Description
IBM Langflow Desktop 1.0.0 through 1.9.2 is vulnerable to server-side request forgery (SSRF). This may allow an authenticated attacker to send unauthorized requests from the system, potentially leading to network enumeration or facilitating other attacks.
Published: 2026-06-11
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

IBM Langflow Desktop versions 1.0.0 through 1.9.2 are vulnerable to server‑side request forgery (SSRF): the application's SSRF protection can be bypassed through DNS rebinding. The flaw allows an authenticated attacker to send unauthorized requests from the application, potentially enabling network enumeration or other attacks against internal services. The weakness is classified as CWE‑918 (Server-Side Request Forgery), in which the server does not sufficiently ensure that a request it issues is sent to the expected destination.

Affected Systems

The affected product is IBM Langflow Desktop; releases from version 1.0.0 up to and including 1.9.2 are affected.

Risk and Exploitability

The CVSS score of 5.4 classifies the vulnerability as medium severity; no EPSS score is available and the vulnerability is not listed in CISA’s KEV catalog. Based on the description, it is inferred that the attacker must be authenticated to the application and that the likely attack vector is DNS rebinding, which subverts the built‑in SSRF guard.

Generated by OpenCVE AI on June 11, 2026 at 20:37 UTC.

Remediation

Vendor Solution

IBM strongly recommends addressing the vulnerability now by upgrading Langflow Desktop to version 1.9.3: https://www.langflow.org/desktop


OpenCVE Recommended Actions

  • Upgrade Langflow Desktop to version 1.9.3 to remove the SSRF flaw.
  • If upgrade cannot be performed immediately, restrict Langflow’s outbound network traffic to trusted internal addresses using firewall or proxy rules.
  • Ensure that DNS rebinding protection settings are active and that request origins are strictly validated to block untrusted domains.

Advisories

No advisories yet.

History

Tue, 16 Jun 2026 16:30:00 +0000

Type Values Removed Values Added
First Time appeared Langflow
Langflow langflow Desktop
CPEs cpe:2.3:a:langflow:langflow_desktop:*:*:*:*:*:*:*:*
Vendors & Products Langflow
Langflow langflow Desktop

Thu, 11 Jun 2026 16:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 11 Jun 2026 15:30:00 +0000

Type Values Removed Values Added
Description IBM Langflow Desktop 1.0.0 through 1.9.2 is vulnerable to server-side request forgery (SSRF). This may allow an authenticated attacker to send unauthorized requests from the system, potentially leading to network enumeration or facilitating other attacks.
Title IBM Langflow Desktop 1.0.0 - 1.9.2 DNS Rebinding Bypasses SSRF Protection Allowing Access to Internal Services
First Time appeared Ibm
Ibm langflow Desktop
Weaknesses CWE-918
CPEs cpe:2.3:a:ibm:langflow_desktop:1.0.0:*:*:*:*:*:*:*
cpe:2.3:a:ibm:langflow_desktop:1.9.2:*:*:*:*:*:*:*
Vendors & Products Ibm
Ibm langflow Desktop
References
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: ibm

Published:

Updated: 2026-06-11T15:46:25.100Z

Reserved: 2026-02-27T15:22:49.835Z

Link: CVE-2026-3341

Vulnrichment

Updated: 2026-06-11T15:46:21.190Z

NVD

Status: Analyzed

Published: 2026-06-11T16:16:22.770

Modified: 2026-06-16T16:25:08.283

Link: CVE-2026-3341

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-11T20:45:10Z

Weaknesses
  • CWE-918

    Server-Side Request Forgery (SSRF)