Severity by source
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N
Network-reachable SSRF needing an authenticated user (PR:L) and a hard-to-win DNS-rebinding race (AC:H); SSRF crosses trust boundary (S:C) exposing internal data (C:H) with limited integrity impact.
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N
Lifecycle Timeline
3DescriptionNVD
IBM Langflow OSS 1.0.0 through 1.9.3 contains a Server-Side Request Forgery (SSRF) vulnerability in the URL component ( src/lfx/src/lfx/components/data_source/url.py ) due to a Time-of-Check/Time-of-Use (TOCTOU) race condition that can be exploited via DNS rebinding.
AnalysisAI
Server-Side Request Forgery in IBM Langflow OSS 1.0.0 through 1.9.3 allows a low-privileged authenticated user to coerce the server into making attacker-controlled internal requests by abusing the URL data-source component, where a Time-of-Check/Time-of-Use race condition lets a hostname resolve to a safe address during validation and a private/internal address at fetch time (classic DNS rebinding). Exploitation is rated CVSS 7.1 with a scope change, reflecting that the server can be made to reach internal services beyond its own trust boundary; no public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires an authenticated, low-privileged account on the Langflow instance (PR:L) and the ability to invoke the URL data-source component with an attacker-supplied URL. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector (AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N, score 7.1) tells a consistent story: network-reachable but requiring some privileges (PR:L, an authenticated user able to invoke the URL component) and high attack complexity (AC:H) because the DNS-rebinding race must be won reliably. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker registers or obtains a low-privileged Langflow account, builds a flow using the URL component, and points it at a hostname they control whose DNS alternates between a public IP (passing validation) and an internal target such as the cloud metadata service. By winning the TOCTOU race via rapid DNS rebinding, the server fetches internal-only data (e.g. … |
| Remediation | Upgrade IBM Langflow OSS to a fixed release above 1.9.3 as specified in the IBM advisory at https://www.ibm.com/support/pages/node/7277560 (exact fixed version not stated in the available data - confirm against the advisory before deploying). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Audit all Langflow OSS deployments and identify running versions (1.0.0-1.9.3); restrict user access to essential personnel with business justification, disable public internet access. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Langflow before 1.3.0 allows unauthenticated remote code injection through the /api/v1/validate/code endpoint, enabling
Langflow versions up to and including 1.6.9 contain a chained vulnerability that enables account takeover and remote cod
Code injection in Langflow CSV Agent node before 1.8.0. The node hardcodes allow_dangerous_code=True, enabling arbitrary
Langflow has a third RCE vulnerability via exec_globals (EPSS 10.0%) allowing inclusion of untrusted code that executes
langflow <=1.0.18 is vulnerable to Remote Code Execution (RCE) as any component provided the code functionality and the
langflow v1.0.12 was discovered to contain a remote code execution (RCE) vulnerability via the PythonCodeTool component.
Langflow through 0.6.19 allows remote code execution if untrusted users are able to reach the "POST /api/v1/custom_compo
Langflow before 1.7.0.dev45 exposes multiple API endpoints without authentication, allowing unauthenticated access to us
Langflow versions prior to 1.0.13 suffer from a Privilege Escalation vulnerability, allowing a remote and low privileged
Langflow has a code injection vulnerability in the code component (EPSS 2.6%) enabling remote code execution through the
Langflow has an eval injection in eval_custom_component_code (EPSS 2.0%) enabling remote code execution through crafted
Remote code execution in IBM Langflow OSS 1.0.0 through 1.9.3 lets an unauthenticated attacker inject and run arbitrary
Same weakness CWE-918 – Server-Side Request Forgery (SSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-40402
GHSA-phxc-h9ch-q3gg