COOEY // HUBcompliance · community · intelligence

FAIL › dossier

Langflow vendor

5
failure events
0
zero-days
2
RCEs
3
on KEV
1
critical
85
worst shame

Dossier not yet built — the RAG curator builds one for players with ≥2 failure events (factory/dossier.py). The failure history and sentiment below are live.

Failure history 10 events

DateEventSevFlagsShameSummary
2026-05-21 CVE-2025-34291 high ⚡RCE ⌖KEV 85 Langflow's overly permissive CORS and SameSite=None cookie settings enable cross-origin credential theft leading to full system compromise.
2026-05-21 CVE-2025-34291 high ⚡RCE ⌖KEV 85 Langflow's overly permissive CORS and SameSite=None cookie settings enable cross-origin credential theft leading to full system compromise.
2026-03-25 CVE-2026-33017 high ⚡RCE ⌖KEV 65 Langflow allows unauthenticated public flow creation via code injection, enabling attackers to bypass security controls.
2026-03-25 CVE-2026-33017 high ⚡RCE ⌖KEV 65 Langflow allows unauthenticated public flow creation via code injection, enabling attackers to bypass security controls.
2026-07-07 CVE-2026-55255 high ⌖KEV 45 Langflow allows authenticated attackers to execute any user's flow by specifying a victim's flow ID, bypassing authorization controls.
2026-07-07 CVE-2026-55255 high ⌖KEV 45 Langflow allows authenticated attackers to execute any user's flow by specifying a victim's flow ID, bypassing authorization controls.
2026-06-30 CVE-2026-7663 critical 35 IBM Langflow OSS 1.0.0 through 1.9.6 could allow unauthenticated attackers to access protected MCP project resources and execute MCP operations due to improper authorization enforcement in the Streamable MCP transport endpoint.
2026-06-30 CVE-2026-7663 critical 35 IBM Langflow OSS 1.0.0 through 1.9.6 could allow unauthenticated attackers to access protected MCP project resources and execute MCP operations due to improper authorization enforcement in the Streamable MCP transport endpoint.
2026-06-30 CVE-2026-10560 high 25 IBM Langflow OSS 1.0.0 through 1.9.6 contains a missing authentication vulnerability in /api/v1/build_public_tmp/ endpoints that allows an unauthenticated attacker to read build event data or cancel jobs using a valid job identifier, resulting in information disclosure and denial
2026-06-30 CVE-2026-10560 high 25 IBM Langflow OSS 1.0.0 through 1.9.6 contains a missing authentication vulnerability in /api/v1/build_public_tmp/ endpoints that allows an unauthenticated attacker to read build event data or cancel jobs using a valid job identifier, resulting in information disclosure and denial