Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Network-reachable MCP endpoint with no authentication or interaction (AV:N/AC:L/PR:N/UI:N); missing authorization yields unauthorized resource access and operation execution, supporting high confidentiality and integrity, with availability high retained per vendor rating.
Primary rating from Vendor (ibm).
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
5DescriptionNVD
IBM Langflow OSS 1.0.0 through 1.9.6 could allow unauthenticated attackers to access protected MCP project resources and execute MCP operations due to improper authorization enforcement in the Streamable MCP transport endpoint.
AnalysisAI
Improper authorization enforcement in IBM Langflow OSS 1.0.0 through 1.9.6 lets unauthenticated remote attackers reach protected MCP (Model Context Protocol) project resources and invoke MCP operations through the Streamable MCP transport endpoint. Because the flaw bypasses authentication entirely on a network-facing endpoint and is rated CVSS 9.8 with full confidentiality, integrity, and availability impact, any exposed Langflow instance is at risk. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires network reach to the Langflow OSS Streamable MCP transport endpoint on an affected instance (versions 1.0.0-1.9.6) that has MCP project resources configured/exposed; per CVSS PR:N/UI:N no authentication or user interaction is needed, so any exposed endpoint is directly reachable by unauthenticated remote attackers. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The signals are mostly aligned toward a genuine, high-priority network exposure but with a nuance. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who can reach a Langflow OSS instance's Streamable MCP endpoint over the network sends crafted requests to the transport without any credentials, and because authorization is not enforced, the server returns protected MCP project resources and executes MCP operations on the attacker's behalf. No user interaction or prior authentication is needed, so an internet-exposed instance can be abused directly; no public proof-of-concept has been identified at time of analysis. |
| Remediation | Patch available per vendor advisory: IBM has released a fix, so upgrade Langflow OSS to the vendor-specified fixed release above 1.9.6 as documented at https://www.ibm.com/support/pages/node/7277570 (consult that advisory for the exact patched version, which is not enumerated in the available data). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Inventory all Langflow OSS instances and identify those running versions 1.0.0-1.9.6; segregate affected systems from untrusted networks if patching cannot occur immediately. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Langflow Oss
View allUnauthenticated remote code execution in IBM Langflow OSS versions 1.0.0 through 1.9.3 allows attackers to fully comprom
Code injection in IBM Langflow OSS versions 1.0.0 through 1.10.0 lets an authenticated user execute arbitrary operating-
Insecure deserialization (CWE-502) in IBM Langflow OSS versions 1.0.0 through 1.10.0 lets any party with access to the b
Arbitrary code execution in IBM Langflow OSS versions 1.0.0 through 1.10.0 allows remote attackers to run code on the ho
Authorization bypass in IBM Langflow OSS 1.0.0 through 1.8.4 allows unauthenticated remote attackers to access protected
Credential disclosure in IBM Langflow OSS versions 1.0.0 through 1.10.0 stems from a weak, reversible key-derivation mec
Insecure direct object reference (IDOR) in IBM Langflow OSS 1.0.0 through 1.9.1 allows an authenticated user to read or
Same weakness CWE-285 – Improper Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-40384
GHSA-5wjx-cxqm-p8r4