Impact
The vulnerability is an insecure direct object reference that allows an authenticated user to bypass authentication controls and read or modify sensitive information. This flaw exposes both the confidentiality and integrity of data stored in the application. The attack requires the attacker to be authenticated, but the IDOR permits escalated access to data normally protected by object-level permissions.
Affected Systems
IBM Langflow OSS is affected in versions 1.0.0 and 1.9.1. These vulnerable releases are listed in the CPE data. Version 1.9.2 or later incorporates the vendor’s fix.
Risk and Exploitability
The CVSS score of 7.5 denotes a high severity. No EPSS score is provided, and the vulnerability is not listed in the CISA KEV catalog, indicating no known widespread exploitation. Exploitation would require an authenticated user to manipulate object identifiers to access sensitive information beyond their authorized scope. Given the severity and lack of widespread exploitation evidence, organizations should treat this as a significant risk pending mitigation.
OpenCVE Enrichment