Impact
IBM Langflow OSS versions 1.0.0 through 1.9.3 contain a flaw that lets an authenticated, low-privileged user bypass the server-side request forgery (SSRF) protections of the API Request component. The component validates only the URL the user supplies: when the follow_redirects option is enabled and that URL points at a publicly reachable server that answers with a redirect to an internal or localhost address, the redirect destination is never re-validated and the Langflow server sends the follow-up request to it. An attacker can use this to read internal HTTP endpoints, cloud instance metadata services, and other private network resources that should not be reachable from the application, disclosing credentials, tokens, and administrative data.
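To make the validation gap concrete, the following is an added example in Python (the language Langflow is written in); it is not code from Langflow or from the advisory. The HTTP client and DNS are replaced by constructed in-memory tables, the hostnames, addresses, payloads and function names are invented, and `is_private_target` is a simplified stand-in for whatever check the real component performs. The point it shows is that the hardened fetch runs the same check on every redirect hop, while the vulnerable fetch checks the user-supplied URL once and then follows the redirect blindly.

```python
import ipaddress
from urllib.parse import urljoin, urlparse

# Constructed stand-in for the network: URL -> (status, headers, body).
# Hostnames, addresses and payloads are invented for this example.
FAKE_NETWORK = {
    "https://attacker.example/redir": (302, {"Location": "http://169.254.169.254/latest/meta-data/"}, b""),
    "https://attacker.example/relative": (302, {"Location": "/page"}, b""),
    "https://attacker.example/page": (200, {}, b"public page"),
    "https://attacker.example/loop": (302, {"Location": "/loop"}, b""),
    "http://169.254.169.254/latest/meta-data/": (200, {}, b"ami-id\niam/\n"),
}

# Constructed stand-in for DNS; literal IP addresses pass straight through.
FAKE_DNS = {"attacker.example": "93.184.216.34", "localhost": "127.0.0.1"}

REDIRECT_CODES = {301, 302, 303, 307, 308}


def is_private_target(url: str) -> bool:
    """Simplified SSRF check (hypothetical, not Langflow's own): reject anything that
    resolves to a loopback, private, link-local, reserved, multicast or unspecified
    address, and fail closed when the host cannot be resolved."""
    host = urlparse(url).hostname or ""
    try:
        ip = ipaddress.ip_address(FAKE_DNS.get(host, host))
    except ValueError:
        return True
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_reserved or ip.is_multicast or ip.is_unspecified)


def raw_get(url: str):
    """One HTTP request with no redirect handling, served from FAKE_NETWORK."""
    return FAKE_NETWORK.get(url, (404, {}, b""))


def fetch_vulnerable(url: str, follow_redirects: bool = True, max_redirects: int = 5):
    """Pre-fix pattern: the SSRF check runs once, on the user-supplied URL;
    redirect targets are followed without being checked."""
    if is_private_target(url):
        raise ValueError(f"blocked: {url}")
    for _ in range(max_redirects + 1):
        status, headers, body = raw_get(url)
        if follow_redirects and status in REDIRECT_CODES and "Location" in headers:
            url = urljoin(url, headers["Location"])  # new target is never re-validated
            continue
        return status, url, body
    raise ValueError("too many redirects")


def fetch_hardened(url: str, follow_redirects: bool = True, max_redirects: int = 5):
    """Fixed pattern: redirects are driven by hand and every hop, including each
    redirect target, passes the same SSRF check before it is requested."""
    for _ in range(max_redirects + 1):
        if is_private_target(url):
            raise ValueError(f"blocked: {url}")
        status, headers, body = raw_get(url)
        if follow_redirects and status in REDIRECT_CODES and "Location" in headers:
            url = urljoin(url, headers["Location"])  # resolves relative Location values too
            continue
        return status, url, body
    raise ValueError("too many redirects")


def is_blocked(fetch, url: str, **kwargs) -> bool:
    """True if the given fetch function refuses the URL or any hop reached from it."""
    try:
        fetch(url, **kwargs)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Vulnerable: the public URL passes the check, and the metadata body comes back.
    print(fetch_vulnerable("https://attacker.example/redir"))
    # Hardened: the link-local redirect target is refused.
    print(is_blocked(fetch_hardened, "https://attacker.example/redir"))
```

With a real client the equivalent of `fetch_hardened` is to switch automatic redirect following off (httpx's `follow_redirects=False`, requests' `allow_redirects=False`) and run the loop yourself so that the check sees every `Location` value. A production check should also resolve the hostname once and connect to the address it validated, otherwise a DNS rebinding attacker can pass the check with a public address and be resolved to an internal one at connect time.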
Affected Systems
The vulnerability affects IBM Langflow OSS, all releases from 1.0.0 to 1.9.3 inclusive. Exploitation requires an authenticated account with at least flow-author privileges, since that is what is needed to configure the API Request component.
Risk and Exploitability
The CVSS score of 8.5 rates this issue as high severity. No EPSS score is provided, and the issue is not listed in the CISA KEV catalog, so there is no confirmed in-the-wild exploitation at the time of writing. That absence does not lower the risk: the attack needs only a low-privileged account and a public URL that answers with a redirect, with follow_redirects enabled on the component, so exploitation is straightforward for anyone who can author a flow. The attack is carried out over the network: the public URL is the entry point, and the request to the internal address is made by the Langflow server itself once the redirect is followed. Successful exploitation exposes sensitive information from the application or its hosting environment.
OpenCVE Enrichment