EXECUTIVE SUMMARY:
The Langflow project's API key deletion endpoint contained an IDOR (Insecure Direct Object Reference) flaw, tracked as CVE-2026-33053, in which an authenticated user could remove API keys without the server verifying that the key belonged to them, potentially enabling unauthorized deletion of other users' API keys. This vulnerability affects all Langflow versions earlier than 1.7.2 and is resolved in version 1.7.2. The issue was identified in the delete_api_key route handler, which failed to confirm ownership before performing the delete action. Because the endpoint accepts a user-controlled API key identifier without verifying ownership, attackers could enumerate and delete arbitrary keys. It is considered a high-severity vulnerability with a CVSS score of 7.1, indicating a significant risk of disruption to service availability if exploited.
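As an added illustration (not Langflow's own code), the following minimal Python model shows the ownership gap described above: a delete handler that looks a key up by its id alone, beside the ownership-scoped version that closes the IDOR. The in-memory store, key ids and user names are constructed for the example.

```python
# Added example, not Langflow code: an API-key delete handler with and
# without an ownership check, modelled on the IDOR pattern in the advisory.
from dataclasses import dataclass, field
from typing import Dict


@dataclass
class ApiKey:
    id: str
    user_id: str  # the user who owns this key


@dataclass
class KeyStore:
    keys: Dict[str, ApiKey] = field(default_factory=dict)


class NotFound(Exception):
    """Raised when a key does not exist or is not visible to the caller."""


def delete_api_key_vulnerable(store: KeyStore, current_user_id: str, key_id: str) -> bool:
    """Deletes by id only: any authenticated user can delete any key (the IDOR)."""
    if key_id not in store.keys:
        raise NotFound(key_id)
    del store.keys[key_id]
    return True


def delete_api_key_fixed(store: KeyStore, current_user_id: str, key_id: str) -> bool:
    """Scopes the lookup to the caller, so other users' keys are simply invisible."""
    key = store.keys.get(key_id)
    if key is None or key.user_id != current_user_id:
        # One response for "missing" and "not yours": no oracle for enumerating ids.
        raise NotFound(key_id)
    del store.keys[key_id]
    return True


def demo() -> dict:
    """Runs both handlers against constructed data and reports what happened."""
    def fresh() -> KeyStore:  # two users, one key each (constructed sample data)
        return KeyStore({"k-alice": ApiKey("k-alice", "alice"),
                         "k-bob": ApiKey("k-bob", "bob")})
    results = {}
    store = fresh()
    delete_api_key_vulnerable(store, "bob", "k-alice")  # succeeds: the flaw
    results["vulnerable_deleted_other_users_key"] = "k-alice" not in store.keys
    store = fresh()
    try:
        delete_api_key_fixed(store, "bob", "k-alice")   # must be refused
        results["fixed_blocked"] = False
    except NotFound:
        results["fixed_blocked"] = "k-alice" in store.keys
    results["fixed_allows_own"] = delete_api_key_fixed(store, "alice", "k-alice")
    return results
```

The fixed handler filters by the caller's user id before deleting, which is the shape of check the advisory says the route lacked.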
RECOMMENDATION:
We strongly recommend you update Langflow to version 1.7.2.
REFERENCES:
The following reports contain further technical details: