GHSA-7hw8-6q6r-4276MediumCVSS 6.1

Langflow: Logout button does not clear session

Published
June 19, 2026
Last Modified
June 19, 2026

🔗 CVE IDs covered (1)

📋 Description

Summary

The logout button does not clear the session. The previous user stays logged in unless another user explicitly logs in.

Details

Not in auto login mode. Hosted on localhost. access_token_lf remains present in both Local Storage and Cookies. refresh_token_lf remains present in Cookies.

Root cause: the /logout endpoint deleted the authentication cookies without matching the original httponly/samesite/secure/domain parameters, so the browser kept them; additionally the frontend did not clear the auth cookies on logout.

LANGFLOW_AUTO_LOGIN: "False"
LANGFLOW_SUPERUSER: <set>
LANGFLOW_SUPERUSER_PASSWORD: <set>
LANGFLOW_SECRET_KEY: <set>
LANGFLOW_NEW_USER_IS_ACTIVE: "False"
LANGFLOW_ENABLE_SUPERUSER_CLI: "False"

PoC

Click Logout. Hit refresh to return to previous screen.

Impact

Users on shared computers may falsely believe they have terminated their session.

Patches

Fixed in 1.7.0 (PRs #10527 and #10528). The logout endpoint now deletes the auth cookies using the same parameters they were created with, and the frontend clears the auth cookies on logout. Upgrade to 1.7.0 or later.

🎯 Affected products1

  • pip/langflow:< 1.7.0

🔗 References (4)