CVE-2026-9202
IBM · Langflow OSS
IBM Langflow OSS versions 1.0.0 through 1.10.0 allow unauthenticated attackers to create new user accounts that may automatically gain access to remote code execution endpoints.
Executive summary
An authentication bypass in IBM Langflow OSS allows unauthenticated attackers to create active user accounts, facilitating remote code execution.
Vulnerability
This is a missing authentication for critical function vulnerability (CWE-306) that allows unauthorized account creation. If the instance is configured with NEW_USER_IS_ACTIVE set to true, these accounts gain immediate access to RCE endpoints.
Business impact
With a CVSS score of 9.8, this vulnerability poses an extreme risk to the availability and integrity of the system. An attacker can gain full administrative control by creating a rogue account, leading to total system compromise and potential lateral movement within the network.
Remediation
Immediate Action: Upgrade IBM Langflow OSS to version 1.10.1 immediately to patch the authentication logic.
Proactive Monitoring: Audit the user management database for any unauthorized or unknown accounts that were created during the period of exposure.
Compensating Controls: Set NEW_USER_IS_ACTIVE to false in the configuration file if an immediate upgrade is not feasible, and monitor for any suspicious sign-up requests.
Exploitation status
Public Exploit Available: Unknown
Analyst recommendation
The ability to create unauthorized accounts leading to remote code execution is a critical failure in the application security model. Administrators must prioritize the update to version 1.10.1 to prevent unauthorized access and protect the integrity of the Langflow environment.