Description
IBM Langflow OSS 1.0.0 through 1.9.6 contains a missing authentication vulnerability in /api/v1/build_public_tmp/ endpoints that allows an unauthenticated attacker to read build event data or cancel jobs using a valid job identifier, resulting in information disclosure and denial of service.
Published: 2026-06-30
Score: 8.2 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

IBM Langflow OSS versions 1.0.0 through 1.9.6 suffer from a missing authentication flaw in the /api/v1/build_public_tmp/ API endpoints. An unauthenticated attacker can either read build event data or issue a cancellation request for a job using a valid job identifier. This lack of access control allows the disclosure of potentially sensitive build information and the interruption of legitimate build processes. The weakness is classified as CWE-287, Authentication Bypass by Spoofing.

Affected Systems

The affected product is IBM Langflow OSS as deployed in user environments. The vulnerability spans all released versions from 1.0.0 up to and including 1.9.6, as recorded in the CNA product listings; the vendor explicitly identified these releases as vulnerable in the advisory.

Risk and Exploitability

The CVSS score of 8.2 places this issue in the High severity range, reflecting the impact on confidentiality and availability. EPSS information is currently unavailable, so the probability of exploitation remains undetermined but could be significant given the open nature of the endpoint. The vulnerability is not listed in the CISA KEV catalog, indicating no publicly known active exploitation at the time of writing. Attackers would require only the ability to send unauthenticated HTTP requests to the exposed API, making the attack vector likely to be the public network or a compromised internal workstation that can reach the service endpoint.

Generated by OpenCVE AI on June 30, 2026 at 21:22 UTC.

Remediation

Vendor Solution

IBM strongly recommends addressing the vulnerability now by upgrading Langflow OSS to version 1.10.0 (https://pypi.org/project/langflow/).


OpenCVE Recommended Actions

  • Upgrade IBM Langflow OSS to version 1.10.0 or later as recommended by IBM.
  • If an immediate upgrade is not feasible, block unauthenticated access to the /api/v1/build_public_tmp/ endpoint with firewall or reverse-proxy rules, restricting traffic to trusted IP ranges.
  • Monitor logs for unauthorized job cancellation attempts and conduct a review of current job identifiers to detect any signs of misuse.

Generated by OpenCVE AI on June 30, 2026 at 21:22 UTC.
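As an added illustration of the monitoring action above (not OpenCVE's or IBM's code), the script below scans combined-format web server access logs for requests to the /api/v1/build_public_tmp/ prefix from addresses outside a trusted allow-list. The trusted networks, the sample log lines, and the sub-paths after the prefix (the advisory names only the prefix) are constructed assumptions.

```python
import ipaddress
import re
from typing import Iterable

# Endpoint prefix named in the CVE-2026-10560 advisory.
VULN_PATH_PREFIX = "/api/v1/build_public_tmp/"

# Assumed trusted source ranges; replace with your own reverse-proxy/admin networks.
TRUSTED_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.1.0/24"),
]

# Combined log format as written by nginx/Apache by default.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

def is_trusted(ip: str) -> bool:
    """True if ip parses and falls inside one of the trusted networks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_NETWORKS)

def find_suspicious(lines: Iterable[str]) -> list[dict]:
    """Return one record per request to the vulnerable prefix from an untrusted source."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than crash the scan
        path = m["path"].split("?", 1)[0]
        if not path.startswith(VULN_PATH_PREFIX) or is_trusted(m["ip"]):
            continue
        # First path segment after the prefix is the job identifier the endpoint consumes.
        job_id = path[len(VULN_PATH_PREFIX):].split("/", 1)[0] or None
        hits.append({"ts": m["ts"], "ip": m["ip"], "method": m["method"],
                     "path": path, "status": int(m["status"]), "job_id": job_id})
    return hits

# Constructed sample log lines; the sub-paths /events and /cancel are assumptions.
SAMPLE_LOG = [
    '10.0.0.5 - - [30/Jun/2026:20:10:01 +0000] "GET /api/v1/build_public_tmp/job-abc123/events HTTP/1.1" 200 512',
    '203.0.113.7 - - [30/Jun/2026:20:10:05 +0000] "GET /api/v1/build_public_tmp/job-abc123/events HTTP/1.1" 200 512',
    '203.0.113.7 - - [30/Jun/2026:20:10:09 +0000] "POST /api/v1/build_public_tmp/job-abc123/cancel HTTP/1.1" 200 17',
    '198.51.100.9 - - [30/Jun/2026:20:10:12 +0000] "GET /api/v1/flows HTTP/1.1" 401 0',
]

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} {hit['method']} {hit['path']} -> {hit['status']} (job {hit['job_id']})")
```

A 200 status on an untrusted hit indicates the request was served, which on an unpatched version is the disclosure or cancellation the advisory describes; feed the job identifiers into a review of current jobs as the third action suggests.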


Advisories

No advisories yet.

History

Tue, 30 Jun 2026 20:15:00 +0000

Values Removed: none

Values Added:
  Description: IBM Langflow OSS 1.0.0 through 1.9.6 contains a missing authentication vulnerability in /api/v1/build_public_tmp/ endpoints that allows an unauthenticated attacker to read build event data or cancel jobs using a valid job identifier, resulting in information disclosure and denial of service.
  Title: Unauthenticated Access to Private Flow Build Events and Cancellation in Langflow OSS
  First Time appeared: Ibm; Ibm langflow Oss
  Weaknesses: CWE-287
  CPEs: cpe:2.3:a:ibm:langflow_oss:1.0.0:*:*:*:*:*:*:*; cpe:2.3:a:ibm:langflow_oss:1.9.6:*:*:*:*:*:*:*
  Vendors & Products: Ibm; Ibm langflow Oss
  References: none listed
  Metrics: cvssV3_1 {'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: ibm

Published:

Updated: 2026-06-30T19:53:20.632Z

Reserved: 2026-06-01T15:10:29.825Z

Link: CVE-2026-10560

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-30T21:30:17Z

Weaknesses