Skip to main content

IBM Langflow OSS CVE-2026-7663

| EUVDEUVD-2026-40384 CRITICAL
Improper Authorization (CWE-285)
2026-06-30 ibm GHSA-5wjx-cxqm-p8r4
9.8
CVSS 3.1 · NVD
Share

Severity by source

Vendor (ibm) PRIMARY
CRITICAL
qualitative
NVD
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
9.8 CRITICAL

Network-reachable MCP endpoint with no authentication or interaction (AV:N/AC:L/PR:N/UI:N); missing authorization yields unauthorized resource access and operation execution, supporting high confidentiality and integrity, with availability high retained per vendor rating.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (ibm).

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Updated
Jul 02, 2026 - 18:29 vuln.today
v3 (cvss_changed)
Analysis Updated
Jul 02, 2026 - 18:29 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jul 02, 2026 - 18:22 vuln.today
cvss_changed
CVSS changed
Jul 02, 2026 - 18:22 NVD
9.1 (CRITICAL) 9.8 (CRITICAL)
Analysis Generated
Jun 30, 2026 - 19:53 vuln.today

DescriptionNVD

IBM Langflow OSS 1.0.0 through 1.9.6 could allow unauthenticated attackers to access protected MCP project resources and execute MCP operations due to improper authorization enforcement in the Streamable MCP transport endpoint.

AnalysisAI

Improper authorization enforcement in IBM Langflow OSS 1.0.0 through 1.9.6 lets unauthenticated remote attackers reach protected MCP (Model Context Protocol) project resources and invoke MCP operations through the Streamable MCP transport endpoint. Because the flaw bypasses authentication entirely on a network-facing endpoint and is rated CVSS 9.8 with full confidentiality, integrity, and availability impact, any exposed Langflow instance is at risk. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Reach Streamable MCP endpoint over network
Delivery
Send unauthenticated MCP request
Exploit
Bypass missing authorization check
Execution
Access protected MCP project resources
Impact
Execute MCP operations

Vulnerability AssessmentAI

Exploitation Exploitation requires network reach to the Langflow OSS Streamable MCP transport endpoint on an affected instance (versions 1.0.0-1.9.6) that has MCP project resources configured/exposed; per CVSS PR:N/UI:N no authentication or user interaction is needed, so any exposed endpoint is directly reachable by unauthenticated remote attackers. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The signals are mostly aligned toward a genuine, high-priority network exposure but with a nuance. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who can reach a Langflow OSS instance's Streamable MCP endpoint over the network sends crafted requests to the transport without any credentials, and because authorization is not enforced, the server returns protected MCP project resources and executes MCP operations on the attacker's behalf. No user interaction or prior authentication is needed, so an internet-exposed instance can be abused directly; no public proof-of-concept has been identified at time of analysis.
Remediation Patch available per vendor advisory: IBM has released a fix, so upgrade Langflow OSS to the vendor-specified fixed release above 1.9.6 as documented at https://www.ibm.com/support/pages/node/7277570 (consult that advisory for the exact patched version, which is not enumerated in the available data). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all Langflow OSS instances and identify those running versions 1.0.0-1.9.6; segregate affected systems from untrusted networks if patching cannot occur immediately. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-7663 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy