Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
Description states an authenticated attacker, so PR:L rather than PR:N; network low-complexity SSRF disclosing cloud credentials/metadata gives C:H with minor I:L and no availability impact.
Primary rating from Vendor (us).
CVSS VectorVendor: us
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
IBM Langflow OSS 1.0.0 through 1.9.6 contains a Server-Side Request Forgery (SSRF). The legacy RSSReaderComponent in rss.py and SearXNG component in searxng.py make unvalidated HTTP requests to user-controlled URLs, bypassing SSRF protections introduced in version 1.9.3. An authenticated attacker can exploit this to access internal resources including cloud metadata services (AWS/Azure/GCP IMDS), potentially exfiltrating IAM credentials and enumerating internal networks. The vulnerability can also be triggered through prompt injection in agentic workflows due to tool_mode=True exposure.
AnalysisAI
Server-Side Request Forgery in IBM Langflow OSS 1.0.0 through 1.9.6 lets an attacker coerce the application into making arbitrary HTTP requests via the legacy RSSReaderComponent (rss.py) and the SearXNG component (searxng.py), which fetch user-controlled URLs without validation. These two components bypass the SSRF protections that were added in version 1.9.3, allowing reach into internal resources such as AWS/Azure/GCP instance metadata (IMDS) to steal IAM credentials and enumerate internal networks. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that the deployment use (or expose) the legacy RSSReaderComponent (rss.py) or the SearXNG component (searxng.py), the two components that bypass the SSRF validation added in 1.9.3 - any version 1.0.0 through 1.9.6 is in scope. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Signals are mostly consistent toward a real, prioritizable issue but contain one notable conflict. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An authenticated Langflow user - or an attacker who has injected a malicious prompt into an agentic workflow where these components run as tools with tool_mode=True - configures an RSSReader or SearXNG component to fetch http://169.254.169.254/latest/meta-data/iam/security-credentials/. The server makes the request from its own network position, bypassing the 1.9.3 SSRF controls, and returns the cloud IMDS response, exfiltrating temporary IAM credentials that are then used to pivot into the victim's cloud account. … |
| Remediation | Consult the IBM advisory at https://www.ibm.com/support/pages/node/7277995 for the fixed release; the input does not include an exact patched version, so no vendor-released fixed version is independently confirmed at time of analysis - apply the remediation IBM specifies for builds after 1.9.6. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Audit all deployments of IBM Langflow OSS versions 1.0.0 through 1.9.6 to identify systems running RSSReaderComponent (rss.py) or SearXNG component (searxng.py) in production. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Langflow before 1.3.0 allows unauthenticated remote code injection through the /api/v1/validate/code endpoint, enabling
Langflow versions up to and including 1.6.9 contain a chained vulnerability that enables account takeover and remote cod
Code injection in Langflow CSV Agent node before 1.8.0. The node hardcodes allow_dangerous_code=True, enabling arbitrary
Langflow has a third RCE vulnerability via exec_globals (EPSS 10.0%) allowing inclusion of untrusted code that executes
langflow <=1.0.18 is vulnerable to Remote Code Execution (RCE) as any component provided the code functionality and the
langflow v1.0.12 was discovered to contain a remote code execution (RCE) vulnerability via the PythonCodeTool component.
Langflow through 0.6.19 allows remote code execution if untrusted users are able to reach the "POST /api/v1/custom_compo
Langflow before 1.7.0.dev45 exposes multiple API endpoints without authentication, allowing unauthenticated access to us
Langflow versions prior to 1.0.13 suffer from a Privilege Escalation vulnerability, allowing a remote and low privileged
Langflow has a code injection vulnerability in the code component (EPSS 2.6%) enabling remote code execution through the
Langflow has an eval injection in eval_custom_component_code (EPSS 2.0%) enabling remote code execution through crafted
Remote code execution in IBM Langflow OSS 1.0.0 through 1.9.3 lets an unauthenticated attacker inject and run arbitrary
Same weakness CWE-918 – Server-Side Request Forgery (SSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-40400
GHSA-rqjv-px3w-v3w6