Missing Authentication for Critical Function Affecting lfx package, versions [,0.4.2)


Severity

Recommended
0.0
high
0
10

CVSS assessment by Snyk's Security Team. Learn more

Threat Intelligence

Social Trends
Exploit Maturity
Proof of Concept
EPSS
0.31% (23rd percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk Learn

Learn about Missing Authentication for Critical Function vulnerabilities in an interactive lesson.

Start learning
  • Snyk IDSNYK-PYTHON-LFX-17400159
  • published22 Jun 2026
  • disclosed17 Jun 2026
  • creditOri Lahav

Introduced: 17 Jun 2026

NewCVE-2026-55450  (opens in a new tab)
CWE-306  (opens in a new tab)

How to fix?

Upgrade lfx to version 0.4.2 or higher.

Overview

lfx is a lfx is a command-line tool for running Langflow workflows. It provides two main commands: serve and run.

Affected versions of this package are vulnerable to Missing Authentication for Critical Function via the create_upload_file function. An attacker can exhaust server disk space and obtain sensitive file system information by uploading arbitrary files without authentication and receiving absolute file paths in the response.

CVSS Base Scores

version 4.0
version 3.1