Description
IBM Langflow OSS 1.0.0 through 1.8.4 could allow unauthenticated attackers to access protected MCP project resources and execute MCP operations due to improper authorization enforcement in the Streamable MCP transport endpoint.
Published: 2026-06-22
Score: 9.8 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

IBM Langflow OSS 1.0.0 through 1.8.4 contains a flaw in the Streamable MCP transport endpoint that fails to enforce proper authentication. An attacker can send requests to the webhook endpoint without valid credentials, resulting in unauthorized execution of MCP project flows and access to protected data. The vulnerability allows remote actors to perform privileged operations, potentially compromising the confidentiality, integrity, and availability of the affected models and data.

Affected Systems

All installations of IBM Langflow OSS from version 1.0.0 up to and including 1.8.4 are affected. These versions expose the Streamable MCP transport endpoint used to execute flows via a public webhook interface.

Risk and Exploitability

The vulnerability carries a CVSS score of 9.8, indicating critical severity. No EPSS score is publicly available, but because no authentication is required, exploitation is likely wherever the endpoint is reachable. The flaw is not listed in CISA's Known Exploited Vulnerabilities catalog, yet its potential impact warrants urgent attention. An attacker can exploit it simply by sending crafted requests to the exposed webhook endpoint from any network location, without prior compromise of the target system.

Generated by OpenCVE AI on June 22, 2026 at 16:30 UTC.

Remediation

Vendor Solution

IBM strongly recommends addressing the vulnerability now by upgrading Langflow OSS to version 1.9.1 (https://pypi.org/project/langflow/).


OpenCVE Recommended Actions

  • Upgrade IBM Langflow OSS to version 1.9.1 or later via the PyPI repository
  • If an upgrade cannot be performed immediately, block or restrict external traffic to the webhook endpoint, allowing only trusted IP ranges or authenticated sources to access it
  • Implement application-level flow execution monitoring or intrusion detection alerts for unexpected or unauthenticated calls to the webhook interface


Tracking


Advisories

No advisories yet.

History

Mon, 22 Jun 2026 15:45:00 +0000

Type | Values Removed | Values Added
Description | | IBM Langflow OSS 1.0.0 through 1.8.4 could allow unauthenticated attackers to access protected MCP project resources and execute MCP operations due to improper authorization enforcement in the Streamable MCP transport endpoint.
Title | | Unauthenticated Flow Execution via Webhook Endpoint in Langflow OSS
First Time appeared | | Ibm; Ibm langflow Oss
Weaknesses | | CWE-287
CPEs | | cpe:2.3:a:ibm:langflow_oss:1.0.0:*:*:*:*:*:*:*; cpe:2.3:a:ibm:langflow_oss:1.8.4:*:*:*:*:*:*:*
Vendors & Products | | Ibm; Ibm langflow Oss
References | |
Metrics | | cvssV3_1 {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

Ibm Langflow Oss
MITRE

Status: PUBLISHED

Assigner: ibm

Published:

Updated: 2026-06-23T03:55:58.300Z

Reserved: 2026-05-01T19:46:59.287Z

Link: CVE-2026-7664

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-22T19:45:16Z

Weaknesses