Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
Unauthenticated and network-reachable (AV:N/PR:N), but scope is limited to build-event data and per-job cancellation for a known job ID, so C:L and A:L rather than High.
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
Lifecycle Timeline
6DescriptionNVD
IBM Langflow OSS 1.0.0 through 1.9.6 contains a missing authentication vulnerability in /api/v1/build_public_tmp/ endpoints that allows an unauthenticated attacker to read build event data or cancel jobs using a valid job identifier, resulting in information disclosure and denial of service.
AnalysisAI
Information disclosure and denial of service in IBM Langflow OSS 1.0.0 through 1.9.6 stem from missing authentication on the /api/v1/build_public_tmp/ endpoints, letting an unauthenticated attacker who supplies a valid job identifier read build event data or cancel running jobs. The flaw carries a CVSS 9.1 (AV:N/AC:L/PR:N/UI:N) and CWE-287 classification; there is no public exploit identified at time of analysis, and EPSS is low at 0.25% (17th percentile) with CISA SSVC recording no observed exploitation but flagging it as automatable.
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Recommended ActionAI
Within 24 hours: Identify all Langflow 1.0.0-1.9.6 deployments (especially internet-facing); restrict network access to /api/v1/build_public_tmp/ endpoints to internal/VPN-only via firewall or WAF rules; inventory active jobs and build data classifications. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Langflow before 1.3.0 allows unauthenticated remote code injection through the /api/v1/validate/code endpoint, enabling
Langflow versions up to and including 1.6.9 contain a chained vulnerability that enables account takeover and remote cod
Code injection in Langflow CSV Agent node before 1.8.0. The node hardcodes allow_dangerous_code=True, enabling arbitrary
Langflow has a third RCE vulnerability via exec_globals (EPSS 10.0%) allowing inclusion of untrusted code that executes
langflow <=1.0.18 is vulnerable to Remote Code Execution (RCE) as any component provided the code functionality and the
langflow v1.0.12 was discovered to contain a remote code execution (RCE) vulnerability via the PythonCodeTool component.
Langflow through 0.6.19 allows remote code execution if untrusted users are able to reach the "POST /api/v1/custom_compo
Langflow before 1.7.0.dev45 exposes multiple API endpoints without authentication, allowing unauthenticated access to us
Langflow versions prior to 1.0.13 suffer from a Privilege Escalation vulnerability, allowing a remote and low privileged
Langflow has a code injection vulnerability in the code component (EPSS 2.6%) enabling remote code execution through the
Langflow has an eval injection in eval_custom_component_code (EPSS 2.0%) enabling remote code execution through crafted
Remote code execution in IBM Langflow OSS 1.0.0 through 1.9.3 lets an unauthenticated attacker inject and run arbitrary
Same weakness CWE-287 – Improper Authentication
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-40401
GHSA-w636-w53p-5frh