What happened
IBM Langflow OSS versions 1.0.0 through 1.8.4 allow unauthenticated attackers to access protected MCP project resources and execute MCP operations due to improper authorization enforcement in the Streamable MCP transport endpoint (CWE-287: Improper Authentication). The CVSS 3.1 vector is AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. IBM published the bulletin on 2026-06-21; the CVE record was published on 2026-06-22.
Why it matters
Langflow is a widely deployed visual LLM/agentic workflow builder. An unauthenticated attacker with network access can invoke MCP tools — including code-execution and data-retrieval tools — without any credentials, enabling full compromise of any AI workflow running on the server. IBM notes no workaround exists; immediate upgrade is required.
Attack vector
Remote unauthenticated HTTP request to the Streamable MCP transport endpoint; no credentials or user interaction required.
Affected systems
Langflow OSS 1.0.0 – 1.8.4
Mitigation
Upgrade to Langflow OSS 1.9.1. No workaround available. IBM advisory: https://www.ibm.com/support/pages/node/7277243
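As an added example (not code from the IBM bulletin or the Langflow project), a small Python triage script that classifies an inventory of Langflow hosts against the affected range 1.0.0 through 1.8.4 and the 1.9.1 fix; the hostnames and versions in the sample inventory are constructed, and versions that fall between the listed range and the fix (for example a 1.9.1 pre-release) are flagged for manual verification rather than assumed safe.

```python
"""Triage Langflow hosts against this advisory: affected 1.0.0-1.8.4, fixed in 1.9.1."""
import re
AFFECTED_MIN, AFFECTED_MAX, FIXED_VERSION = "1.0.0", "1.8.4", "1.9.1"  # from the advisory

# Accepts "1.8.4", "v1.8.4", "1.9.1rc1", "1.9.1-dev2"; anything else raises ValueError.
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?P<pre>-?(?:a|b|rc|dev)\d*)?$", re.I)

def version_key(raw: str) -> tuple[int, int, int, int]:
    """Sortable key; a pre-release (1.9.1rc1) orders before its final release (1.9.1)."""
    m = _VERSION_RE.match(raw.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {raw!r}")
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    return major, minor, patch, 0 if m.group("pre") else 1

def classify(raw: str) -> str:
    """One of: affected, verify, fixed, not_listed."""
    key = version_key(raw)
    if key < version_key(AFFECTED_MIN):
        return "not_listed"  # older than the range IBM lists; not claimed safe here
    if key <= version_key(AFFECTED_MAX):
        return "affected"
    if key < version_key(FIXED_VERSION):
        return "verify"  # e.g. 1.9.0 or 1.9.1rc1: not listed, yet predates the fix
    return "fixed"

def triage(inventory: dict[str, str]) -> dict[str, str]:
    """Map host -> status; unparsable versions become 'unknown' instead of aborting."""
    result = {}
    for host, version in inventory.items():
        try:
            result[host] = classify(version)
        except ValueError:
            result[host] = "unknown"
    return result

# Constructed sample inventory (hostnames and versions are made up for illustration).
SAMPLE_INVENTORY = {
    "langflow-prod-1": "1.8.4",
    "langflow-prod-2": "v1.3.0",
    "langflow-stage": "1.9.1rc1",
    "langflow-dev": "1.9.1",
    "langflow-legacy": "0.6.19",
    "langflow-canary": "latest",
}

if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{host:16} {SAMPLE_INVENTORY[host]:9} {status}")
```

Hosts reported as affected or verify should be upgraded to 1.9.1; "unknown" entries need their real version confirmed before they are treated as safe.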