CVE-2026-33053

Detection Method: Kolega.dev Deep Code Scan

| Attribute | Value |

|---|---|

| Location | src/backend/base/langflow/api/v1/api_key.py:44-53 |

| Practical Exploitability | High |

| Developer Approver | faizan@kolega.ai |

Description

The deleteapikeyroute() endpoint accepts an apikeyid path parameter and deletes it with only a generic authentication check (getcurrentactiveuser dependency). However, the deleteapikey() CRUD function does NOT verify that the API key belongs to the current user before deletion.

Affected Code

@router.delete("/{api_key_id}", dependencies=[Depends(auth_utils.get_current_active_user)])
async def delete_api_key_route(
    api_key_id: UUID,
    db: DbSession,
):
    try:
        await delete_api_key(db, api_key_id)
    except Exception as e:
        raise HTTPException(status_code=400, detail=str(e)) from e
    return {"detail": "API Key deleted"}

Evidence

In crud.py lines 44-49, deleteapikey() retrieves the API key by ID and deletes it without checking if the key belongs to the authenticated user. The endpoint also doesn't pass the current_user to the delete function for verification.

Impact

An authenticated attacker can enumerate and delete API keys belonging to other users by guessing or discovering their API key IDs. This allows account takeover, denial of service, and disruption of other users' integrations.

Recommendation

Modify the deleteapikey endpoint and function: (1) Pass currentuser to the delete function; (2) In deleteapikey(), verify apikey.userid == currentuser.id before deletion; (3) Raise a 403 Forbidden error if the user doesn't own the key. Example: if apikey.userid != userid: raise HTTPException(statuscode=403, detail='Unauthorized')

Notes

Confirmed IDOR vulnerability. The deleteapikeyroute endpoint at line 44-53 accepts an apikeyid and calls deleteapikey(db, apikeyid) without passing the currentuser. The CRUD function deleteapikey() at crud.py:44-49 retrieves the API key by ID and deletes it without verifying ownership (apikey.userid == currentuser.id). Compare this to the GET endpoint at lines 17-28 which correctly filters by userid, and the POST endpoint at lines 31-41 which correctly associates the key with userid. An authenticated attacker can delete any user's API keys by guessing/enumerating UUIDs. Fix: Pass currentuser to deleteapikey and verify apikey.userid == current_user.id before deletion, returning 403 if unauthorized.

Developer Review Notes

Does not accept current_user as a parameter. Allowing deletion of any user's API keys even without permissions.