CVE-2026-13445
IBM · Langflow OSS
IBM Langflow OSS versions 1.0.0 through 1.10.1 are affected by an authorization bypass vulnerability allowing authenticated users to access resources via user-controlled keys.
Executive summary
An authorization bypass vulnerability in IBM Langflow OSS enables authenticated users to gain unauthorized access to data or functions, threatening system confidentiality and integrity.
Vulnerability
This vulnerability (CWE-639) involves an authorization bypass through a user-controlled key. It allows an authenticated user to perform actions or access data outside of their intended privilege scope.
Business impact
The CVSS score of 8.1 indicates a high severity risk. Successful exploitation could allow attackers to access sensitive information or modify data they are not authorized to interact with, leading to significant internal data exposure and potential administrative compromise.
Remediation
Immediate Action: Upgrade IBM Langflow OSS to version 1.10.2 or later to address the authorization logic flaw.
Proactive Monitoring: Review access logs for abnormal patterns of resource requests or attempts to access IDs not associated with the active user session.
Compensating Controls: Enforce strict role-based access control (RBAC) at the network or proxy level to restrict access to sensitive Langflow endpoints.
Exploitation status
Public Exploit Available: No
Analyst recommendation
This vulnerability highlights a critical failure in authorization controls. Organizations utilizing IBM Langflow OSS should prioritize the transition to version 1.10.2 to ensure proper access restrictions are enforced and to mitigate the risk of unauthorized data access.