Vulnerability  ·  2026-07-19

IBM Langflow OSS RCE via MCP Server Configuration Validator Bypass in File Upload API

VulnerabilityHigh impactGlobalCVE-2026-7755
IBM disclosed a high-severity (CVSS 8.8) RCE in Langflow caused by incomplete validation enforcement on MCP server configuration files uploaded via the file API, bypassing the validator applied to the normal MCP config API path.
MCP server configs control what commands/tools an AI agent's runtime can spawn; this bypass lets an authenticated attacker plant a malicious MCP server definition that executes arbitrary commands with the Langflow process's privileges, undermining the core trust boundary between agent orchestration and tool execution.
The File Manager API's upload_user_file() function specially handles files named _mcp_servers_<user_id>.json but does not invoke the MCPServerConfig validator that the structured MCP API endpoint uses. An attacker uploads a crafted MCP config file with dangerous environment variables/command arguments; when servers are subsequently enumerated via get_server_list(), the config is parsed as JSON (no re-validation) and spawned via MCPStdioClient._connect_to_server(), executing attacker-controlled commands/environment.
IBM Langflow OSS 1.0.0 through 1.10.0
IBM patched the validation gap; see security bulletin at support pages node/7278932. Upgrade Langflow and audit any previously uploaded MCP configuration files.
NVD CVE-2026-7755IBM Security Bulletin: MCP Server Configuration Validator Bypass via File Upload API
See this in the live feed Explore related AI security and governance findings — updated every morning.
Open the feed →