Description
IBM Langflow OSS 1.0.0 through 1.9.6 could allow unauthenticated attackers to access protected MCP project resources and execute MCP operations due to improper authorization enforcement in the Streamable MCP transport endpoint.
Published: 2026-06-30
Score: 9.1 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

IBM Langflow OSS versions 1.0.0 through 1.9.6 contain a flaw that lets an unauthenticated attacker read other users' MCP project resources and execute MCP operations (the tools a project exposes) through the Streamable MCP transport endpoint. The root cause is improper authorization enforcement on that endpoint (CWE-285): the transport serves project resources without checking that the caller is authenticated and entitled to the project being addressed. Successful exploitation compromises the confidentiality and integrity of protected project resources and allows tool execution in the context of those projects; the CVSS vector records no availability impact.

Affected Systems

The affected software is IBM Langflow OSS, every release from 1.0.0 up to and including 1.9.6. The CPE entries on this page list only the two endpoints of that range (1.0.0 and 1.9.6), so do not treat a version that is absent from the CPE list as unaffected: check the installed package version (for example with `pip show langflow`, the package name given by the PyPI link in the vendor solution) and compare it numerically against the range, remembering that 1.10.0 sorts after 1.9.6 even though a plain string comparison would put it first.

Risk and Exploitability

The vulnerability carries a CVSS 3.1 base score of 9.1 (Critical), vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N: it is reachable over the network, needs no privileges or user interaction, and fully compromises confidentiality and integrity. No EPSS score is available yet and the CVE is not in CISA's KEV catalog; the SSVC data on this page records Exploitation: none but Automatable: yes and Technical Impact: total. Absence from KEV means no exploitation has been recorded, not that the bug is hard to exploit: any client that can reach the Streamable MCP transport endpoint can use it. The combination of critical severity and external reachability calls for immediate remediation, and any Langflow instance whose MCP endpoint is reachable from untrusted networks should be treated as exposed.

Generated by OpenCVE AI on June 30, 2026 at 20:21 UTC.
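The version comparison suggested in the Affected Systems paragraph, as an added example that is not code from the OpenCVE page or from the Langflow project. It reads the installed version through importlib.metadata and compares it numerically against the range the advisory names (1.0.0 through 1.9.6, fixed in 1.10.0). Pre-release builds such as 1.10.0rc1 are treated as older than 1.10.0 and therefore still in range; the advisory says nothing about pre-releases, so that conservative choice is an assumption made here.

```python
"""Check whether an installed Langflow OSS version is in the affected range.

Added example, not part of the OpenCVE page or the Langflow project.
Assumptions: the package is distributed as "langflow" (the PyPI name in the
vendor solution), version strings follow PEP 440, and pre-releases of the
fixed version are still treated as vulnerable.
"""
import re
from importlib.metadata import PackageNotFoundError, version as installed_version

FIRST_AFFECTED = "1.0.0"   # from the advisory
FIXED_IN = "1.10.0"        # from the vendor solution

_VERSION_RE = re.compile(
    r"^(?P<release>\d+(?:\.\d+)*)"       # 1.9.6
    r"(?P<pre>(?:a|b|rc)\d+)?"          # optional pre-release tag (PEP 440 style)
    r"(?:\.post\d+)?(?:\.dev\d+)?$"     # post/dev suffixes are accepted and ignored
)


def parse_version(text: str) -> tuple:
    """Turn '1.9.6' into a tuple that sorts numerically.

    Returns (release_numbers, is_final); is_final is 1 for a final release and
    0 for a pre-release, so '1.10.0rc1' sorts before '1.10.0'.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    release = tuple(int(p) for p in m.group("release").split("."))
    if len(release) < 3:                 # pad so that 1.10 == 1.10.0
        release = release + (0,) * (3 - len(release))
    is_final = 0 if m.group("pre") else 1
    return (release, is_final)


def is_vulnerable(text: str) -> bool:
    """True when the version lies in [1.0.0, 1.10.0), the range the advisory covers."""
    v = parse_version(text)
    return parse_version(FIRST_AFFECTED) <= v < parse_version(FIXED_IN)


def check_installed(dist_name: str = "langflow") -> dict:
    """Report on the locally installed distribution (None fields if not installed)."""
    try:
        v = installed_version(dist_name)
    except PackageNotFoundError:
        return {"installed": None, "vulnerable": None}
    return {"installed": v, "vulnerable": is_vulnerable(v)}


if __name__ == "__main__":
    report = check_installed()
    if report["installed"] is None:
        print("langflow is not installed in this environment")
    elif report["vulnerable"]:
        print(f"langflow {report['installed']}: in the affected range, upgrade to {FIXED_IN} or later")
    else:
        print(f"langflow {report['installed']}: not in the affected range")
```

Run it inside the virtual environment that serves Langflow; a container image or a second environment can carry a different version than the one the operator checks by hand.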

Remediation

Vendor Solution

IBM strongly recommends addressing the vulnerability now by upgrading Langflow OSS to version 1.10.0 (https://pypi.org/project/langflow/).


OpenCVE Recommended Actions

  • Upgrade IBM Langflow OSS to version 1.10.0 or later.
  • If an upgrade is not possible immediately, restrict access to the Streamable MCP transport endpoint at the network edge with firewall rules or reverse-proxy controls. Because the application is not enforcing authorization on this endpoint, the proxy has to do that work itself, for example by admitting only known MCP client addresses or by requiring a credential it validates before forwarding; a rule that simply proxies the endpoint through changes nothing.
  • Monitor service logs for requests to the MCP endpoint, and review logs from before the upgrade for MCP requests from unexpected sources, or for one source reaching several projects, which is the cross-user pattern the advisory describes.

Generated by OpenCVE AI on June 30, 2026 at 20:21 UTC.
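The log review in the recommended actions, as an added example that is not code from the OpenCVE page or from Langflow. It assumes uvicorn's default access-log line format (Langflow serves over uvicorn), assumes the MCP routes live under /api/v1/mcp/ with the project id in the path (the page names only "the Streamable MCP transport endpoint", not a path), and assumes the operator can list the client addresses that are supposed to use MCP. The log lines in the block are constructed for the example.

```python
"""Scan Langflow access logs for MCP transport requests from unexpected sources.

Added example, not code from the OpenCVE page or from Langflow.
Assumptions: uvicorn-style access-log lines
('<ip>:<port> - "<METHOD> <path> HTTP/1.1" <status> ...'), MCP routes under
/api/v1/mcp/project/<project>/..., and a known allowlist of MCP client IPs.
"""
import re
from collections import Counter, defaultdict

# Constructed sample log for this example, not real traffic.
SAMPLE_LOG = """\
INFO:     10.0.0.5:50122 - "GET /api/v1/flows HTTP/1.1" 200 OK
INFO:     10.0.0.5:50123 - "POST /api/v1/mcp/project/3f2a/streamable HTTP/1.1" 200 OK
INFO:     203.0.113.7:41000 - "POST /api/v1/mcp/project/3f2a/streamable HTTP/1.1" 200 OK
INFO:     203.0.113.7:41001 - "POST /api/v1/mcp/project/9c1d/streamable HTTP/1.1" 200 OK
INFO:     203.0.113.7:41002 - "GET /api/v1/mcp/project/9c1d/sse HTTP/1.1" 401 Unauthorized
INFO:     198.51.100.9:36000 - "POST /api/v1/mcp/project/3f2a/streamable HTTP/1.1" 403 Forbidden
INFO:     10.0.0.5:50124 - "GET /health HTTP/1.1" 200 OK
"""

ACCESS_RE = re.compile(
    r'(?P<ip>[\d.]+):\d+ - "(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)
# Assumed route prefix; adjust to the deployment's real MCP path.
MCP_PATH_RE = re.compile(r"^/api/v1/mcp/(?:project/(?P<project>[^/]+)/)?")


def parse_line(line: str):
    """Parse one access-log line; returns None for lines that are not requests."""
    m = ACCESS_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    pm = MCP_PATH_RE.match(rec["path"])
    rec["mcp"] = pm is not None
    rec["project"] = pm.group("project") if pm else None
    return rec


def scan(log_text: str, allowed_clients: set):
    """Return (findings, per_source) for MCP requests.

    A finding is an MCP request from an address outside allowed_clients.
    Successful (2xx) ones are rated high: on a vulnerable build they may be
    cross-user access that the application failed to reject. per_source counts
    every MCP request by source and status class, allowed clients included.
    """
    findings = []
    per_source = defaultdict(Counter)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or not rec["mcp"]:
            continue
        per_source[rec["ip"]][rec["status"] // 100] += 1
        if rec["ip"] in allowed_clients:
            continue
        severity = "high" if 200 <= rec["status"] < 300 else "low"
        findings.append({"ip": rec["ip"], "method": rec["method"], "path": rec["path"],
                         "project": rec["project"], "status": rec["status"],
                         "severity": severity})
    return findings, dict(per_source)


def summarize(findings):
    """Group findings by source: distinct projects reached and successful calls.

    One unexpected source touching several projects is the pattern to chase first.
    """
    out = {}
    for f in findings:
        s = out.setdefault(f["ip"], {"projects": set(), "successes": 0})
        if f["project"]:
            s["projects"].add(f["project"])
        if f["severity"] == "high":
            s["successes"] += 1
    return out


if __name__ == "__main__":
    found, sources = scan(SAMPLE_LOG, allowed_clients={"10.0.0.5"})
    for ip, info in summarize(found).items():
        print(f"{ip}: {info['successes']} successful MCP calls, projects {sorted(info['projects'])}")
```

Feed it the real access log (`scan(open(path).read(), allowed)`), and treat every 2xx to the MCP endpoint from an address that is not an expected client as an incident lead for the period before the upgrade; a 401 or 403 from the same address shows the client probing, which is worth keeping in the timeline even though the request was rejected.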


Advisories

No advisories yet.

History

Tue, 30 Jun 2026 20:30:00 +0000

Type      Values Removed   Values Added
Metrics   (none)           ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 30 Jun 2026 19:30:00 +0000

Type                 Values Removed   Values Added
Description          (none)           IBM Langflow OSS 1.0.0 through 1.9.6 could allow unauthenticated attackers to access protected MCP project resources and execute MCP operations due to improper authorization enforcement in the Streamable MCP transport endpoint.
Title                (none)           Unauthenticated Cross-User MCP Resource Access and Tool Execution via Streamable Transport Authorization Bypass
First Time appeared  (none)           Ibm; Ibm langflow Oss
Weaknesses           (none)           CWE-285
CPEs                 (none)           cpe:2.3:a:ibm:langflow_oss:1.0.0:*:*:*:*:*:*:*; cpe:2.3:a:ibm:langflow_oss:1.9.6:*:*:*:*:*:*:*
Vendors & Products   (none)           Ibm; Ibm langflow Oss
References           (none)           (none)
Metrics              (none)           cvssV3_1: {'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: ibm

Published:

Updated: 2026-06-30T20:09:14.799Z

Reserved: 2026-05-01T19:43:15.220Z

Link: CVE-2026-7663

Vulnrichment

Updated: 2026-06-30T20:09:10.763Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-30T20:30:04Z

Weaknesses