Skip to main content

IBM Langflow EUVDEUVD-2026-40400

| CVE-2026-10564 HIGH
Server-Side Request Forgery (SSRF) (CWE-918)
2026-06-30 psirt@us.ibm.com GHSA-rqjv-px3w-v3w6
8.2
CVSS 3.1 · Vendor: us
Share

Severity by source

Vendor (us) PRIMARY
8.2 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
vuln.today AI
7.1 HIGH

Description states an authenticated attacker, so PR:L rather than PR:N; network low-complexity SSRF disclosing cloud credentials/metadata gives C:H with minor I:L and no availability impact.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (us).

CVSS VectorVendor: us

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jun 30, 2026 - 20:34 vuln.today
CVE Published
Jun 30, 2026 - 20:17 nvd
HIGH 8.2

DescriptionCVE.org

IBM Langflow OSS 1.0.0 through 1.9.6 contains a Server-Side Request Forgery (SSRF). The legacy RSSReaderComponent in rss.py and SearXNG component in searxng.py make unvalidated HTTP requests to user-controlled URLs, bypassing SSRF protections introduced in version 1.9.3. An authenticated attacker can exploit this to access internal resources including cloud metadata services (AWS/Azure/GCP IMDS), potentially exfiltrating IAM credentials and enumerating internal networks. The vulnerability can also be triggered through prompt injection in agentic workflows due to tool_mode=True exposure.

AnalysisAI

Server-Side Request Forgery in IBM Langflow OSS 1.0.0 through 1.9.6 lets an attacker coerce the application into making arbitrary HTTP requests via the legacy RSSReaderComponent (rss.py) and the SearXNG component (searxng.py), which fetch user-controlled URLs without validation. These two components bypass the SSRF protections that were added in version 1.9.3, allowing reach into internal resources such as AWS/Azure/GCP instance metadata (IMDS) to steal IAM credentials and enumerate internal networks. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate to Langflow or inject malicious prompt
Delivery
Configure RSSReader/SearXNG with metadata URL
Exploit
Server issues unvalidated request to 169.254.169.254
Execution
Bypass 1.9.3 SSRF controls
Persist
Receive IMDS IAM credentials
Impact
Pivot into cloud account and internal network

Vulnerability AssessmentAI

Exploitation Exploitation requires that the deployment use (or expose) the legacy RSSReaderComponent (rss.py) or the SearXNG component (searxng.py), the two components that bypass the SSRF validation added in 1.9.3 - any version 1.0.0 through 1.9.6 is in scope. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals are mostly consistent toward a real, prioritizable issue but contain one notable conflict. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An authenticated Langflow user - or an attacker who has injected a malicious prompt into an agentic workflow where these components run as tools with tool_mode=True - configures an RSSReader or SearXNG component to fetch http://169.254.169.254/latest/meta-data/iam/security-credentials/. The server makes the request from its own network position, bypassing the 1.9.3 SSRF controls, and returns the cloud IMDS response, exfiltrating temporary IAM credentials that are then used to pivot into the victim's cloud account. …
Remediation Consult the IBM advisory at https://www.ibm.com/support/pages/node/7277995 for the fixed release; the input does not include an exact patched version, so no vendor-released fixed version is independently confirmed at time of analysis - apply the remediation IBM specifies for builds after 1.9.6. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Audit all deployments of IBM Langflow OSS versions 1.0.0 through 1.9.6 to identify systems running RSSReaderComponent (rss.py) or SearXNG component (searxng.py) in production. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2025-3248 CRITICAL POC
9.8 Apr 07

Langflow before 1.3.0 allows unauthenticated remote code injection through the /api/v1/validate/code endpoint, enabling

CVE-2025-34291 CRITICAL POC
9.4 Dec 05

Langflow versions up to and including 1.6.9 contain a chained vulnerability that enables account takeover and remote cod

CVE-2026-27966 CRITICAL POC
9.8 Feb 26

Code injection in Langflow CSV Agent node before 1.8.0. The node hardcodes allow_dangerous_code=True, enabling arbitrary

CVE-2026-0770 CRITICAL POC
9.8 Jan 23

Langflow has a third RCE vulnerability via exec_globals (EPSS 10.0%) allowing inclusion of untrusted code that executes

CVE-2024-48061 CRITICAL POC
9.8 Nov 04

langflow <=1.0.18 is vulnerable to Remote Code Execution (RCE) as any component provided the code functionality and the

CVE-2024-42835 CRITICAL POC
9.8 Oct 31

langflow v1.0.12 was discovered to contain a remote code execution (RCE) vulnerability via the PythonCodeTool component.

CVE-2024-37014 CRITICAL POC
9.8 Jun 10

Langflow through 0.6.19 allows remote code execution if untrusted users are able to reach the "POST /api/v1/custom_compo

CVE-2026-21445 CRITICAL POC
9.1 Jan 02

Langflow before 1.7.0.dev45 exposes multiple API endpoints without authentication, allowing unauthenticated access to us

CVE-2024-7297 HIGH POC
8.8 Jul 30

Langflow versions prior to 1.0.13 suffer from a Privilege Escalation vulnerability, allowing a remote and low privileged

CVE-2026-0768 CRITICAL
9.8 Jan 23

Langflow has a code injection vulnerability in the code component (EPSS 2.6%) enabling remote code execution through the

CVE-2026-0769 CRITICAL
9.8 Jan 23

Langflow has an eval injection in eval_custom_component_code (EPSS 2.0%) enabling remote code execution through crafted

CVE-2026-10134 CRITICAL
10.0 Jun 30

Remote code execution in IBM Langflow OSS 1.0.0 through 1.9.3 lets an unauthenticated attacker inject and run arbitrary

Share

EUVD-2026-40400 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy