CORS allows all origins, enabling cross-site exploitation from any domain

 - SSRF protection is disabled, allowing flows to reach internal network services

 - The full OpenAPI specification is publicly accessible, mapping the entire attack surface

An unauthenticated attacker with network access can:

 - Obtain a superuser token and execute arbitrary Python code on the host via flow nodes

 - Access and exfiltrate stored credentials and API keys for connected services (LLM providers, cloud databases, internal APIs)

 - Create, modify, or delete AI flows, injecting malicious logic into production pipelines

 - Pivot into the internal network via SSRF or direct code execution, using the host as a foothold

 - Manage users and escalate access across the platform

Solution

Set LANGFLOW_AUTO_LOGIN=False and configure authentication with a non-default superuser password.
Place Langflow behind a reverse proxy that enforces authentication and restricts access. Enable SSRF protection and restrict CORS origins. Do not expose Langflow directly to untrusted networks.

See Also

https://www.langflow.org/

Plugin Details

Severity: Critical

ID: 304684

File Name: langflow_unauth_access.nbin

Version: 1.1

Type: Remote

Published: 4/2/2026

Updated: 4/2/2026

Supported Sensors: Nessus

Risk Information

CVSS Score Rationale: Default auto_login grants unauthenticated superuser access. langflow executes arbitrary python in flow nodes with no sandbox, making this effectively unauthenticated rce with full host compromise and lateral movement potential.

CVSS v2

Risk Factor: Critical

Base Score: 10

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: manual

CVSS v3

Risk Factor: Critical

Base Score: 10

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CVSS v4

Risk Factor: Critical

Base Score: 10

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Vulnerability Information

CPE: cpe:/a:langflow:langflow

Required KB Items: installed_sw/Langflow

Reference Information

CWE: 284