CVE-2026-6597

Description

A weakness has been identified in langflow-ai langflow up to 1.8.3. Impacted is the function remove_api_keys/has_api_terms of the file src/backend/base/langflow/api/utils/core.py of the component Flow Using API. This manipulation causes unprotected storage of credentials. The attack can be initiated remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.

CVSS v3.1 Score

2.7

LOW

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N

EPSS — Exploit Prediction

0.0001

Probability of exploitation

0.01%

Percentile rank

EPSS estimates the probability that this vulnerability will be exploited in the wild within the next 30 days. A higher score means more likely to be exploited.

Weakness Type (CWE)

CWE-255 CWE-255

CWE-256 CWE-256

References

Other References

https://gist.github.com/chenhouser2025/b93261c6e651f14800a4f2e4365f357b https://vuldb.com/submit/791920 https://vuldb.com/vuln/358232 https://vuldb.com/vuln/358232/cti

Frequently Asked Questions

What is CVE-2026-6597? +

A weakness has been identified in langflow-ai langflow up to 1.8.3. Impacted is the function remove_api_keys/has_api_terms of the file src/backend/base/langflow/api/utils/core.py of the component Flow Using API. This manipulation causes unprotected storage of credentials. The attack can be initiated remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. It has a CVSS v3.1 base score of 2.7 (LOW).

How severe is CVE-2026-6597? +

CVE-2026-6597 has a CVSS v3.1 score of 2.7 out of 10, rated LOW. This is a low-severity vulnerability with limited impact. The EPSS score is 0.0001, placing it in the 0th percentile for exploitation probability.

How do I check if I'm vulnerable to CVE-2026-6597? +

You can use Secably's free Website Scanner to check your website for known vulnerabilities. For infrastructure scanning, use the Port Scanner to identify exposed services that may be affected. Check the vendor advisories linked above for specific patch and version information.

Related Vulnerabilities

CVE-2021-37000 7.7

Some Huawei wearables have a permission management vulnerability.

CVE-2025-11284 7.3

A vulnerability has been found in Zytec Dalian Zhuoyun Technology Central Authentication Service 3. Affected by this vulnerability is an …

CVE-2025-11649 7.0

A vulnerability was found in Tomofun Furbo 360 and Furbo Mini. The affected element is an unknown function of the …

CVE-2025-11666 6.7

A flaw has been found in Tenda RP3 Pro up to 22.5.7.93. This impacts an unknown function of the file …

CVE-2025-13187 5.3

A security vulnerability has been detected in Intelbras ICIP 2.0.20. Affected is an unknown function of the file /xml/sistema/acessodeusuario.xml. Such …

CVE-2025-15128 5.3

A vulnerability was detected in ZKTeco BioTime up to 9.0.3/9.0.4/9.5.2. This affects an unknown part of the file /base/safe_setting/ of …