Langflow’s CVE-2026-21445 is a CISA KEV-confirmed authentication bypass (CVSS 9.1, CWE-306) affecting all versions prior to 1.7.0.dev45, allowing unauthenticated attackers to read conversation and transaction data or perform destructive deletions via exposed API endpoints. The vulnerability is listed in both CISA KEV and VulnCheck KEV, confirming active exploitation, and poses particular risk to organizations using Langflow to build or operate AI agents where data confidentiality and workflow integrity are critical. Immediate action is to restrict or take offline all pre-1.7.0.dev45 instances and upgrade to the patched release; post-patch, validate that all API endpoints return 401/403 to unauthenticated requests.
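One way to script the post-patch validation described above (an added example, not Langflow's or the advisory's own code): it sends unauthenticated GET requests only, because the affected endpoints also allow destructive deletions, and treats anything other than 401/403 as a failure. The base URL and the file of API paths are assumptions; supply the routes of your own deployment.

```python
import sys
import urllib.error
import urllib.request

DENIED = {401, 403}  # statuses expected for unauthenticated requests after patching

def probe(base_url, path, timeout=5):
    """Send one GET with no cookie, token or API key; return the HTTP status."""
    req = urllib.request.Request(base_url.rstrip("/") + path, method="GET")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status  # redirects are followed; a 200 login page is flagged too
    except urllib.error.HTTPError as exc:
        return exc.code

def audit(base_url, paths, fetch=probe):
    """Map each path to (verdict, status). Only 'denied' counts as a pass."""
    results = {}
    for path in paths:
        try:
            status = fetch(base_url, path)
        except OSError:  # URLError, timeouts, refused connections
            results[path] = ("unreachable", None)
            continue
        if status in DENIED:
            verdict = "denied"
        elif 200 <= status < 300:
            verdict = "exposed"  # content served without credentials
        else:
            verdict = "review"   # 404/5xx etc. do not prove auth is enforced
        results[path] = (verdict, status)
    return results

def failures(results):
    """Paths that did not return 401/403."""
    return sorted(p for p, (verdict, _) in results.items() if verdict != "denied")

if __name__ == "__main__":
    # Usage (hypothetical names): python check_auth.py <base-url> <file-with-one-path-per-line>
    base, path_file = sys.argv[1], sys.argv[2]
    with open(path_file) as fh:
        paths = [line.strip() for line in fh if line.strip()]
    results = audit(base, paths)
    for p, (verdict, status) in sorted(results.items()):
        print(f"{verdict:12} {status} {p}")
    sys.exit(1 if failures(results) else 0)
```

The non-zero exit code on any failure lets the check gate a deployment pipeline or run on a schedule against every Langflow instance in inventory.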