Zero Day MonitorZDM

← Back to list

6.1

CVE-2026-55423PATCHED

langflow · langflow

Langflow: Logout button does not clear session

Description

Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to 1.7.0, the logout button does not clear the session. The previous user stays logged in unless another user explicitly logs in. This vulnerability is fixed in 1.7.0.

Affected Products

Vendor	Product	Versions
langflow	langflow	< 1.7.0, 1.6.x

Also Affects

Downstream vendors/products affected by this vulnerability

Vendor	Product	Source	Confidence
open source	langflow	cert_advisory	90%

References

https://github.com/langflow-ai/langflow/security/advisories/GHSA-7hw8-6q6r-4276(x_refsource_CONFIRM)
https://github.com/langflow-ai/langflow/pull/10527(x_refsource_MISC)
https://github.com/langflow-ai/langflow/pull/10528(x_refsource_MISC)

Related News (2 articles)

Tier C

VulDB4d ago

CVE-2026-55423 | langflow-ai langflow up to 1.6.x session expiration (GHSA-7hw8-6q6r-4276)

→ No new info (linked only)

Tier B

BSI Advisories5d ago

[NEU] [hoch] Langflow: Mehrere Schwachstellen

→ No new info (linked only)

CVSS 3.16.1 HIGH

VectorCVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

CISA KEV❌ No

Actively exploited❌ No

Patch available

langflow@1.7.1

CWECWE-613

PublishedJun 19, 2026

Last enriched4d agov2

Tags

GHSA-7hw8-6q6r-4276pip

Trending Score31

Source articles2

Independent2

Info Completeness9/14

Missing: epss, kev, exploit, iocs, mitre_attack

Community Vote

0 upvotes0 downvotes

No votes yet

Related CVEs (5)

CRITICALCVE-2026-55255EXPKEV

Langflow: IDOR Vulnerability in `/api/v1/responses` Endpoint Allows Authenticated Attackers to Access Another User's Flow

CRITICALCVE-2026-48519EXP

Langflow: Unauthenticated RCE in Shareable Playgrounds

MEDIUMCVE-2026-55446EXP

Langflow: Unauthenticated DoS through multipart form boundary file upload

CRITICALCVE-2026-42867EXP

Langflow: Path Traversal in Knowledge Bases API via Creation Endpoint

HIGHCVE-2026-55450EXP

Langflow: Unauthenticated file upload leads to DoS (space exhaustion) and information leak

Pin to Dashboard

Verification

State: unverified

Confidence: 0%

Vulnerability Timeline

CVE Published

Jun 19, 2026

Discovered by ZDM

Jun 19, 2026

Patch Available

Jun 23, 2026

Updated: affectedVersions, severity

Jun 23, 2026

Version History

v2

Last enriched 4d ago

v2Tier C4d ago

Updated affected versions to include 1.6.x, changed severity to HIGH, and noted that no exploit is available.

affectedVersionsseverity

via VulDB

v18d ago

Initial creation