Langflow’s Monitor APIs Left Wide Open (CVE-2026-21445)

Key Takeaways

• Affected critical API endpoints in Langflow lacked authentication checks, allowing unauthenticated access
• Endpoints exposed conversation data, transaction histories, and permitted deletion without authorization
• Impact includes privacy breach, data exposure, and destructive API calls
• Patch available in Langflow 1.5.1+

Critical Broken Authentication in Langflow Exposes AI Chats and Logs

In early January 2026, a GitHub-reviewed security advisory (GHSA-c5cp-vx83-jhqx) revealed that Langflow, an open-source tool for building and deploying AI agents and workflows, contained a critical broken authentication vulnerability affecting multiple monitor API endpoints. Because required authentication dependencies were missing, attackers could access sensitive conversation messages, transaction data, and issue unauthorized deletions. This flaw impacts deployments of Langflow up through versions earlier than 1.5.1 and represents a real confidentiality and integrity risk for affected installations. (GitHub)

What Happened

The vulnerability (tracked as CVE-2026-21445) arises from missing authentication checks on three FastAPI monitor endpoints in src/backend/base/langflow/api/v1/monitor.py, namely:

• GET /api/v1/monitor/messages
• GET /api/v1/monitor/transactions
• DELETE /api/v1/monitor/messages/session/{session_id}

These endpoints lacked the standard dependencies=[Depends(get_current_active_user)] authentication requirement mandatory elsewhere in the API surface. Without this guard, any HTTP request to these paths returned success, exposing sensitive conversation content, transaction history, and allowing deletion of session messages without verifying user identity.

The advisory was published and reviewed via GitHub’s security advisory database, and maintainers have since released a patched version (1.5.1+) enforcing authentication on these routes. 

How the Breach Happens

This is a classic broken authentication and authorization flaw (OWASP Top 10 A01:2021) exposed in an AI agent management platform. In systems like Langflow — used to orchestrate and monitor conversational agents — high-privilege operations (data retrieval and deletion) should always require proof of identity and authorization.

Because authentication dependencies were omitted, attackers can make unauthenticated HTTP API calls directly to the affected endpoints in any Langflow deployment where these paths are exposed, including internet-accessible or improperly firewalled installations.

Such unauthorized access can result in exfiltration of conversation histories, which may contain sensitive or proprietary AI training/interaction data, and destructive operations like session message deletion, undermining data integrity and audit trails. (secalerts.co)

Why It Matters

This vulnerability illustrates a significant risk in AI tooling ecosystems: administrative and monitoring APIs are often overlooked in security reviews, yet they can surface sensitive conversational data and transaction history tied to agent operations. In environments where Langflow manages AI agent workflows or holds logs containing PII or business data, this broken authentication could lead to:

• Unauthorized data exposure of AI conversations and transaction logs
• Privacy violations and potential regulatory compliance failures (e.g., GDPR, CCPA)
• Unauthorized data deletion, disrupting audit trails and forensic analysis
• Reconnaissance of system behavior, aiding further attacks

Patch application is strongly advised for any Langflow instance exposed beyond tightly controlled internal networks. (Tenable®)

PointGuard AI Perspective

The Langflow broken authentication flaw highlights two broad patterns important to enterprise AI security:

1. API security matters for AI tooling: Agent platforms expose APIs that correlate to sensitive operational data. AI governance should include API access controls and authentication posture reviews just like any other service layer.
2. Inventory and exposure mapping reduces surprises: Knowing where Langflow or similar AI agent management tools run and who can reach their APIs helps defenders prioritize patches and firewall rules.

PointGuard AI emphasizes continuous monitoring of AI agent platforms — including authentication enforcement on all management APIs — and runtime anomaly detection to flag unusual patterns (e.g., high-volume conversation retrievals or unauthorized deletion attempts). These controls become indispensable when tooling like Langflow is used in production or shared environments.

Incident Scorecard Details

Total AISSI Score: 6.8 / 10

Criticality = 7.5
Broken authentication exposes sensitive paths; attackers can harvest data or delete content.
Weighted 25%

Propagation = 6.0
Impact is conditional on API exposure; not automatic across all environments.
Weighted 20%

Exploitability = 7.0
No auth required; low complexity to invoke affected endpoints.
Weighted 15%

Supply Chain = 5.0
Open-source tooling with ecosystem usage; not widely embedded in core infrastructure.
Weighted 15%

Business Impact = 6.0
Sensitive conversation and transaction data could be exposed or destroyed in affected deployments.
Weighted 25%

Sources

• Langflow Missing Authentication on Critical API Endpoints (GitHub Advisory)
  https://github.com/advisories/GHSA-c5cp-vx83-jhqx
• CVE-2026-21445 Details – Tenable
  https://www.tenable.com/cve/CVE-2026-21445
• Langflow Broken Auth Vulnerability Overview – SecAlerts
  https://secalerts.co/vulnerability/GHSA-c5cp-vx83-jhqx
• CVE-2026-21445 – OpenCVE Vulnerability Details
  https://app.opencve.io/cve/CVE-2026-21445