Skip to main content

IBM Langflow CVE-2026-10129

| EUVDEUVD-2026-40405 HIGH
Server-Side Request Forgery (SSRF) (CWE-918)
2026-06-30 psirt@us.ibm.com GHSA-33xg-qw74-fhr3
8.5
CVSS 3.1 · Vendor: us
Share

Severity by source

Vendor (us) PRIMARY
8.5 HIGH
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N
vuln.today AI
8.5 HIGH

Authenticated flow-author (PR:L) over the network with low complexity; SSRF reaches other systems (S:C) and discloses sensitive data (C:H), limited integrity from forced requests (I:L), no availability impact.

3.1 AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:L/SI:N/SA:N

Primary rating from Vendor (us).

CVSS VectorVendor: us

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
Low
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jun 30, 2026 - 20:30 vuln.today

DescriptionCVE.org

IBM Langflow OSS 1.0.0 through 1.9.3 contains a Server-Side Request Forgery (SSRF) protection bypass vulnerability in the API Request component. An authenticated attacker with low-level privileges (flow author role) can bypass SSRF protections by enabling the follow_redirects parameter and supplying a public URL that redirects to internal/localhost addresses. The vulnerability exists because the application validates only the initial URL but does not re-validate redirect destinations. This allows attackers to access internal HTTP services, localhost endpoints, cloud metadata services, and private network resources that should be unreachable when SSRF protection is enabled. Successful exploitation can lead to disclosure of sensitive information including credentials, tokens, internal API responses, and administrative panel data.

AnalysisAI

Server-Side Request Forgery in IBM Langflow OSS 1.0.0 through 1.9.3 lets an authenticated flow-author bypass the API Request component's SSRF protections by toggling the follow_redirects parameter and pointing it at a benign public URL that redirects to internal or localhost targets. Because only the initial URL is validated and redirect destinations are not re-checked, attackers can pivot to cloud metadata services, localhost endpoints, and private-network HTTP services to exfiltrate credentials, tokens, and admin-panel data. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain low-privilege flow-author account
Delivery
Create flow with API Request component
Exploit
Enable follow_redirects, set public redirector URL
Execution
Server follows redirect to internal/metadata address
Persist
Retrieve internal response (credentials/tokens)
Impact
Use leaked secrets for further access

Vulnerability AssessmentAI

Exploitation Exploitation requires an authenticated account with the flow-author role (CVSS PR:L) and that the attacker enable the follow_redirects parameter on the API Request component - that toggle being on is the specific feature condition that triggers the bypass. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N, base 8.5) is internally consistent with the description: network-reachable, low-complexity, requires only low-privilege authenticated access (the flow-author role), no user interaction, with a scope change reflecting that the SSRF reaches systems beyond the Langflow process and high confidentiality impact from leaked credentials/metadata. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who holds (or phishes/compromises) a low-privilege flow-author account in a shared Langflow instance builds a flow with an API Request node, enables follow_redirects, and sets the URL to an attacker-controlled public server that 302-redirects to http://169.254.169.254/latest/meta-data/iam/security-credentials/. Langflow validates only the benign public URL, follows the redirect server-side, and returns the cloud IAM credentials to the attacker. …
Remediation Upgrade to the IBM-fixed Langflow OSS release noted in the vendor advisory at https://www.ibm.com/support/pages/node/7277561 (a fixed version above 1.9.3 is expected but the exact patched build is not stated in the available data - confirm directly with the advisory before deploying). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Audit all IBM Langflow OSS deployments to identify affected versions (1.0.0-1.9.3) and document current users with flow-author role. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2025-3248 CRITICAL POC
9.8 Apr 07

Langflow before 1.3.0 allows unauthenticated remote code injection through the /api/v1/validate/code endpoint, enabling

CVE-2025-34291 CRITICAL POC
9.4 Dec 05

Langflow versions up to and including 1.6.9 contain a chained vulnerability that enables account takeover and remote cod

CVE-2026-27966 CRITICAL POC
9.8 Feb 26

Code injection in Langflow CSV Agent node before 1.8.0. The node hardcodes allow_dangerous_code=True, enabling arbitrary

CVE-2026-0770 CRITICAL POC
9.8 Jan 23

Langflow has a third RCE vulnerability via exec_globals (EPSS 10.0%) allowing inclusion of untrusted code that executes

CVE-2024-48061 CRITICAL POC
9.8 Nov 04

langflow <=1.0.18 is vulnerable to Remote Code Execution (RCE) as any component provided the code functionality and the

CVE-2024-42835 CRITICAL POC
9.8 Oct 31

langflow v1.0.12 was discovered to contain a remote code execution (RCE) vulnerability via the PythonCodeTool component.

CVE-2024-37014 CRITICAL POC
9.8 Jun 10

Langflow through 0.6.19 allows remote code execution if untrusted users are able to reach the "POST /api/v1/custom_compo

CVE-2026-21445 CRITICAL POC
9.1 Jan 02

Langflow before 1.7.0.dev45 exposes multiple API endpoints without authentication, allowing unauthenticated access to us

CVE-2024-7297 HIGH POC
8.8 Jul 30

Langflow versions prior to 1.0.13 suffer from a Privilege Escalation vulnerability, allowing a remote and low privileged

CVE-2026-0768 CRITICAL
9.8 Jan 23

Langflow has a code injection vulnerability in the code component (EPSS 2.6%) enabling remote code execution through the

CVE-2026-0769 CRITICAL
9.8 Jan 23

Langflow has an eval injection in eval_custom_component_code (EPSS 2.0%) enabling remote code execution through crafted

CVE-2026-10134 CRITICAL
10.0 Jun 30

Remote code execution in IBM Langflow OSS 1.0.0 through 1.9.3 lets an unauthenticated attacker inject and run arbitrary

Share

CVE-2026-10129 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy