Description
IBM Langflow Desktop 1.0.0 through 1.8.4 Langflow could allow an unauthenticated user to view other users' images due to an indirect object reference through a user-controlled key.
Published: 2026-04-30
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

IBM Langflow Desktop versions 1.0.0 through 1.8.4 contain an IDOR vulnerability that enables an unauthenticated user to retrieve images belonging to other accounts. The flaw arises from a user-controlled key that bypasses access controls, resulting in a direct exposure of private image data. The CVSS score of 7.5 indicates a high severity, reflecting the significant confidentiality impact of this vulnerability.

Affected Systems

The affected products are IBM Langflow Desktop, specifically all releases ranging from 1.0.0 up to and including 1.8.4. The associated CPE data confirms that version 1.0.0 and 1.8.4 are impacted, but the same vulnerability exists in all intermediate releases. Users running any of these versions should assess their deployment to confirm exposure.

Risk and Exploitability

The vulnerability can be exploited by simply issuing a request to the image download endpoint with an appropriate key; authentication is not required. This makes it a readily exploitable risk, especially for publicly accessible instances or environments where endpoints are exposed to the internet. Although an EPSS score is not available, the high CVSS rating and the lack of a KEV listing suggest that the risk is non‑negligible and should be mitigated promptly.

Generated by OpenCVE AI on May 1, 2026 at 04:56 UTC.

Remediation

Vendor Solution

IBM recommends addressing the vulnerability now by upgrading to IBM Langflow Desktop 1.9.0 or newer https://www.langflow.org/blog/langflow-1-9-desktop If you are already using Langflow Desktop, upgrade in the application to version 1.9.0 To install Langflow Desktop for the first time, visit  Langflow Desktop https://langflow.org/desktop . Download https://langflow.org/desktop

OpenCVE Recommended Actions

  • Upgrade IBM Langflow Desktop to version 1.9.0 or newer as recommended by IBM.
  • Enable automatic updates within the Langflow Desktop application to receive future security patches as soon as they are released.
  • If an upgrade cannot be performed immediately, restrict network traffic to the image download endpoint or block external access to the Desktop to prevent unauthenticated users from exploiting the vulnerability.

Generated by OpenCVE AI on May 1, 2026 at 04:56 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 01 May 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 30 Apr 2026 21:15:00 +0000

Type Values Removed Values Added
Description IBM Langflow Desktop 1.0.0 through 1.8.4 Langflow could allow an unauthenticated user to view other users' images due to an indirect object reference through a user-controlled key.
Title Unauthenticated Insecure Direct Object Reference (IDOR) Vulnerability in Langflow Desktop Image Download Endpoint
First Time appeared Ibm
Ibm langflow Desktop
Weaknesses CWE-639
CPEs cpe:2.3:a:ibm:langflow_desktop:1.0.0:*:*:*:*:*:*:*
cpe:2.3:a:ibm:langflow_desktop:1.8.4:*:*:*:*:*:*:*
Vendors & Products Ibm
Ibm langflow Desktop
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

Subscriptions

Ibm Langflow Desktop
cve-icon MITRE

Status: PUBLISHED

Assigner: ibm

Published:

Updated: 2026-05-01T19:30:31.845Z

Reserved: 2026-03-20T14:01:11.389Z

Link: CVE-2026-4503

cve-icon Vulnrichment

Updated: 2026-05-01T14:01:03.813Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-04-30T21:16:33.667

Modified: 2026-05-01T15:27:15.287

Link: CVE-2026-4503

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-01T05:00:12Z

Weaknesses