Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Network-reachable config feature exploitable by any low-privileged authenticated user (PR:L), no user interaction, yielding full host code execution, so C/I/A all High.
Primary rating from Vendor (ibm).
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionNVD
IBM Langflow OSS 1.0.0 through 1.10.0 Langflow could allow remote code execution due to incomplete validation enforcement on MCP server configuration files.
AnalysisAI
Remote code execution in IBM Langflow OSS 1.0.0 through 1.10.0 allows an authenticated remote attacker to run arbitrary code because validation is not fully enforced on Model Context Protocol (MCP) server configuration files, permitting injection of attacker-controlled commands or server definitions. IBM has published a fix advisory (node/7278932). …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires (1) network access to the Langflow OSS application and (2) an authenticated account with at least low privileges (CVSS PR:L), specifically the ability to create or modify an MCP server configuration file/definition - that MCP configuration path is the exact feature whose validation is incompletely enforced. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | This is a genuine priority for anyone running an exposed or multi-user Langflow instance. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker with a low-privileged account on an internet- or intranet-reachable Langflow instance submits or edits an MCP server configuration containing a malicious command definition; because validation is incompletely enforced, Langflow spawns the attacker's command and executes arbitrary code on the host. Given AV:N/AC:L, this can be driven remotely with a single crafted API request and no user interaction. … |
| Remediation | Patch available per vendor advisory - apply the update referenced in IBM's advisory at https://www.ibm.com/support/pages/node/7278932; the exact fixed version was not included in the provided data, so obtain it directly from that advisory (the affected band ends at 1.10.0, so upgrade to the first release IBM identifies as fixed). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours, inventory all IBM Langflow OSS instances across production and non-production environments, confirm current versions, and verify patch availability from IBM advisory node/7278932. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Langflow Oss
View allUnauthenticated remote code execution in IBM Langflow OSS versions 1.0.0 through 1.9.3 allows attackers to fully comprom
Code injection in IBM Langflow OSS versions 1.0.0 through 1.10.0 lets an authenticated user execute arbitrary operating-
Remote code execution in IBM Langflow OSS 1.0.0 through 1.10.0 allows attackers to run arbitrary code by planting a mali
Authenticated remote code execution in IBM Langflow OSS 1.0.0 through 1.10.0 lets any logged-in user run arbitrary Pytho
Privilege escalation to remote code execution in IBM Langflow OSS 1.0.0 through 1.10.0 allows an authenticated user to e
Arbitrary file write in IBM Langflow OSS 1.0.0 through 1.10.0 lets an attacker who controls an external HTTP server plan
Arbitrary Python code execution in IBM Langflow OSS 1.0.0 through 1.10.0 (Langflow versions up to 1.9.2) allows authenti
Insecure deserialization (CWE-502) in IBM Langflow OSS versions 1.0.0 through 1.10.0 lets any party with access to the b
Arbitrary code execution in IBM Langflow OSS versions 1.0.0 through 1.10.0 allows remote attackers to run code on the ho
Authorization bypass in IBM Langflow OSS 1.0.0 through 1.8.4 allows unauthenticated remote attackers to access protected
Improper authorization enforcement in IBM Langflow OSS 1.0.0 through 1.9.6 lets unauthenticated remote attackers reach p
Unauthenticated remote code execution in IBM Langflow OSS 1.0.0 through 1.10.0 stems from broken webhook authentication
Share
External POC / Exploit Code
Leaving vuln.today