Langflow carries an actively exploited, CISA KEV-listed critical vulnerability (CVE-2026-21445, CVSS 9.1) that exposes conversation data and transaction histories to unauthenticated remote attackers, with confirmed exploitation in the wild. All instances running versions prior to 1.7.0.dev45 must be treated as immediately at risk; internet-facing deployments should be isolated behind authenticated access controls without delay. Upgrading to Langflow 1.7.0.dev45 or later is the required remediation, followed by post-patch validation that authentication is enforced on all affected API endpoints.
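
The fixed version named above is a development release, which plain string or numeric comparison mis-orders (for example, `1.7.0.dev45` sorts before `1.7.0`, and `1.10.0` after `1.7.0`). As an added example, not code from the advisory or the Langflow project, this script triages a constructed inventory against 1.7.0.dev45 using PEP 440 ordering; it assumes version strings follow PEP 440, and the host names and helper functions are hypothetical.

```python
import re

FIXED = "1.7.0.dev45"  # first fixed version, as stated in the advisory

_PEP440 = re.compile(
    r"^v?(\d+(?:\.\d+)*)"          # release segment, e.g. 1.7.0
    r"(?:[._-]?(a|b|rc)(\d+))?"    # optional pre-release
    r"(?:[._-]?post(\d+))?"        # optional post-release
    r"(?:[._-]?dev(\d+))?$",       # optional dev release
    re.IGNORECASE,
)
_PHASE = {"a": 0, "b": 1, "rc": 2}

def sort_key(version: str):
    """Build a tuple that orders versions the way PEP 440 does."""
    m = _PEP440.match(version.strip())
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    rel, phase, pre_n, post_n, dev_n = m.groups()
    release = [int(p) for p in rel.split(".")]
    while len(release) > 1 and release[-1] == 0:
        release.pop()               # 1.7 and 1.7.0 compare equal
    if phase:
        pre = (_PHASE[phase.lower()], int(pre_n))
    elif dev_n is not None and post_n is None:
        pre = (-1, 0)               # bare .devN sorts before a/b/rc
    else:
        pre = (3, 0)                # final (or post) release
    post = int(post_n) if post_n is not None else -1
    dev = int(dev_n) if dev_n is not None else float("inf")
    return (tuple(release), pre, post, dev)

def is_affected(version: str) -> bool:
    return sort_key(version) < sort_key(FIXED)

def status(version: str) -> str:
    try:
        return "affected" if is_affected(version) else "fixed"
    except ValueError:
        return "unknown"            # e.g. a "latest" tag: inspect by hand

def triage(inventory: dict) -> dict:
    return {host: status(v) for host, v in inventory.items()}

# Constructed inventory (hypothetical hosts), not data from the advisory.
INVENTORY = {"lf-legacy": "1.6.9", "lf-dev": "1.7.0.dev44",
             "lf-patched": "1.7.0.dev45", "lf-new": "1.10.0", "lf-tag": "latest"}

if __name__ == "__main__":
    for host, state in triage(INVENTORY).items():
        print(f"{host:12} {INVENTORY[host]:14} {state}")
```

Hosts reported as `unknown` carry a version string that cannot be ordered and should be treated as at risk until the installed version is confirmed.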