Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Network-accessible SSRF requiring low-privilege authentication (PR:L); limited confidentiality and integrity impact from unauthorized request forwarding; no availability impact.
Primary rating from Vendor (ibm).
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Lifecycle Timeline
1DescriptionNVD
IBM Langflow Desktop 1.0.0 through 1.9.2 IBM Langflow is vulnerable to server-side request forgery (SSRF). This may allow an authenticated attacker to send unauthorized requests from the system, potentially leading to network enumeration or facilitating other attacks.
AnalysisAI
Server-side request forgery in IBM Langflow Desktop 1.0.0 through 1.9.2 enables authenticated network-based attackers to coerce the application into issuing arbitrary outbound HTTP requests on their behalf. The vulnerability, classified under CWE-918, can expose internal network topology by proxying requests through the server to otherwise inaccessible hosts, and may serve as a stepping stone for further lateral movement or credential harvesting from cloud metadata services. No public exploit code has been identified at time of analysis, and a vendor-released patch is available via IBM advisory.
Technical ContextAI
IBM Langflow Desktop is a visual, flow-based development environment for constructing AI and large-language-model pipelines. CWE-918 (Server-Side Request Forgery) arises when an application fetches a remote resource based on user-supplied input without sufficiently validating or restricting the target URL, allowing the application server itself to act as an unintended proxy. In this context, attacker-controlled URLs can be directed at internal RFC-1918 addresses, localhost services, or cloud instance metadata endpoints (e.g., 169.254.169.254), bypassing perimeter controls. The affected CPE is cpe:2.3:a:ibm:langflow_desktop:*:*:*:*:*:*:*:*, covering all Desktop releases from 1.0.0 through 1.9.2. The CVSS vector AV:N/AC:L/PR:L reflects that the attack surface is the network-accessible application interface and only low-privileged credentials are needed.
RemediationAI
Patch available per vendor advisory - apply the update referenced at https://www.ibm.com/support/pages/node/7275444 as the primary remediation step; the exact patched version number is not specified in the available input data and should be confirmed directly from that advisory. If immediate patching is not feasible, restrict outbound network egress from the host running IBM Langflow Desktop using host-based firewall rules or network-layer controls to deny connections to RFC-1918 address ranges, loopback, and cloud metadata IP ranges (e.g., 169.254.169.254, 100.100.100.200); note that this may interfere with legitimate external integrations in Langflow workflows. Additionally, enforce least-privilege access controls to limit which users can authenticate to the Langflow Desktop interface, reducing the pool of potential attackers.
Same weakness CWE-918 – Server-Side Request Forgery (SSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36254
GHSA-wvfv-3qjh-qwxj