CVE-2026-10564

IBM Langflow SSRF in RSSReaderComponent and SearXNG

Vulnerability report for CVE-2026-10564, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-30

Last updated on: 2026-06-30

Assigner: IBM Corporation

Description

IBM Langflow OSS 1.0.0 through 1.9.6 contains a Server-Side Request Forgery (SSRF). The legacy RSSReaderComponent in rss.py and SearXNG component in searxng.py make unvalidated HTTP requests to user-controlled URLs, bypassing SSRF protections introduced in version 1.9.3. An authenticated attacker can exploit this to access internal resources including cloud metadata services (AWS/Azure/GCP IMDS), potentially exfiltrating IAM credentials and enumerating internal networks. The vulnerability can also be triggered through prompt injection in agentic workflows due to tool_mode=True exposure.


Meta Information

Published: 2026-06-30
Last Modified: 2026-06-30
Generated: 2026-07-01
AI Q&A generated: 2026-06-30
EPSS Evaluated: N/A

Affected Vendors & Products

2 associated CPEs:

Vendor   Product        Version / Range
ibm      langflow_oss   1.0.0 (inclusive) through 1.9.6 (inclusive)
ibm      langflow       1.0.0 (inclusive) through 1.9.6 (inclusive)

Exploitability

CWE-918: The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

AI Quick Actions
Executive Summary

CVE-2026-10564 is a Server-Side Request Forgery (SSRF) vulnerability found in IBM Langflow OSS versions 1.0.0 through 1.9.6. It exists in legacy components, specifically the RSSReaderComponent and SearXNG component, which make unvalidated HTTP requests to user-controlled URLs. This bypasses SSRF protections introduced in version 1.9.3.

The vulnerability arises because the RSSReaderComponent calls requests.get() on user input without validating the URL, allowing attackers to exploit this to access internal resources. Additionally, the vulnerability can be triggered through prompt injection in agentic workflows due to the tool_mode=True setting, creating an attack chain from prompt injection to SSRF.

An authenticated attacker can exploit this vulnerability with a single API call to exfiltrate cloud metadata service credentials (such as AWS, Azure, or GCP IAM tokens), enumerate internal networks, and bypass security guarantees introduced in later versions.

Impact Analysis

This vulnerability can have serious impacts including unauthorized access to internal resources and cloud metadata services, which may lead to exfiltration of sensitive IAM credentials.

Attackers can use these credentials to pivot within cloud accounts, potentially gaining broader access to cloud infrastructure and data.

It also allows attackers to enumerate internal networks, which can facilitate further attacks or reconnaissance.

The vulnerability requires only standard user authentication and no victim interaction, making it easier for attackers to exploit.

Mitigation Strategies

IBM strongly recommends upgrading Langflow OSS to version 1.10.0 to address this vulnerability.

The vulnerability exists in versions 1.0.0 through 1.9.6 due to legacy components bypassing SSRF protections.

Since the vulnerability requires only standard user authentication and exists in the default configuration, upgrading is the most effective mitigation.

Detection Guidance

This vulnerability can be detected by monitoring for unusual or unauthorized HTTP requests originating from the Langflow OSS application, especially those targeting internal cloud metadata services (AWS, Azure, GCP IMDS) or internal network resources.

Since the vulnerability involves the RSSReaderComponent making unvalidated HTTP requests to user-controlled URLs, detection can include inspecting logs for requests to unexpected or internal URLs triggered by the rss_url parameter.

Suggested commands to help detect exploitation attempts include:

  • Use network monitoring tools such as tcpdump or Wireshark to capture outgoing HTTP requests from the Langflow OSS server.
  • Example tcpdump command to capture HTTP(S) traffic: sudo tcpdump -i <interface> -A 'tcp port 80 or tcp port 443'. Note that traffic on port 443 is TLS-encrypted, so the -A flag only shows URLs for plain HTTP; for HTTPS, filter on destination addresses (for example the link-local metadata address range) or inspect the application's own request logs instead.
  • Check application logs or API call logs for invocations of the RSSReaderComponent or the searxng.py component with suspicious URLs.
  • Use curl or a similar tool to test the API endpoints for the SSRF weakness by sending crafted requests with URLs pointing to internal metadata services.
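The mitigation and detection sections above both reduce to one question: is the destination of a server-side fetch an internal address (RFC 1918 space, loopback, link-local including the cloud metadata address 169.254.169.254, or an IPv4-mapped IPv6 form of any of these)? The following added example, which is not Langflow's own code and does not reproduce how version 1.9.3 or 1.10.0 implement their protections, answers that question in two settings: as a guard a component could call before requests.get(), and as a sweep over component-invocation log records. The log format, the sample records, the hostnames and the offline resolver are all constructed for the example.

```python
"""SSRF destination guard plus a log sweep for requests that slipped past it.

Added example, not Langflow's own code. The guard is the check a component
such as an RSS reader could run before requests.get(); the log sweep applies
the same classification to constructed component-invocation records.
"""
from __future__ import annotations

import ipaddress
import json
import socket
from typing import Callable, Iterable
from urllib.parse import urlparse

ALLOWED_SCHEMES = {"http", "https"}
# Well-known names for local/metadata endpoints; assumed here, not from the advisory.
BLOCKED_HOSTNAMES = {"localhost", "metadata", "metadata.google.internal"}

Resolver = Callable[[str], Iterable[str]]


def resolve_with_dns(host: str) -> list[str]:
    """Default resolver: every A/AAAA record for host via the system resolver."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def is_internal_address(ip_text: str) -> bool:
    """True for any address a server-side fetch must never reach: private,
    loopback, link-local (169.254.0.0/16 holds the IMDS address), shared
    address space, multicast, reserved or unspecified."""
    ip = ipaddress.ip_address(ip_text)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:a.b.c.d is judged as the IPv4 it wraps
    return (not ip.is_global or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def check_fetch_target(url: str, resolver: Resolver = resolve_with_dns) -> tuple[bool, str]:
    """Return (allowed, reason) for a user-supplied URL, resolving the host first."""
    parsed = urlparse(url)
    if parsed.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {parsed.scheme or '<none>'}"
    host = parsed.hostname  # lower-cased, brackets stripped from IPv6 literals
    if not host:
        return False, "no host in URL"
    if host in BLOCKED_HOSTNAMES:
        return False, f"blocked hostname: {host}"
    try:
        addresses = [str(ipaddress.ip_address(host))]  # literal IP: no DNS lookup
    except ValueError:
        try:
            addresses = list(resolver(host))
        except OSError as exc:  # socket.gaierror is an OSError subclass
            return False, f"resolution failed for {host}: {exc}"
    if not addresses:
        return False, f"no addresses for {host}"
    # Every record is checked: a name with one public and one private record is
    # refused rather than trusting whichever record the HTTP client picks.
    for addr in addresses:
        if is_internal_address(addr):
            return False, f"{host} resolves to internal address {addr}"
    return True, "ok"


def suspicious_fetches(log_lines: Iterable[str], resolver: Resolver = resolve_with_dns) -> list[dict]:
    """Flag JSON log records whose fetch URL the guard would have refused."""
    hits = []
    for line in log_lines:
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue  # non-JSON lines are skipped, not treated as evidence
        url = record.get("rss_url") or record.get("url")
        if not url:
            continue
        allowed, reason = check_fetch_target(url, resolver)
        if not allowed:
            hits.append({**record, "reason": reason})
    return hits


# Constructed sample records in a hypothetical log format (not Langflow's).
SAMPLE_LOG = [
    json.dumps({"component": "RSSReaderComponent", "user": "alice",
                "rss_url": "https://feeds.example.com/news.xml"}),
    json.dumps({"component": "RSSReaderComponent", "user": "mallory",
                "rss_url": "http://169.254.169.254/"}),
    json.dumps({"component": "SearXNG", "user": "mallory",
                "url": "http://[::ffff:10.0.0.5]:8080/search"}),
    "not json at all",
]


def offline_resolver(host: str) -> list[str]:
    """Fixed answers so the example runs without network access (constructed)."""
    table = {"feeds.example.com": ["93.184.216.34"]}
    if host not in table:
        raise OSError(f"unknown host {host}")
    return table[host]


if __name__ == "__main__":
    for hit in suspicious_fetches(SAMPLE_LOG, offline_resolver):
        print(hit["component"], hit["user"], hit["reason"])
```

Two design points matter in practice. The guard validates the resolved addresses, so to close the DNS-rebinding window the HTTP client should connect to the address that was checked rather than resolve the name a second time; and it refuses a name that has any internal record, since the client, not the guard, chooses which record to use. Redirects need the same treatment: with a client that follows them automatically, each Location target has to go through check_fetch_target again, or redirects have to be disabled.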

Compliance Impact

The vulnerability allows an authenticated attacker to exfiltrate cloud metadata service credentials and enumerate internal networks, potentially leading to unauthorized access to sensitive data.

Such unauthorized access and potential data exfiltration could impact compliance with data protection regulations like GDPR and HIPAA, which require safeguarding sensitive information and preventing unauthorized access.

However, the provided information does not explicitly mention compliance impacts or specific regulatory considerations.
