
IBM Langflow OSS CVE-2026-7664
EUVD-2026-38281 · CRITICAL
Improper Authentication (CWE-287)
2026-06-22 · ibm · GHSA-4pf4-j777-cgmf
CVSS 3.1 score 9.8 · Vendor: ibm

Severity by source

Vendor (ibm), primary: 9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

vuln.today AI: 9.8 CRITICAL
Streamable MCP endpoint is network-reachable and lacks auth enforcement, so AV:N/AC:L/PR:N/UI:N; unauthenticated MCP operations expose data and allow tool invocation, giving C:H/I:H/A:H.
CVSS 3.1: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS 4.0: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (ibm).

CVSS Vector (Vendor: ibm)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

1. Analysis Generated: Jun 22, 2026, 16:01 (vuln.today)

Description (CVE.org)

IBM Langflow OSS 1.0.0 through 1.8.4 could allow unauthenticated attackers to access protected MCP project resources and execute MCP operations due to improper authorization enforcement in the Streamable MCP transport endpoint.

Analysis (AI)

Authorization bypass in IBM Langflow OSS 1.0.0 through 1.8.4 allows unauthenticated remote attackers to access protected Model Context Protocol (MCP) project resources and invoke MCP operations through the Streamable MCP transport endpoint. The CVSS 9.8 rating reflects unauthenticated network exploitation with full confidentiality, integrity, and availability impact, though no public exploit was identified at the time of analysis and the flaw is not currently listed in CISA KEV.


Attack Chain (AI derived)

Hypothetical attack flow derived from CVE metadata

Access: Discover exposed Langflow MCP endpoint
Delivery: Send unauthenticated request to Streamable transport
Exploit: Bypass authorization on MCP routes
Execution: Enumerate MCP projects and resources
Persist: Invoke MCP operations and connected tools
Impact: Exfiltrate data or pivot via tool integrations

Vulnerability Assessment (AI)

Exploitation: Exploitation requires network reachability to a Langflow OSS instance running version 1.0.0 through 1.8.4 with the Streamable MCP transport endpoint enabled and exposed; no credentials, user interaction, or non-default settings are needed because authorization is missing on that endpoint by default in vulnerable builds. …
Risk Assessment: All available signals point to a high-priority issue: the CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H describes a network-reachable bug exploitable without credentials, user interaction, or special conditions, and the CWE-287 classification plus the vendor's own description of unauthenticated access to MCP resources reinforce that reading. …
Exploit Scenario: An attacker who can reach a Langflow OSS 1.0.0-1.8.4 instance over the network sends crafted HTTP requests directly to the Streamable MCP transport endpoint without supplying credentials, and the server processes them as if they were authorized. From there the attacker enumerates MCP projects, reads protected resources, and triggers MCP operations such as invoking connected tools or modifying project state, potentially pivoting into downstream systems wired into those tools. …
Remediation: Patch available per vendor advisory at https://www.ibm.com/support/pages/node/7277243; administrators should upgrade IBM Langflow OSS to the fixed release identified by IBM (exact fixed version not stated in the input data, so confirm directly from the advisory) and avoid running any 1.0.0-1.8.4 build on reachable networks. …

Recommended Action (AI)

Within 24 hours: Identify all systems running IBM Langflow OSS 1.0.0-1.8.4; take publicly accessible instances offline or restrict network access until patched. …
