CVE-2026-55423 - Vulnerability Details - OpenCVE

Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to 1.7.0, the logout button does not clear the session. The previous user stays logged in unless another user explicitly logs in. This vulnerability is fixed in 1.7.0.

No CVSS v4.0

Attack Vector Physical

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Exploitation poc

Automatable no

Technical Impact total

No data.

No data.

No data.

No data.

References

Link	Providers
https://github.com/langflow-ai/langflow/pull/10527
https://github.com/langflow-ai/langflow/pull/10528
https://github.com/langflow-ai/langflow/security/advisories/GHSA-7hw8-6q6r-4276

History

Tue, 23 Jun 2026 17:30:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Tue, 23 Jun 2026 16:45:00 +0000

Type	Values Removed	Values Added
Description		Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to 1.7.0, the logout button does not clear the session. The previous user stays logged in unless another user explicitly logs in. This vulnerability is fixed in 1.7.0.
Title		Langflow: Logout button does not clear session
Weaknesses		CWE-613
References		https://github.com/langflow-ai/langflow/pull/10527 https://github.com/langflow-ai/langflow/pull/10528 https://github.com/langflow-ai/langflow/security/advisories/GHSA-7hw8-6q6r-4276
Metrics		cvssV3_1 `{'score': 6.1, 'vector': 'CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N'}`

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-06-23T16:27:19.134Z

Updated: 2026-06-23T17:07:10.031Z

Reserved: 2026-06-16T21:48:43.126Z

Link: CVE-2026-55423

Vulnrichment

Updated: 2026-06-23T17:06:25.312Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-55423", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-06-16T21:48:43.126Z", "datePublished": "2026-06-23T16:27:19.134Z", "dateUpdated": "2026-06-23T17:07:10.031Z"}, "containers": {"cna": {"title": "Langflow: Logout button does not clear session", "problemTypes": [{"descriptions": [{"cweId": "CWE-613", "lang": "en", "description": "CWE-613: Insufficient Session Expiration", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "PHYSICAL", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/langflow-ai/langflow/security/advisories/GHSA-7hw8-6q6r-4276", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/langflow-ai/langflow/security/advisories/GHSA-7hw8-6q6r-4276"}, {"name": "https://github.com/langflow-ai/langflow/pull/10527", "tags": ["x_refsource_MISC"], "url": "https://github.com/langflow-ai/langflow/pull/10527"}, {"name": "https://github.com/langflow-ai/langflow/pull/10528", "tags": ["x_refsource_MISC"], "url": "https://github.com/langflow-ai/langflow/pull/10528"}], "affected": [{"vendor": "langflow-ai", "product": "langflow", "versions": [{"version": "< 1.7.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-06-23T16:27:19.134Z"}, "descriptions": [{"lang": "en", "value": "Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to 1.7.0, the logout button does not clear the session. The previous user stays logged in unless another user explicitly logs in. This vulnerability is fixed in 1.7.0."}], "source": {"advisory": "GHSA-7hw8-6q6r-4276", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-06-23T17:06:31.440801Z", "id": "CVE-2026-55423", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-06-23T17:07:10.031Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-55423", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-06-16T21:48:43.126Z", "datePublished": "2026-06-23T16:27:19.134Z", "dateUpdated": "2026-06-23T17:07:10.031Z"}, "containers": {"cna": {"title": "Langflow: Logout button does not clear session", "problemTypes": [{"descriptions": [{"cweId": "CWE-613", "lang": "en", "description": "CWE-613: Insufficient Session Expiration", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "PHYSICAL", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/langflow-ai/langflow/security/advisories/GHSA-7hw8-6q6r-4276", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/langflow-ai/langflow/security/advisories/GHSA-7hw8-6q6r-4276"}, {"name": "https://github.com/langflow-ai/langflow/pull/10527", "tags": ["x_refsource_MISC"], "url": "https://github.com/langflow-ai/langflow/pull/10527"}, {"name": "https://github.com/langflow-ai/langflow/pull/10528", "tags": ["x_refsource_MISC"], "url": "https://github.com/langflow-ai/langflow/pull/10528"}], "affected": [{"vendor": "langflow-ai", "product": "langflow", "versions": [{"version": "< 1.7.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-06-23T16:27:19.134Z"}, "descriptions": [{"lang": "en", "value": "Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to 1.7.0, the logout button does not clear the session. The previous user stays logged in unless another user explicitly logs in. This vulnerability is fixed in 1.7.0."}], "source": {"advisory": "GHSA-7hw8-6q6r-4276", "discovery": "UNKNOWN"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-55423", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-06-23T17:06:31.440801Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-06-23T17:06:25.312Z"}}]}}