Severity by source
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Network-reachable HTTP service, auth bypass gives PR:N, no user interaction, Python isolation escape changes scope to the host yielding S:C with full host C/I/A impact.
Primary rating from Vendor (ibm).
CVSS Vector (NVD)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Description (NVD)
IBM Langflow OSS 1.0.0 through 1.9.3 has a vulnerability due to improper isolation of Python execution combined with an authentication bypass, which allows an unauthenticated attacker to execute arbitrary code on the host system, resulting in complete compromise.
Analysis (AI)
Unauthenticated remote code execution in IBM Langflow OSS versions 1.0.0 through 1.9.3 allows attackers to fully compromise the host by bypassing authentication and abusing improper Python execution isolation. The maximum CVSS 10.0 score (AV:N/AC:L/PR:N/UI:N with scope change) reflects trivial network-based exploitation against any internet-exposed instance, though no public exploit was identified at the time of analysis. …
Vulnerability Assessment (AI)
| Aspect | Assessment |
| --- | --- |
| Exploitation | No special conditions: remote unauthenticated exploitation against default configurations of IBM Langflow OSS 1.0.0 through 1.9.3, requiring only network reachability to the Langflow HTTP/API service. … |
| Risk Assessment | Risk is at the top of the scale and should be treated as a priority-1 patch. … |
| Exploit Scenario | An attacker scans the internet for Langflow's default HTTP port, sends a single unauthenticated request to the vulnerable endpoint that bypasses the auth check, and supplies a Python payload that is evaluated outside the intended isolation, yielding shell access as the Langflow service user. From there they pivot to harvest LLM provider API keys, database credentials, and stored flow definitions, then move laterally inside the cluster. … |
| Remediation | Patch available per vendor advisory: upgrade IBM Langflow OSS to the fixed release identified in IBM Security Bulletin https://www.ibm.com/support/pages/node/7277242 (the exact fix version should be taken from that bulletin, as it is not enumerated in the CVE record). … |
Recommended Action (AI)
Within 24 hours: Complete inventory of Langflow OSS deployments and assess internet exposure. …
References
EUVD-2026-38245
GHSA-frvg-495w-m47v