Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N
Authenticated flow-author (PR:L) over the network with low complexity; SSRF reaches other systems (S:C) and discloses sensitive data (C:H), limited integrity from forced requests (I:L), no availability impact.
Primary rating from Vendor (us).
CVSS VectorVendor: us
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N
Lifecycle Timeline
1DescriptionCVE.org
IBM Langflow OSS 1.0.0 through 1.9.3 contains a Server-Side Request Forgery (SSRF) protection bypass vulnerability in the API Request component. An authenticated attacker with low-level privileges (flow author role) can bypass SSRF protections by enabling the follow_redirects parameter and supplying a public URL that redirects to internal/localhost addresses. The vulnerability exists because the application validates only the initial URL but does not re-validate redirect destinations. This allows attackers to access internal HTTP services, localhost endpoints, cloud metadata services, and private network resources that should be unreachable when SSRF protection is enabled. Successful exploitation can lead to disclosure of sensitive information including credentials, tokens, internal API responses, and administrative panel data.
AnalysisAI
Server-Side Request Forgery in IBM Langflow OSS 1.0.0 through 1.9.3 lets an authenticated flow-author bypass the API Request component's SSRF protections by toggling the follow_redirects parameter and pointing it at a benign public URL that redirects to internal or localhost targets. Because only the initial URL is validated and redirect destinations are not re-checked, attackers can pivot to cloud metadata services, localhost endpoints, and private-network HTTP services to exfiltrate credentials, tokens, and admin-panel data. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires an authenticated account with the flow-author role (CVSS PR:L) and that the attacker enable the follow_redirects parameter on the API Request component - that toggle being on is the specific feature condition that triggers the bypass. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N, base 8.5) is internally consistent with the description: network-reachable, low-complexity, requires only low-privilege authenticated access (the flow-author role), no user interaction, with a scope change reflecting that the SSRF reaches systems beyond the Langflow process and high confidentiality impact from leaked credentials/metadata. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who holds (or phishes/compromises) a low-privilege flow-author account in a shared Langflow instance builds a flow with an API Request node, enables follow_redirects, and sets the URL to an attacker-controlled public server that 302-redirects to http://169.254.169.254/latest/meta-data/iam/security-credentials/. Langflow validates only the benign public URL, follows the redirect server-side, and returns the cloud IAM credentials to the attacker. … |
| Remediation | Upgrade to the IBM-fixed Langflow OSS release noted in the vendor advisory at https://www.ibm.com/support/pages/node/7277561 (a fixed version above 1.9.3 is expected but the exact patched build is not stated in the available data - confirm directly with the advisory before deploying). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Audit all IBM Langflow OSS deployments to identify affected versions (1.0.0-1.9.3) and document current users with flow-author role. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Langflow before 1.3.0 allows unauthenticated remote code injection through the /api/v1/validate/code endpoint, enabling
Langflow versions up to and including 1.6.9 contain a chained vulnerability that enables account takeover and remote cod
Code injection in Langflow CSV Agent node before 1.8.0. The node hardcodes allow_dangerous_code=True, enabling arbitrary
Langflow has a third RCE vulnerability via exec_globals (EPSS 10.0%) allowing inclusion of untrusted code that executes
langflow <=1.0.18 is vulnerable to Remote Code Execution (RCE) as any component provided the code functionality and the
langflow v1.0.12 was discovered to contain a remote code execution (RCE) vulnerability via the PythonCodeTool component.
Langflow through 0.6.19 allows remote code execution if untrusted users are able to reach the "POST /api/v1/custom_compo
Langflow before 1.7.0.dev45 exposes multiple API endpoints without authentication, allowing unauthenticated access to us
Langflow versions prior to 1.0.13 suffer from a Privilege Escalation vulnerability, allowing a remote and low privileged
Langflow has a code injection vulnerability in the code component (EPSS 2.6%) enabling remote code execution through the
Langflow has an eval injection in eval_custom_component_code (EPSS 2.0%) enabling remote code execution through crafted
Remote code execution in IBM Langflow OSS 1.0.0 through 1.9.3 lets an unauthenticated attacker inject and run arbitrary
Same weakness CWE-918 – Server-Side Request Forgery (SSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-40405
GHSA-33xg-qw74-fhr3