VulnWatch VulnWatch
← Back to dashboard
Medium github · GHSA-7hw8-6q6r-4276

Langflow: Logout button does not clear session

Published Jun 19, 2026 CVSS 6.1

Summary

The logout button does not clear the session. The previous user stays logged in unless another user explicitly logs in.

Details

Not in auto login mode. Hosted on localhost. access_token_lf remains present in both Local Storage and Cookies. refresh_token_lf remains present in Cookies.

Root cause: the /logout endpoint deleted the authentication cookies without matching the original httponly/samesite/secure/domain parameters, so the browser kept them; additionally the frontend did not clear the auth cookies on logout.

LANGFLOW_AUTO_LOGIN: "False"
LANGFLOW_SUPERUSER: 
LANGFLOW_SUPERUSER_PASSWORD: 
LANGFLOW_SECRET_KEY: 
LANGFLOW_NEW_USER_IS_ACTIVE: "False"
LANGFLOW_ENABLE_SUPERUSER_CLI: "False"

PoC

Click Logout. Hit refresh to return to previous screen.

Impact

Users on shared computers may falsely believe they have terminated their session.

Patches

Fixed in 1.7.0 (PRs #10527 and #10528). The logout endpoint now deletes the auth cookies using the same parameters they were created with, and the frontend clears the auth cookies on logout. Upgrade to 1.7.0 or later.

Affected AI Products

langflow
View original source
Get the weekly digest. Every Monday: top AI security stories of the week. Free.