JustAppSec

Active exploitation reported for Langflow missing-auth monitoring APIs

Published 20 Apr 2026 | Source: CrowdSec VulnTracking

TL;DR — CrowdSec is observing in-the-wild exploitation of Langflow endpoints that expose conversations and transactions without authentication, turning internet-exposed AI workflow servers into low-effort data exposure targets.

What happened

Langflow is an open-source platform for building and deploying AI agents and workflow automation via a visual interface, commonly placed close to prompts, internal tools, and business data integrations.

On April 20, 2026, CrowdSec reported it is tracking active exploitation of CVE-2026-21445, describing it as a critical authentication bypass in Langflow where multiple monitoring API endpoints are missing authentication controls.

Per the GitHub-reviewed advisory, the vulnerability is missing authentication for critical functions (CWE-306) across endpoints in src/backend/base/langflow/api/v1/monitor.py, including:

  • GET /api/v1/monitor/messages
  • GET /api/v1/monitor/transactions
  • DELETE /api/v1/monitor/messages/session/{session_id}

CrowdSec’s report highlights that exploitation is active but selective (they observed 18 distinct attacking IPs over an April 9–21 window) and that the exposed data is business-relevant (conversation history, transaction history, and unauthorized deletion of message sessions), not just “debug telemetry.”

Missing authentication on monitoring endpoints is a recurring failure mode in “internal tool” web stacks; what makes this one operationally important is that CrowdSec is reporting real exploitation activity against a popular AI workflow platform.

Who is impacted

  • Internet-exposed Langflow deployments running vulnerable releases of langflow or langflow-base.
  • Environments where monitoring endpoints are reachable from untrusted networks (direct exposure, permissive ingress, or misconfigured reverse proxies).

Package             | Affected versions (GitHub advisory) | Patched versions (GitHub advisory)
--------------------|-------------------------------------|-----------------------------------
langflow (pip)      | <= 1.7.0.dev44                      | 1.7.1
langflow-base (pip) | <= 0.6.9                            | 0.7.1

Note on scope ambiguity: CrowdSec states the advisory lists 1.7.1 as patched, while also noting NVD’s version-boundary language (“versions prior to 1.7.0.dev45 are affected”). If there is any version uncertainty in your environment, treat the system as exposed until you have verified the deployed artifact versions.

What to do now

  • Follow vendor remediation guidance and patch. CrowdSec’s guidance is explicit:

    Patch: Upgrade Langflow immediately. The public advisory lists 1.7.1 as the patched release, while NVD notes that versions prior to 1.7.0.dev45 are affected. If you are running an exposed Langflow instance and there is any version uncertainty in your environment, move to the latest supported secure release rather than splitting hairs over the exact boundary.

  • Inventory Langflow exposure:
    • identify all reachable Langflow instances (prod, dev, “quick docker runs”, PoCs)
    • confirm deployed package versions from deployed artifacts (not just dependency files)
  • If you cannot patch immediately, reduce exploitability by removing direct internet exposure (CrowdSec recommendation):

    If you cannot patch immediately, do not leave Langflow directly exposed to the internet. Restrict access behind a VPN, identity-aware proxy, or tightly scoped allowlist.

  • Detection/scoping:
    • review access logs for requests to /api/v1/monitor/messages, /api/v1/monitor/transactions, and /api/v1/monitor/messages/session/ from unexpected IPs
    • if you suspect data exposure or tampering, scope for unauthorized reads (conversation/transaction harvesting) and deletes (message session deletion), and rotate any secrets accessible to the Langflow host/runtime.
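As an added illustration of the log review above (this is not code from CrowdSec or the Langflow project), the Python script below classifies reverse-proxy access-log lines that hit the three advisory endpoints, separates successful reads and session deletions from blocked probes, and summarises them per source IP outside an assumed trusted range. The trusted range (TRUSTED_NETS), the sample log lines, addresses and session ids are all constructed for the example.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample: combined-format access log of a reverse proxy in front of Langflow; all values made up.
SAMPLE_LOG = """\
10.0.0.5 - - [20/Apr/2026:10:01:02 +0000] "GET /api/v1/monitor/messages?flow_id=f1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [20/Apr/2026:10:05:41 +0000] "GET /api/v1/monitor/transactions HTTP/1.1" 200 91230 "-" "python-requests/2.31"
203.0.113.7 - - [20/Apr/2026:10:05:44 +0000] "DELETE /api/v1/monitor/messages/session/sess-123 HTTP/1.1" 204 0 "-" "python-requests/2.31"
198.51.100.9 - - [20/Apr/2026:10:07:00 +0000] "GET /api/v1/monitor/messages HTTP/1.1" 401 0 "-" "curl/8.5"
10.0.0.5 - - [20/Apr/2026:10:08:10 +0000] "GET /api/v1/flows/ HTTP/1.1" 200 800 "-" "Mozilla/5.0"
"""
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
# Assumption: source ranges expected to reach the monitor API (VPN / admin subnet).
TRUSTED_NETS = [ip_network("10.0.0.0/8")]
# Routes named in the advisory: GET routes are matched exactly (a GET on the session path
# is not a message read); the DELETE route is matched by prefix since it carries the id.
READ_ROUTES = {"/api/v1/monitor/messages", "/api/v1/monitor/transactions"}
DELETE_PREFIX = "/api/v1/monitor/messages/session/"

def classify(line):
    """Return a finding dict for a monitor-API request, or None for any other line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = m["path"].split("?", 1)[0].rstrip("/")          # drop query string
    is_read = m["method"] == "GET" and path in READ_ROUTES
    is_delete = m["method"] == "DELETE" and path.startswith(DELETE_PREFIX)
    if not (is_read or is_delete):
        return None
    return {"ip": m["ip"], "kind": "delete" if is_delete else "read",
            "session": path[len(DELETE_PREFIX):] if is_delete else None,
            "status": int(m["status"]), "succeeded": m["status"][0] == "2",
            "trusted": any(ip_address(m["ip"]) in net for net in TRUSTED_NETS)}

def scan(log_text):
    """Per-IP summary of monitor-API hits from outside TRUSTED_NETS. A 2xx on a GET route is a
    likely unauthenticated read, on the DELETE route a likely tampered session; non-2xx hits
    are counted as 'blocked' so that probing of a patched instance stays visible."""
    report = {}
    for line in log_text.splitlines():
        f = classify(line)
        if f is None or f["trusted"]:
            continue
        e = report.setdefault(f["ip"], {"reads": 0, "deletes": 0, "blocked": 0, "sessions_deleted": []})
        e["blocked" if not f["succeeded"] else f["kind"] + "s"] += 1
        if f["succeeded"] and f["kind"] == "delete":
            e["sessions_deleted"].append(f["session"])
    return report
```

Any IP in the report with non-zero reads or deletes is a candidate for the exposure and tampering scoping described above; sessions_deleted gives the ids to reconcile against the Langflow database.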

Content is AI-assisted and reviewed by our team, but issues may be missed and best practices evolve rapidly; send corrections to [email protected]. Always consult official documentation and validate key implementation decisions before making design or security choices.
