Merge branch 'release-1.9.2' into docs-deployments-endpoints-add-telemetry

Author: mendonk

.secrets.baseline

@@ -7795,7 +7795,7 @@
         "filename": "src/lfx/src/lfx/base/models/unified_models/model_catalog.py",
         "hashed_secret": "d4c3d66fd0c38547a3c7a4c6bdc29c36911bc030",
         "is_verified": false,
-        "line_number": 306
+        "line_number": 307
       }
     ],
     "src/lfx/src/lfx/cli/serve_app.py": [
@@ -8245,5 +8245,5 @@
       }
     ]
   },
-  "generated_at": "2026-04-23T21:12:19Z"
+  "generated_at": "2026-04-24T19:11:48Z"
 }

docs/versioned_docs/version-1.9.0/Deployment/deployment-wxo.mdx

@@ -8,6 +8,14 @@ import Tabs from '@theme/Tabs';
 import TabItem from '@theme/TabItem';
 import PartialGlobalModelProviders from '@site/docs/_partial-global-model-providers.mdx';
 
+:::tip
+As of Langflow 1.9.2, the IBM watsonx Orchestrate deployments feature is behind a feature flag. To enable it, set the following environment variable before starting Langflow:
+
+```bash
+LANGFLOW_FEATURE_WXO_DEPLOYMENTS=true
+```
+:::
+
 Create a flow and deploy it to [IBM watsonx Orchestrate](https://www.ibm.com/docs/en/watsonx/watson-orchestrate/base?topic=getting-started-watsonx-orchestrate).
 
 Deploying a flow on IBM watsonx Orchestrate is different from the other Langflow deployment options.

docs/versioned_docs/version-1.9.0/Support/release-notes.mdx

@@ -112,6 +112,8 @@ For all changes, see the [Changelog](https://github.com/langflow-ai/langflow/rel
     This workflow packages a selected flow version for use in IBM watsonx Orchestrate.
     For more information, see [Deploy Langflow on watsonx Orchestrate](../Deployment/deployment-wxo.mdx).
 
+    As of Langflow 1.9.2, this feature is behind a feature flag. To enable it, set `LANGFLOW_FEATURE_WXO_DEPLOYMENTS=true` before starting Langflow.
+
 - **Policies** component (beta)
 
     The **Policies** component uses [ToolGuard](https://github.com/AgentToolkit/toolguard) to generate guard code from natural-language business policies and apply it to agent tools.

src/backend/base/langflow/api/utils/__init__.py

@@ -43,6 +43,7 @@
     build_graph_from_db,
     build_graph_from_db_no_cache,
     cascade_delete_flow,
+    scope_session_to_namespace,
     verify_public_flow_and_get_user,
 )
 
@@ -85,6 +86,7 @@
     "parse_value",
     "raise_error_if_astra_cloud_env",
     "remove_api_keys",
+    "scope_session_to_namespace",
     "validate_is_component",
     "verify_public_flow_and_get_user",
 ]

src/backend/base/langflow/api/utils/flow_utils.py

@@ -135,6 +135,26 @@ def compute_virtual_flow_id(identifier: str | uuid.UUID, flow_id: uuid.UUID) ->
     return uuid.uuid5(uuid.NAMESPACE_DNS, f"{identifier}_{flow_id}")
 
 
+def scope_session_to_namespace(session: str | None, namespace: str) -> str | None:
+    """Wrap a caller-supplied session ID under a (client_id, flow_id) namespace.
+
+    Mitigates CVE-2026-33017: an unauthenticated public-flow caller cannot
+    address a session that lives outside its own namespace through a Memory
+    component, regardless of whether the caller supplies a non-empty,
+    pre-prefixed, or empty string.
+
+    Returns ``None`` unchanged. Returns the value unchanged when it equals the
+    namespace or already starts with ``f"{namespace}:"``. Otherwise prefixes
+    it -- including the empty-string case, which becomes ``f"{namespace}:"``.
+    """
+    if session is None:
+        return session
+    prefix = f"{namespace}:"
+    if session == namespace or session.startswith(prefix):
+        return session
+    return f"{prefix}{session}"
+
+
 async def verify_public_flow_and_get_user(
     flow_id: uuid.UUID,
     client_id: str | None,

src/backend/base/langflow/api/v1/chat.py

@@ -31,6 +31,7 @@
     format_exception_message,
     get_top_level_vertices,
     parse_exception,
+    scope_session_to_namespace,
     verify_public_flow_and_get_user,
 )
 from langflow.api.v1.schemas import (
@@ -661,6 +662,9 @@ async def build_public_tmp(
     - The 'data' parameter is NOT accepted to prevent flow definition tampering
     - Public flows must execute the stored flow definition only
     - The flow definition is always loaded from the database
+    - Caller-supplied 'inputs.session' is namespaced under the (client_id,
+      flow_id) virtual flow ID so an unauthenticated caller cannot address a
+      session that lives outside its own namespace (CVE-2026-33017)
 
     The endpoint:
     1. Verifies the requested flow is marked as public in the database
@@ -703,6 +707,12 @@ async def build_public_tmp(
             authenticated_user_id=authenticated_user_id,
         )
 
+        # Defends CVE-2026-33017: scope caller session into the (client_id, flow_id) namespace.
+        if inputs is not None and inputs.session is not None:
+            scoped_session = scope_session_to_namespace(inputs.session, str(new_flow_id))
+            if scoped_session != inputs.session:
+                inputs = inputs.model_copy(update={"session": scoped_session})
+
         # Validate the stored flow data after the public-access boundary.
         # Public flows never accept client-supplied data.
         async with session_scope() as session:

src/backend/base/langflow/initial_setup/starter_projects/Document Q&A.json

@@ -1319,7 +1319,7 @@
                   },
                   {
                     "name": "langchain_core",
-                    "version": "1.3.1"
+                    "version": "1.3.2"
                   },
                   {
                     "name": "pydantic",

src/backend/base/langflow/initial_setup/starter_projects/Hybrid Search RAG.json

@@ -1521,7 +1521,7 @@
                   },
                   {
                     "name": "langchain_core",
-                    "version": "1.3.1"
+                    "version": "1.3.2"
                   },
                   {
                     "name": "lfx",

src/backend/base/langflow/initial_setup/starter_projects/Instagram Copywriter.json

@@ -2084,7 +2084,7 @@
                   },
                   {
                     "name": "langchain_core",
-                    "version": "1.3.1"
+                    "version": "1.3.2"
                   }
                 ],
                 "total_dependencies": 3

src/backend/base/langflow/initial_setup/starter_projects/Invoice Summarizer.json

@@ -1192,7 +1192,7 @@
                   },
                   {
                     "name": "langchain_core",
-                    "version": "1.3.1"
+                    "version": "1.3.2"
                   }
                 ],
                 "total_dependencies": 3