Summary
Langflow: IDOR Vulnerability in `/api/v1/responses` Endpoint Allows Authenticated Attackers to Access Another User's Flow
References
Related vulnerabilities
- CRITICAL GHSA-H3M5-97JQ-QJRF
  OpenRemote Manager: removeAlarms cross-realm IDOR (bulk delete)
- HIGH GHSA-XHV3-Q4XX-349R
  stigmem-node: quarantine review surface exposes and mutates other tenants' quarantined facts (cross-tenant BOLA)
- HIGH GHSA-X26H-XMV8-GXF7
  stigmem-node: RTBF tombstones are mis-attributed and suppress reads tenant-blind (cross-tenant BOLA)
- HIGH GHSA-HJWC-26PJ-V3PM
  AgenticMail: Cross-agent task authorization bypass in AgenticMail API
- MEDIUM GHSA-JR45-52CW-69H5
  NL Portal Backend Libraries: Document contents remained downloadable by any logged-in user (incomplete fix of CVE-2026-49463)
- MEDIUM GHSA-2FJJ-QQG8-FG7X
  praisonai-platform: Authorization Bypass Through User-Controlled Key