CVE-2026-6599 - Vulnerability Details

- langflow-ai langflow Model Context Protocol Configuration API mcp_projects.py install_mcp_config injection

Description

A vulnerability was detected in langflow-ai langflow up to 1.8.3. The impacted element is the function get_client_ip/install_mcp_config of the file src/backend/base/langflow/api/v1/mcp_projects.py of the component Model Context Protocol Configuration API. Performing a manipulation of the argument X-Forwarded-For results in injection. The attack may be initiated remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Published: 2026-04-20

Score: 5.3 Medium

EPSS: n/a

KEV: No

Impact:

Action:

Analysis

Impact

A flaw in the Model Context Protocol Configuration API allows a remote attacker to inject malicious data by manipulating the X‑Forwarded‑For HTTP header. The injection originates in the get_client_ip/install_mcp_config function of the mcp_projects module, which does not properly sanitize user input. This weakness is identified as CWE‑707 (Improper Restriction of Values for Generated Code) and CWE‑74 (Improper Handling of User Controlled Input). The exploitation yields code execution or other injection outcomes, with the public exploit already available, making the vulnerability practical for attackers.

Affected Systems

The affected product is Langflow version 1.8.3 and earlier, released by langflow‑ai. The vulnerability resides in src/backend/base/langflow/api/v1/mcp_projects.py within the Model Context Protocol Configuration API component. No other vendors or products are listed as impacted.

Risk and Exploitability

The CVSS score of 5.3 classifies this as a medium‑severity vulnerability. EPSS information is not available, and the vulnerability is not listed in the CISA KEV catalog, indicating that the exploitation probability is currently uncertain. However, the attack vector is remote, based on crafted HTTP headers that can be sent from any internet‑connected client, and the exploit is publicly documented. The lack of a vendor response suggests that a patch may not yet be released, elevating the risk for exposed installations.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

langflow-ai

langflow

affected

Version	Status	Constraints
`1.8.0`	affected	—
`1.8.1`	affected	—
`1.8.2`	affected	—
`1.8.3`	affected	—

No data.

Vendor Product Confidence Versions

Langflow

95%

Version	Status	Scheme	Platform
`1.8.0`	affected	semver	—
`1.8.1`	affected	semver	—
`1.8.2`	affected	semver	—
`1.8.3`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade Langflow to a version newer than 1.8.3 once the vendor releases a patch.
Configure the application or reverse proxy to remove or strictly validate the X‑Forwarded‑For header before it reaches the API.
Deploy a web application firewall or equivalent rule set to block anomalous or non‑numeric values in the X‑Forwarded‑For header.
Monitor access logs for repeated attempts to exploit the header field.
Ensure that only trusted proxy servers are allowed to insert or modify the X‑Forwarded‑For header in production environments.

Generated by OpenCVE AI on April 20, 2026 at 05:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://gist.github.com/chenhouser2025/a909c47316b7a0948ee68c109ab747a3
https://vuldb.com/submit/791922
https://vuldb.com/vuln/358234
https://vuldb.com/vuln/358234/cti

History

Mon, 20 Apr 2026 04:00:00 +0000

Type	Values Removed	Values Added
Description		A vulnerability was detected in langflow-ai langflow up to 1.8.3. The impacted element is the function get_client_ip/install_mcp_config of the file src/backend/base/langflow/api/v1/mcp_projects.py of the component Model Context Protocol Configuration API. Performing a manipulation of the argument X-Forwarded-For results in injection. The attack may be initiated remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Title		langflow-ai langflow Model Context Protocol Configuration API mcp_projects.py install_mcp_config injection
First Time appeared		Langflow Langflow langflow
Weaknesses		CWE-707 CWE-74
CPEs		cpe:2.3:a:langflow:langflow::::::::
Vendors & Products		Langflow Langflow langflow
References		https://gist.github.com/chenhouser2025/a909c47316b7a0948ee68c109ab747a3 https://vuldb.com/submit/791922 https://vuldb.com/vuln/358234 https://vuldb.com/vuln/358234/cti
Metrics		cvssV2_0 `{'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:W/RC:UR'}` cvssV3_0 `{'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:W/RC:R'}` cvssV3_1 `{'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:W/RC:R'}` cvssV4_0 `{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}`

Subscriptions

Langflow Langflow

MITRE

Status: PUBLISHED

Assigner: VulDB

Published: 2026-04-20T03:00:15.645Z

Updated: 2026-04-20T03:00:15.645Z

Reserved: 2026-04-19T13:47:06.263Z

Link: CVE-2026-6599

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-04-20T04:16:53.060

Modified: 2026-04-20T04:16:53.060

Link: CVE-2026-6599

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-20T06:00:07Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object