Three critical vulnerabilities have been detected in Langflow software, affecting versions prior to 1.9.2. The vulnerabilities are:
1. **CVE-2026-55255** - An Insecure Direct Object Reference (IDOR) bug allows attackers to hijack flows belonging to other users, because the flow's ownership is not checked against the requesting user's ID.
2. **CVE-2026-55447** - This flaw enables arbitrary file reads and remote code execution through improper extraction of TAR files, potentially exposing Langflow's secret keys.
3. **CVE-2026-55450** - Unauthenticated file uploads can exhaust server space, leading to Denial-of-Service (DoS) conditions.
Attackers could exploit these vulnerabilities to gain access to sensitive data and disrupt AI functionality. Administrators are urged to update to versions 1.9.1 or 1.9.2 immediately to mitigate the risks.
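As an added illustration of the second and third issues above (not Langflow's own code, and not the actual patch), the following Python check vets an uploaded tar archive before anything is written: it rejects link members and paths that resolve outside the destination, which is the usual way unsafe tar extraction turns into arbitrary file reads, and caps member and total sizes so a single upload cannot fill the disk. The precise mechanism of CVE-2026-55447 is not stated on the page, so the traversal/link handling is an assumption, and the size limits and `/srv/langflow/uploads` path are constructed values.

```python
import io
import tarfile
from pathlib import Path

# Constructed limits for this example; a deployment would tune them.
MAX_MEMBER_BYTES = 10 * 1024 * 1024
MAX_TOTAL_BYTES = 50 * 1024 * 1024


def vet_archive(data: bytes, dest: str) -> tuple[list[str], list[str]]:
    """Return (accepted member names, rejection reasons) for a tar archive
    about to be extracted into dest. Nothing is written to disk."""
    root = Path(dest).resolve()
    accepted, rejected, total = [], [], 0
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        for m in tar.getmembers():
            if m.issym() or m.islnk():
                # A link can point at files outside the upload directory, so a
                # later read of the extracted tree becomes a read of a host file.
                rejected.append(f"{m.name}: link member")
                continue
            if not (m.isfile() or m.isdir()):
                rejected.append(f"{m.name}: special file")
                continue
            target = (root / m.name).resolve()
            if target != root and root not in target.parents:
                # Absolute names and ../ sequences both land here.
                rejected.append(f"{m.name}: escapes destination")
                continue
            total += m.size
            if m.size > MAX_MEMBER_BYTES or total > MAX_TOTAL_BYTES:
                # Size caps guard against uploads that exhaust server space.
                rejected.append(f"{m.name}: size limit exceeded")
                continue
            accepted.append(m.name)
    return accepted, rejected


def build_tar(entries) -> bytes:
    """Constructed test archive: (name, content, symlink target) per entry."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, content, link in entries:
            info = tarfile.TarInfo(name)
            if link is not None:
                info.type = tarfile.SYMTYPE
                info.linkname = link
                tar.addfile(info)
            else:
                info.size = len(content)
                tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()
```

Only the names returned in the accepted list should be passed to `tarfile.extractall(members=...)`; rejecting the whole upload on any rejection is the stricter and simpler policy.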