CVE-2026-10560
Status: Received - Intake

Unauthenticated Access in IBM Langflow OSS

Vulnerability report for CVE-2026-10560, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-30

Last updated on: 2026-06-30

Assigner: IBM Corporation

Description

IBM Langflow OSS 1.0.0 through 1.9.6 contains a missing authentication vulnerability in /api/v1/build_public_tmp/ endpoints that allows an unauthenticated attacker to read build event data or cancel jobs using a valid job identifier, resulting in information disclosure and denial of service.

Meta Information

Published: 2026-06-30
Last Modified: 2026-06-30
Generated: 2026-07-01
AI Q&A: 2026-06-30
EPSS Evaluated: N/A
Cross-references: NVD, EUVD

Affected Vendors & Products

Showing 2 associated CPEs

Vendor   Product        Version / Range
ibm      langflow_oss   From 1.0.0 (inclusive) to 1.9.6 (inclusive)
ibm      langflow       From 1.0.0 (inclusive) to 1.9.6 (inclusive)

Exploitability

CWE: CWE-287 (Improper Authentication) - When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

AI Quick Actions

Executive Summary

CVE-2026-10560 is a security vulnerability in IBM Langflow OSS versions 1.0.0 through 1.9.6 that involves missing authentication on certain API endpoints.

Specifically, the endpoints /api/v1/build_public_tmp/{job_id}/events and /api/v1/build_public_tmp/{job_id}/cancel do not require authentication or authorization, allowing an unauthenticated attacker to access sensitive build event data or cancel jobs by knowing a valid job identifier.

The GET endpoint streams live build events, potentially exposing sensitive information such as customer prompts, large language model (LLM) responses, API keys, internal documents, and filesystem paths.

The POST endpoint allows attackers to cancel in-progress flow builds, which can cause denial-of-service conditions.

Impact Analysis

This vulnerability can have significant impacts including information disclosure and denial of service.

  • Information Disclosure: Attackers can read sensitive build event data such as customer prompts, LLM responses, API keys, internal documents, and filesystem paths without authentication.
  • Denial of Service: Attackers can cancel active jobs by sending cancellation requests with valid job identifiers, disrupting normal operations.

Because the vulnerability requires no authentication and has a high CVSS score of 8.2, it poses a serious security risk.

Detection Guidance

This vulnerability can be detected by attempting to access the vulnerable endpoints without authentication to see if sensitive data or job cancellation is possible.

  • Use a command like: curl -v http://<langflow-server>/api/v1/build_public_tmp/<job_id>/events (a plain GET; curl defaults to GET, and the earlier form "curl -v GET <url>" would treat the word GET as a second URL) to check whether build event data is returned without authentication.
  • Use a command like: curl -v -X POST http://<langflow-server>/api/v1/build_public_tmp/<job_id>/cancel to check whether a job can be cancelled without authentication. In both commands, <job_id> is the identifier of a build job on that instance.

If either request succeeds without credentials (the events endpoint streams build data, or the cancel endpoint acknowledges the cancellation) instead of being rejected with an authentication error, the instance is vulnerable.

Mitigation Strategies

The immediate step to mitigate this vulnerability is to upgrade IBM Langflow OSS to version 1.10.0 or later, where the issue is fixed.

No workarounds are available, so upgrading is the only recommended mitigation.

Compliance Impact

The vulnerability allows unauthenticated attackers to access sensitive data such as customer prompts, LLM responses, API keys, internal documents, and filesystem paths. This exposure of sensitive information could lead to non-compliance with data protection regulations like GDPR and HIPAA, which require protection of personal and sensitive data against unauthorized access.

Additionally, the ability to cancel in-flight flow builds without authorization could disrupt service availability, potentially impacting compliance with standards that mandate system integrity and availability.
