Description
IBM Langflow OSS 1.0.0 through 1.8.4 could allow any user to supply a flow_id to read transaction logs and vertex build data belonging to other users, and to delete persisted vertex build data for another user's flow.
Published: 2026-04-30
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

IBM Langflow OSS versions 1.0.0 through 1.8.4 contain a flaw in the Monitor API that allows any user with API access to supply a flow_id and retrieve transaction logs and vertex build data belonging to another user. The same mechanism can also delete a victim’s persisted vertex build data. The weakness arises from insufficient authorization checks on the API endpoint (CWE‑639). The consequence is a breach of confidentiality and integrity for other users’ data, potentially leading to service disruption. Based on the description, it is inferred that an attacker must have API access to exploit this flaw.

Affected Systems

The vulnerability affects IBM Langflow OSS deployments running versions 1.0.0 to 1.8.4. IBM does not list additional affected sub‑versions, so older major releases that are not explicitly mentioned are presumed unaffected. The issue is present in the open‑source edition of Langflow and is illustrated by the listed CPE entries for 1.0.0 and 1.8.4.

Risk and Exploitability

The CVSS score of 6.5 indicates moderate severity, and the EPSS score of < 1% indicates a very low exploitation probability. The weakness is an authorization lapse (CWE‑639) that is easily exploitable by any user with API access; based on the description, it is inferred that the attacker must have API access to trigger the exploit. The vulnerability is not listed in the CISA KEV catalog, so it is presently not known to be widely exploited. The potential impact on the confidentiality and integrity of other users’ data is significant.

Generated by OpenCVE AI on May 2, 2026 at 08:04 UTC.

Remediation

Vendor Solution

IBM recommends addressing the vulnerability now by upgrading to Langflow OSS 1.9.0 or newer: https://github.com/langflow-ai/langflow

OpenCVE Recommended Actions

  • Upgrade to Langflow OSS 1.9.0 or newer as recommended by IBM
  • If an upgrade is not immediately possible, restrict or disable the Monitor API endpoint for users who do not require it
  • Audit existing build data and logs to ensure no sensitive information remains exposed, and delete any orphaned or unnecessary data
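The missing check behind CWE‑639 is an ownership comparison between the caller and the flow selected by flow_id. The following is an added illustrative example, not Langflow's own code: an in-memory store that exposes the unchecked lookup beside a hardened one in which every flow-scoped read or delete goes through a single ownership guard (the class, method and sample names are assumptions).

```python
from dataclasses import dataclass, field


@dataclass
class Flow:
    flow_id: str
    owner_id: str
    transactions: list = field(default_factory=list)   # transaction log lines
    vertex_builds: dict = field(default_factory=dict)  # persisted vertex build data


class FlowNotFound(Exception):
    """Raised for both 'no such flow' and 'not your flow' (see _owned_flow)."""


class MonitorStore:
    def __init__(self, flows):
        self._flows = {f.flow_id: f for f in flows}

    # CWE-639 pattern: flow_id alone selects the record; the caller is never checked.
    def transactions_unchecked(self, flow_id):
        return list(self._flows[flow_id].transactions)

    # Hardened lookup: every flow-scoped read or delete goes through this guard.
    def _owned_flow(self, user_id, flow_id):
        flow = self._flows.get(flow_id)
        if flow is None or flow.owner_id != user_id:
            # Same error for "absent" and "owned by someone else", so a caller
            # cannot use the response to tell which flow_ids exist.
            raise FlowNotFound(flow_id)
        return flow

    def transactions(self, user_id, flow_id):
        return list(self._owned_flow(user_id, flow_id).transactions)

    def vertex_builds(self, user_id, flow_id):
        return dict(self._owned_flow(user_id, flow_id).vertex_builds)

    def delete_vertex_builds(self, user_id, flow_id):
        flow = self._owned_flow(user_id, flow_id)
        removed = len(flow.vertex_builds)
        flow.vertex_builds.clear()
        return removed


def demo_store():
    # Constructed sample data: two users, one flow each.
    return MonitorStore([
        Flow("flow-alice", "alice", ["run 1: ok"], {"v1": "built"}),
        Flow("flow-bob", "bob", ["run 7: failed"], {"v1": "built", "v2": "built"}),
    ])
```

A unit test that asserts the guarded methods raise for a foreign flow_id is a cheap regression check for this class of bug.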

Generated by OpenCVE AI on May 2, 2026 at 08:04 UTC.

Advisories

No advisories yet.

History

Fri, 01 May 2026 15:15:00 +0000

Type: Metrics (ssvc)
Values removed: none
Values added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 30 Apr 2026 21:45:00 +0000

Type: Description
Values added: IBM Langflow OSS 1.0.0 through 1.8.4 could allow any user to supply a flow_id to read transaction logs and vertex build data belonging to other users, and to delete persisted vertex build data for another user's flow.

Type: Title
Values added: Monitor API allows cross-user read of transaction logs and deletion of build data via flow_id

Type: First time appeared
Values added: Ibm; Ibm langflow Oss

Type: Weaknesses
Values added: CWE-639

Type: CPEs
Values added: cpe:2.3:a:ibm:langflow_oss:1.0.0:*:*:*:*:*:*:*; cpe:2.3:a:ibm:langflow_oss:1.8.4:*:*:*:*:*:*:*

Type: Vendors & Products
Values added: Ibm; Ibm langflow Oss

Type: References
Values added: none

Type: Metrics (cvssV3_1)
Values added: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: ibm

Published:

Updated: 2026-05-01T15:00:43.375Z

Reserved: 2026-04-17T17:59:10.380Z

Link: CVE-2026-6542

Vulnrichment

Updated: 2026-05-01T15:00:25.233Z

NVD

Status : Awaiting Analysis

Published: 2026-04-30T22:16:26.340

Modified: 2026-05-01T15:27:15.287

Link: CVE-2026-6542

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-02T08:15:16Z

Weaknesses