Description
IBM Langflow Desktop 1.0.0 through 1.8.4 IBM Langflow is vulnerable to server-side request forgery (SSRF). This may allow an authenticated attacker to send unauthorized requests from the system, potentially leading to network enumeration or facilitating other attacks.
Published: 2026-04-30
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

IBM Langflow Desktop versions 1.0.0 through 1.8.4 contain a server‑side request forgery flaw that allows an authenticated user to instruct the application to send arbitrary network requests on behalf of the system, potentially exposing internal resources or facilitating further attacks.

Affected Systems

IBM Langflow Desktop 1.0.0, 1.1.0, 1.2.0, 1.3.0, 1.4.0, 1.5.0, 1.6.0, 1.7.0, 1.8.0, 1.8.4 are affected; newer releases such as 1.9.0 and beyond are not vulnerable.

Risk and Exploitability

The CVSS score of 6.5 indicates medium severity. No EPSS score is available, so the current exploitation likelihood is unknown, and the vulnerability is not listed in the CISA KEV catalog. The attack vector is likely internal, requiring an authenticated session, as indicated by the description; this implies that safeguarding user credentials and limiting access are essential.

Generated by OpenCVE AI on May 1, 2026 at 04:55 UTC.

Remediation

Vendor Solution

IBM recommends addressing the vulnerability now by upgrading to IBM Langflow Desktop 1.9.0 or newer https://www.langflow.org/blog/langflow-1-8-desktop If you are already using Langflow Desktop, upgrade in the application to version 1.9.0 To install Langflow Desktop for the first time, visit Download Langflow Desktop https://langflow.org/desktop .

OpenCVE Recommended Actions

  • Upgrade IBM Langflow Desktop to version 1.9.0 or later via the built‑in update mechanism or by downloading the latest installer from the official website.
  • Restrict authenticated access by ensuring only trusted users can log into the application, thereby limiting the ability to execute SSRF payloads.
  • If an upgrade cannot be performed immediately, isolate the application’s outbound traffic with a firewall rule that blocks unintended destinations, or disable the URL component in the application’s configuration to prevent it from making external HTTP requests.

Generated by OpenCVE AI on May 1, 2026 at 04:55 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 01 May 2026 17:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 30 Apr 2026 21:15:00 +0000

Type Values Removed Values Added
Description IBM Langflow Desktop 1.0.0 through 1.8.4 IBM Langflow is vulnerable to server-side request forgery (SSRF). This may allow an authenticated attacker to send unauthorized requests from the system, potentially leading to network enumeration or facilitating other attacks.
Title Server-Side Request Forgery (SSRF) in Langflow URL Component
First Time appeared Ibm
Ibm langflow Desktop
Weaknesses CWE-918
CPEs cpe:2.3:a:ibm:langflow_desktop:1.0.0:*:*:*:*:*:*:*
cpe:2.3:a:ibm:langflow_desktop:1.8.4:*:*:*:*:*:*:*
Vendors & Products Ibm
Ibm langflow Desktop
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}

Subscriptions

Ibm Langflow Desktop
cve-icon MITRE

Status: PUBLISHED

Assigner: ibm

Published:

Updated: 2026-05-01T16:38:23.079Z

Reserved: 2026-02-27T15:22:38.668Z

Link: CVE-2026-3340

cve-icon Vulnrichment

Updated: 2026-05-01T16:38:18.332Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-04-30T21:16:32.463

Modified: 2026-05-01T15:27:15.287

Link: CVE-2026-3340

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-01T05:00:12Z

Weaknesses