Skip to main content

IBM Langflow Desktop CVE-2026-4503

| EUVDEUVD-2026-26435 HIGH
Authorization Bypass Through User-Controlled Key (CWE-639)
2026-04-30 ibm
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

5
Analysis Generated
Apr 30, 2026 - 21:45 vuln.today
EUVD ID Assigned
Apr 30, 2026 - 21:15 euvd
EUVD-2026-26435
Analysis Generated
Apr 30, 2026 - 21:15 vuln.today
Patch released
Apr 30, 2026 - 21:15 nvd
Patch available
CVE Published
Apr 30, 2026 - 20:48 nvd
HIGH 7.5

DescriptionCVE.org

IBM Langflow Desktop 1.0.0 through 1.8.4 Langflow could allow an unauthenticated user to view other users' images due to an indirect object reference through a user-controlled key.

AnalysisAI

Unauthenticated remote disclosure of user-uploaded images in IBM Langflow Desktop 1.0.0-1.8.4 allows network attackers to enumerate and access other users' private images through predictable object references. With CVSS 7.5 (High) reflecting unauthenticated network exploitation, and EPSS data not provided, risk depends on whether installations expose the vulnerable endpoint to untrusted networks. No KEV listing or public exploit code identified at time of analysis, suggesting discovery through vendor security review rather than active exploitation.

Technical ContextAI

This is an Insecure Direct Object Reference (IDOR) vulnerability classified as CWE-639 (Authorization Bypass Through User-Controlled Key). IBM Langflow Desktop, a desktop application for the Langflow workflow orchestration platform, exposes an API endpoint or file access mechanism where image resources are referenced using user-controllable identifiers (likely sequential IDs, UUIDs, or filename-based keys). The application fails to verify that the authenticated session (or in this case, the requester) has authorization to access the requested image object. The CVSS vector AV:N indicates the vulnerable endpoint is network-accessible, suggesting Langflow Desktop runs a local web server or API service that accepts remote connections. The PR:N (No Privileges Required) metric confirms no authentication check occurs before serving image content, making this purely an authorization logic flaw where the application trusts client-supplied object references without server-side access control validation.

RemediationAI

Upgrade IBM Langflow Desktop to version 1.8.5 or later, which addresses the insecure direct object reference vulnerability per IBM's security advisory at https://www.ibm.com/support/pages/node/7271099. The exact patched version should be verified from the IBM advisory as the CVE record does not specify the fix release number. If immediate patching is not feasible, implement network-level access controls to restrict Langflow Desktop's web service ports to localhost (127.0.0.1) only, preventing remote exploitation-this mitigation breaks legitimate remote access scenarios and requires users to connect via VPN or SSH tunneling. Alternatively, deploy application-layer firewall rules permitting connections only from trusted IP ranges, though this introduces management overhead and does not eliminate risk from lateral movement by authenticated network attackers. Audit existing Langflow Desktop deployments to identify instances with network bindings beyond localhost, prioritizing remediation for externally exposed services.

Share

CVE-2026-4503 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy