CVE-2026-9202

IBM · Langflow OSS

IBM Langflow OSS versions 1.0.0 through 1.10.0 allow unauthenticated attackers to create new user accounts that may automatically gain access to remote code execution endpoints.

Executive summary

An authentication bypass in IBM Langflow OSS allows unauthenticated attackers to create active user accounts, facilitating remote code execution.

Vulnerability

This is a missing authentication for critical function vulnerability (CWE-306) that allows unauthorized account creation. If the instance is configured with NEW_USER_IS_ACTIVE set to true, these accounts gain immediate access to RCE endpoints.

Business impact

With a CVSS score of 9.8, this vulnerability poses an extreme risk to the availability and integrity of the system. An attacker can gain full administrative control by creating a rogue account, leading to total system compromise and potential lateral movement within the network.

Remediation

Immediate Action: Upgrade IBM Langflow OSS to version 1.10.1 immediately to patch the authentication logic.

Proactive Monitoring: Audit the user management database for any unauthorized or unknown accounts that were created during the period of exposure.

Compensating Controls: Set NEW_USER_IS_ACTIVE to false in the configuration file if an immediate upgrade is not feasible, and monitor for any suspicious sign-up requests.

Exploitation status

Public Exploit Available: Unknown

Analyst recommendation

The ability to create unauthorized accounts leading to remote code execution is a critical failure in the application security model. Administrators must prioritize the update to version 1.10.1 to prevent unauthorized access and protect the integrity of the Langflow environment.