CVE-2026-55255
Langflow · Langflow
An Insecure Direct Object Reference (IDOR) vulnerability in the Langflow /api/v1/responses endpoint allows authenticated attackers to execute unauthorized AI flows belonging to other users.
Executive summary
Langflow prior to version 1.9.2 contains a critical IDOR vulnerability that permits authenticated users to execute arbitrary AI workflows belonging to other accounts.
Vulnerability
The vulnerability exists in the /api/v1/responses endpoint, where insufficient authorization checks allow an authenticated attacker to manipulate flow IDs. By supplying a victim's flow ID, an attacker can bypass access controls and trigger execution of workflows they do not own.
Business impact
This flaw poses a significant risk to data integrity and confidentiality, as attackers can trigger unauthorized workflows, potentially leaking sensitive information or manipulating AI agent outputs. With a CVSS score of 9.9, this vulnerability could be exploited to cause widespread service abuse and cross-tenant data compromise.
Remediation
Immediate Action: Upgrade all Langflow instances to version 1.9.2 or later.
Proactive Monitoring: Review API access logs for requests to the /api/v1/responses endpoint, in particular requests whose flow ID belongs to a user other than the authenticated caller, and accounts that reference an unusually wide range of flow IDs.
Compensating Controls: Implement strict API gateway authentication and authorization policies to validate user ownership of resources before allowing workflow execution.
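The log review and ownership check described above, as an added defender-side example that is not Langflow's own code: the access-log layout, field names (user, flow_id) and the flow-ownership table are constructed assumptions, not Langflow's actual log format or data model.

```python
import re

# Constructed flow-ownership table (flow_id -> owning user); hypothetical values.
FLOW_OWNERS = {"flow-a1": "alice", "flow-b2": "bob", "flow-c3": "carol"}

# Constructed access-log lines. The layout is an assumption for this example,
# not Langflow's real log format.
SAMPLE_LOG = """\
2026-01-10T10:00:01Z user=alice POST /api/v1/responses flow_id=flow-a1 status=200
2026-01-10T10:00:05Z user=bob POST /api/v1/responses flow_id=flow-a1 status=200
2026-01-10T10:00:09Z user=bob POST /api/v1/responses flow_id=flow-b2 status=200
2026-01-10T10:00:12Z user=alice GET /api/v1/flows status=200
2026-01-10T10:00:15Z user=mallory POST /api/v1/responses flow_id=flow-c3 status=200
2026-01-10T10:00:20Z user=mallory POST /api/v1/responses flow_id=flow-zz status=404
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) (?P<method>\S+) (?P<path>\S+)"
    r"(?: flow_id=(?P<flow>\S+))? status=(?P<status>\d+)$"
)


def is_authorized(user, flow_id, owners):
    """Ownership check a gateway or the endpoint itself should enforce:
    the caller must own the flow it asks to run. Unknown flow IDs are
    denied, so the check fails closed."""
    return owners.get(flow_id) == user


def find_cross_user_executions(log_text, owners):
    """Flag /api/v1/responses requests that reference a flow the caller
    does not own. A 200 on a flow owned by someone else is a likely
    cross-user execution; a 404 on an unknown ID is a probe worth noting."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["path"] != "/api/v1/responses" or m["flow"] is None:
            continue
        if not is_authorized(m["user"], m["flow"], owners):
            findings.append({
                "ts": m["ts"], "user": m["user"], "flow_id": m["flow"],
                "owner": owners.get(m["flow"]), "status": int(m["status"]),
            })
    return findings


if __name__ == "__main__":
    for f in find_cross_user_executions(SAMPLE_LOG, FLOW_OWNERS):
        print(f)
```

On the sample input this reports bob running alice's flow, mallory running carol's flow, and mallory probing a non-existent flow ID.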
Exploitation status
Public Exploit Available: Unknown
Analyst recommendation
Organizations relying on Langflow for automated agent orchestration must apply the 1.9.2 patch immediately. The ability to execute other users' flows is a serious exposure that must be remediated to preserve the integrity of the AI deployment environment.