368638 matches found
CVE-2026-7667
The CVE-2026-7667 entry is supported by IBM's security bulletin for Langflow OSS, which describes a path traversal vulnerability in the API Request component’s response handling. An authenticated attacker can induce a victim using save_to_file=True to fetch a crafted Content-Disposition header fr...
CVE-2026-7754
CVE-2026-7754 affects Langflow OSS 1.0.0–1.10.0. SSRF protection could be disabled via default settings (ssrf_protection_enabled) allowing server-side requests to arbitrary URLs, including cloud metadata endpoints. The issue is fixed in Langflow OSS by upgrading to version 1.10.1; current default...
CVE-2026-9202
Langflow OSS is affected: unauthenticated attackers can create unlimited user accounts on vulnerable instances. If NEW_USER_IS_ACTIVE is enabled, new accounts become active immediately and can access RCE endpoints, potentially achieving remote code execution with server privileges. Affected versi...
CVE-2026-12946
CVE-2026-12946 is associated with IBM’s security bulletin describing a remote code execution vulnerability in the CUGA component CodeAgent used by Langflow OSS. An authenticated user could run arbitrary commands on the server when a flow using CodeAgent is created and executed, via the Python cod...
CVE-2026-9198
CVE-2026-9198: IBM security bulletin describes Langflow OSS 1.0.0–1.10.0 as vulnerable to unauthenticated remote code execution by chaining /api/v1/auto_login (mints superuser tokens) with /api/v1/validate/code (executes code). Root cause CWE-94: improper code generation/validation. Impact: full ...
CVE-2026-9103
Langflow OSS versions 1.0.0–1.10.0 are affected by CVE-2026-9103 due to an unauthenticated /api/v1/login/auto_login endpoint that issues long‑lived 365‑day superuser tokens when AUTO_LOGIN is enabled (default). This also combines with permissive CORS, risking token exposure. Upgrading to Langflow...
CVE-2026-52731
Technical details for CVE-2026-52731 are not publicly available in the provided documents. Monitor for updates.
CVE-2026-8635
CVE-2026-8635 is linked to IBM’s Security Bulletin about a vulnerability in the Python Interpreter component of Langflow OSS. The issue allows authenticated users to execute arbitrary code and escalate to superuser level by manipulating the database and bypassing sandboxing/validation, potentiall...
CVE-2026-8859
CVE-2026-8859 relates to a path traversal vulnerability in Langflow OSS (versions 1.0.0–1.10.0) within the APIRequest component’s “Save to File” feature. Filenames parsed from server-controlled Content-Disposition headers were not sanitized before joining with a temporary directory path, allowing...
CVE-2026-8481
CVE-2026-8481 : A remote code execution vulnerability exists in Langflow OSS (versions 1.0.0–1.10.0) via the code validation API endpoint. The endpoint POST /api/v1/validate/code executes user-supplied Python code with exec() without sandboxing, input validation, or privilege restrictions, allowi...
CVE-2026-8476
The IBM bulletin confirms CVE-2026-8476 affects Langflow OSS (versions 1.0.0–1.10.0) via unsafe pickle deserialization in the AsyncDiskCache, enabling remote code execution with the server process privileges. Mitigation: upgrade Langflow OSS to 1.10.1; no workaround is listed.
CVE-2026-8505
CVE-2026-8505 is a vulnerability in Langflow OSS (versions 1.0.0–1.10.0) where webhook authentication can be bypassed. The issue arises when WEBHOOK_AUTH_ENABLE is set to False (default), allowing unauthenticated users who know a flow UUID to execute that flow, potentially causing Remote Code Exe...
CVE-2026-49255
Technical details for CVE-2026-49255 are not publicly available in the provided documents. Monitor for updates.
CVE-2026-49254
Technical details for CVE-2026-49254 are not publicly available in the provided documents. Monitor for updates.
CVE-2026-49253
Technical details for CVE-2026-49253 are not publicly available in the provided documents. Monitor for updates.
CVE-2026-49250
Technical details for CVE-2026-49250 are not publicly available in the provided documents. Monitor for updates and future disclosures.
CVE-2026-12944
CVE-2026-12944 is a vulnerability in Langflow OSS (versions 1.0.0–1.10.0) where attacker-supplied components containing socket or urllib imports can trigger server-side arbitrary Python code execution with root privileges on the Langflow server. The underlying issue arises from an incomplete secu...
CVE-2026-49852
Technical details for CVE-2026-49852 are not publicly available in the provided documents. This CVE entry remains reserved; monitor for updates as information is released.
CVE-2026-49245
Technical details for CVE-2026-49245 are not publicly available in the provided documents. Monitor for updates.
CVE-2026-49244
Technical details are not publicly available in the provided documents for CVE-2026-49244; this CVE entry is reserved placeholder. Monitor for updates.