
7 matches found

CVE · added 2026/06/11 2:47 p.m. · 28 views

CVE-2026-3341

CVE-2026-3341 affects IBM Langflow Desktop 1.0.0–1.9.2. The root cause is a time-of-check/time-of-use (TOCTOU) DNS rebinding flaw in the SSRF protection: validate_url_for_ssrf() resolves the hostname with socket.getaddrinfo(), while httpx.AsyncClient() performs a separate DNS lookup when it connects, so an attacker-controlled DNS domain with ...

CVSS 5.4 · AI score 5.5 · EPSS 0.00138
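The two-lookup pattern behind CVE-2026-3341, shown as an added example that is not Langflow's code: a constructed resolver stands in for an attacker-controlled zone that answers with a public address on the first query and a loopback address on the second. naive_fetch() validates the first answer and then "connects" using a fresh lookup, the way a client library that resolves on its own would; pinned_fetch() resolves once and connects to the address it validated. The resolver, the IP addresses and the function names are all assumptions for the demonstration.

```python
import ipaddress
from urllib.parse import urlsplit


class RebindingResolver:
    """Constructed stand-in for DNS: an attacker-controlled zone with a short TTL
    that returns a public address first and a loopback address on the next query.
    In the real flaw the two lookups are socket.getaddrinfo() and the HTTP
    client's own resolution at connect time."""

    def __init__(self, answers):
        self._answers = list(answers)
        self.queries = 0

    def resolve(self, hostname: str) -> str:
        answer = self._answers[min(self.queries, len(self._answers) - 1)]
        self.queries += 1
        return answer


def is_public(ip: str) -> bool:
    """True only for globally routable addresses. IPv4-mapped IPv6 such as
    ::ffff:127.0.0.1 is unwrapped first so it cannot smuggle loopback or
    link-local (169.254.169.254, the cloud metadata address) past the check."""
    addr = ipaddress.ip_address(ip)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return addr.is_global


def naive_fetch(url: str, resolver: RebindingResolver) -> str:
    """Vulnerable pattern (hypothetical): one lookup for the check, a second,
    independent lookup when the client connects. Returns the address that would
    actually be connected to."""
    hostname = urlsplit(url).hostname
    checked = resolver.resolve(hostname)  # time of check
    if not is_public(checked):
        raise ValueError(f"blocked: {hostname} -> {checked}")
    connected = resolver.resolve(hostname)  # time of use: the client resolves again
    return connected


def pinned_fetch(url: str, resolver: RebindingResolver) -> tuple[str, dict]:
    """Hardened pattern (hypothetical): resolve once, validate that answer, and
    connect to exactly that address. Returns (address connected to, headers to
    send). The original name stays in the Host header; for HTTPS it must also be
    used for SNI and certificate verification, and every redirect target needs
    the same treatment."""
    parts = urlsplit(url)
    hostname = parts.hostname
    checked = resolver.resolve(hostname)
    if not is_public(checked):
        raise ValueError(f"blocked: {hostname} -> {checked}")
    host_header = hostname if parts.port is None else f"{hostname}:{parts.port}"
    return checked, {"Host": host_header}


if __name__ == "__main__":
    # Constructed answers: a public address, then loopback on the second query.
    rebinding = RebindingResolver(["93.184.216.34", "127.0.0.1"])
    print("naive connects to", naive_fetch("http://attacker.example/", rebinding))
    rebinding = RebindingResolver(["93.184.216.34", "127.0.0.1"])
    print("pinned connects to", pinned_fetch("http://attacker.example/", rebinding)[0])
```

With real clients the pinning step means putting the validated IP into the URL (or a custom transport) rather than the hostname; the check also has to be repeated for each hop of a redirect chain, since a 302 to an internal address is the other common way around a single up-front validation.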
CVE · added 2026/04/30 9:04 p.m. · 15 views

CVE-2026-3340

CVE-2026-3340 is a Server-Side Request Forgery (SSRF) in the IBM Langflow Desktop URL data source component affecting versions 1.0.0–1.8.4. An authenticated attacker can cause the Langflow server to make arbitrary requests to internal or restricted network resources, potentially enabling network...

CVSS 6.5 · AI score 5.2 · EPSS 0.00167
CVE · added 2026/04/30 9:11 p.m. · 15 views

CVE-2026-6543

CVE-2026-6543 affects IBM Langflow (OSS 1.0.0–1.8.4 and Desktop 1.0.0–1.8.4). The root cause is unsafe use of Python’s exec() in the code validation endpoint (validate_code) which fails to account for decorators, enabling an authenticated attacker to trigger arbitrary code execution with the Lang...

CVSS 8.8 · AI score 5.7 · EPSS 0.0047
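Why exec() is the wrong tool for validating submitted code, as an added example that is not Langflow's validate_code implementation: naive_validate() is a hypothetical validator that checks the module consists only of definitions and imports and then exec()s it, on the assumption that defining a function runs nothing. Decorator expressions, default argument values, annotations and class bases are all evaluated at definition time, so the submission runs attacker code during "validation". hardened_validate() never executes anything; it checks syntax with compile() and statically rejects the definition-time constructs. The payloads, the sink list and both function names are constructed for the demonstration.

```python
import ast

DEFINITION_NODES = (ast.FunctionDef, ast.AsyncFunctionDef, ast.ClassDef,
                    ast.Import, ast.ImportFrom)


def naive_validate(code: str, namespace: dict) -> bool:
    """Hypothetical vulnerable validator: accepts modules made only of
    definitions and imports, then exec()s them. exec() evaluates decorators,
    default values, annotations and class bases, so this runs attacker code."""
    try:
        tree = ast.parse(code)
    except SyntaxError:
        return False
    if not all(isinstance(node, DEFINITION_NODES) for node in tree.body):
        return False
    exec(compile(tree, "<submitted>", "exec"), namespace)  # the flaw
    return True


def _has_call(node: ast.AST) -> bool:
    return any(isinstance(n, ast.Call) for n in ast.walk(node))


def hardened_validate(code: str) -> tuple[bool, list[str]]:
    """Hypothetical hardened validator: compile() checks syntax without
    evaluating anything, and a static walk rejects constructs that would run
    code at definition time. Returns (accepted, reasons)."""
    reasons: list[str] = []
    try:
        tree = ast.parse(code)
        compile(tree, "<submitted>", "exec")
    except SyntaxError as exc:
        return False, [f"syntax error: {exc.msg}"]
    for node in ast.walk(tree):
        if isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef, ast.ClassDef)):
            if node.decorator_list:
                reasons.append(f"decorator on {node.name} (line {node.lineno})")
        if isinstance(node, ast.ClassDef) and any(_has_call(b) for b in node.bases):
            reasons.append(f"call in class bases of {node.name}")
        if isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef)):
            args = node.args
            defaults = list(args.defaults) + [d for d in args.kw_defaults if d is not None]
            if any(_has_call(d) for d in defaults):
                reasons.append(f"call in default argument of {node.name}")
            annotations = [a.annotation for a in args.posonlyargs + args.args + args.kwonlyargs
                           if a.annotation is not None]
            if node.returns is not None:
                annotations.append(node.returns)
            if any(_has_call(a) for a in annotations):
                reasons.append(f"call in annotation of {node.name}")
    return not reasons, reasons


# Constructed payloads: a module that is "only a function definition" but runs
# code the moment it is exec()'d. A real attacker would call os.system instead.
DECORATOR_PAYLOAD = '''
@(lambda f: sink.append("decorator ran during validation") or f)
def harmless():
    return 1
'''

DEFAULT_PAYLOAD = '''
def also_harmless(x=sink.append("default value evaluated during validation")):
    return x
'''

if __name__ == "__main__":
    sink: list[str] = []
    print("naive accepted:", naive_validate(DECORATOR_PAYLOAD, {"sink": sink}), "side effects:", sink)
    print("hardened:", hardened_validate(DECORATOR_PAYLOAD))
```

Rejecting decorators is the minimum; the walk above also covers the other definition-time evaluation points. If a validator genuinely has to execute submissions, that belongs in a separate sandboxed process with no access to the Langflow service's credentials, not in the API worker.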
CVE · added 2026/04/30 9:06 p.m. · 13 views

CVE-2026-3346

CVE-2026-3346 affects IBM Langflow Desktop 1.6.0–1.8.4. The affected component is the Markdown rendering pipeline via rehypeRaw, where unsafe handling of raw HTML allows an authenticated user to inject arbitrary JavaScript through a stored XSS vector, potentially leading to credential disclosure within...

CVSS 6.4 · AI score 4.9 · EPSS 0.00157
CVE · added 2026/04/30 8:57 p.m. · 12 views

CVE-2026-4502

CVE-2026-4502 affects Langflow OSS Desktop and Langflow v2 API: authenticated attackers can exploit path traversal via /../ in multipart uploads to write arbitrary files and potentially achieve remote code execution. In IBM bulletins, Langflow OSS versions 1.2.0–1.8.4 are vulnerable through the f...

CVSS 6.5 · AI score 5.5 · EPSS 0.00275
CVE · added 2026/04/30 8:48 p.m. · 11 views

CVE-2026-4503

The IBM advisories for CVE-2026-4503 describe an unauthenticated IDOR in Langflow’s image download endpoint. Affected: Langflow OSS/Desktop 1.0.0–1.8.4. Vulnerable component: image retrieval endpoint (GET /api/v1/files/images/{flow_id}/{file_name}) that fails to enforce authentication/ownership, ...

CVSS 7.5 · AI score 5.2 · EPSS 0.0034
CVE · added 2026/04/30 9:11 p.m. · 8 views

CVE-2026-3345

The IBM Langflow Desktop API v2 file upload endpoint (POST /api/v2/files) is vulnerable to path traversal due to improper validation/sanitization of user-supplied filenames passed to LocalStorageService, allowing authenticated attackers to write files outside the intended upload directory and potenti...

CVSS 6.5 · AI score 5.6 · EPSS 0.00374
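The filename handling at the heart of both CVE-2026-4502 and CVE-2026-3345, as an added example that is not Langflow's LocalStorageService: naive_target() joins the multipart filename to the storage directory as-is, so `../` components climb out of it and an absolute filename discards the root outright. safe_target() validates each user-controlled component before the join and re-checks containment afterwards. The upload root, the UUID form of flow_id, the filename character set and all function names are assumptions for the demonstration.

```python
import posixpath
import re
import uuid

# Hypothetical storage root; Langflow's real layout is not assumed here.
UPLOAD_ROOT = "/srv/uploads"

# Conservative filename policy: alphanumeric start, then a small safe set.
# Excludes "", ".", "..", separators, NUL and control characters by construction.
_SAFE_FILENAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._ -]{0,254}")


def naive_target(upload_root: str, flow_id: str, filename: str) -> str:
    """Vulnerable pattern (hypothetical): the multipart filename is joined to the
    storage path unchecked. posixpath.join discards everything before an absolute
    component, and normpath happily resolves '..' past the root."""
    return posixpath.normpath(posixpath.join(upload_root, flow_id, filename))


def safe_target(upload_root: str, flow_id: str, filename: str) -> str:
    """Hardened pattern (hypothetical): reject rather than strip, validate every
    user-controlled component, then confirm the normalised result is under root."""
    # flow_id is assumed to be a UUID; str(uuid.UUID(...)) canonicalises it.
    try:
        flow_id = str(uuid.UUID(flow_id))
    except ValueError:
        raise ValueError("flow_id is not a UUID") from None
    # Browsers and API clients send a bare name; separators, NUL or backslashes
    # (a separator on Windows) are never legitimate, and silently trimming them
    # hides an attack instead of surfacing it.
    if "\x00" in filename or "/" in filename or "\\" in filename:
        raise ValueError("filename contains a path separator or NUL")
    if not _SAFE_FILENAME.fullmatch(filename):
        raise ValueError("filename contains disallowed characters")
    root = posixpath.normpath(upload_root)
    target = posixpath.normpath(posixpath.join(root, flow_id, filename))
    # Containment check after normalisation: defence in depth if the policy
    # above is ever loosened.
    if posixpath.commonpath([root, target]) != root:
        raise ValueError("resolved path escapes the upload root")
    return target


def is_accepted(upload_root: str, flow_id: str, filename: str) -> bool:
    """Convenience wrapper: True if safe_target() would store the file."""
    try:
        safe_target(upload_root, flow_id, filename)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    flow = "0f0f1e2d-3c4b-4a59-8c7d-6e5f4a3b2c1d"  # constructed flow id
    for name in ("report.pdf", "../../etc/cron.d/evil", "/etc/passwd"):
        print(f"{name!r}: naive -> {naive_target(UPLOAD_ROOT, flow, name)}, "
              f"safe accepts -> {is_accepted(UPLOAD_ROOT, flow, name)}")
```

Two details matter beyond the filename: flow_id is user input too and must be validated with the same rigour (a traversal in the first component escapes just as well), and the containment check has to run on the normalised path, since a check on the raw string is what `..` sequences are designed to slip past.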