CVE-2026-8505
IBM · Langflow OSS
A critical authentication bypass vulnerability in IBM Langflow OSS allows unauthenticated remote attackers to execute arbitrary flows, potentially leading to remote code execution.
Executive summary
IBM Langflow OSS contains an authentication bypass vulnerability in its webhook logic that allows unauthenticated remote attackers to execute flows and achieve code execution.
Vulnerability
This is an authentication bypass vulnerability where the system fails to validate API keys when the configuration setting WEBHOOK_AUTH_ENABLE is set to False. This allows an unauthenticated attacker to trigger flow execution by providing a known flow UUID.
Business impact
The ability for an unauthenticated attacker to trigger arbitrary flows creates a severe risk of Remote Code Execution (RCE). Given the CVSS score of 9.8, this vulnerability allows for complete system compromise, unauthorized data access, and potential lateral movement within the network, posing a critical threat to business continuity and data integrity.
Remediation
Immediate Action: Upgrade IBM Langflow OSS to version 1.10.1 immediately as recommended by the vendor.
Proactive Monitoring: Review system and application access logs for unexpected flow execution events or traffic originating from unauthorized IP addresses.
Compensating Controls: If an immediate update is not possible, verify the WEBHOOK_AUTH_ENABLE setting is configured to True and restrict network access to the Langflow interface via a firewall.
Exploitation status
Public Exploit Available: Unknown
Analyst recommendation
This vulnerability represents a critical security risk due to the potential for full system compromise. Security teams should prioritize the upgrade to version 1.10.1 across all production and development environments to eliminate the authentication bypass vector.