CVE-2026-7663
Status: Received - Intake

Unauthenticated Access to MCP Resources in IBM Langflow OSS

Vulnerability report for CVE-2026-7663, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-30

Last updated on: 2026-06-30

Assigner: IBM Corporation

Description

IBM Langflow OSS 1.0.0 through 1.9.6 could allow unauthenticated attackers to access protected MCP project resources and execute MCP operations due to improper authorization enforcement in the Streamable MCP transport endpoint.


Meta Information

Published: 2026-06-30
Last Modified: 2026-06-30
Generated: 2026-07-01
AI Q&A: 2026-06-30
EPSS Evaluated: N/A

Affected Vendors & Products

1 associated CPE:
Vendor: ibm
Product: langflow_oss
Version / Range: from 1.0.0 (inclusive) to 1.9.6 (inclusive)

Exploitability

CWE-285: The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.

Executive Summary

CVE-2026-7663 is an improper authorization vulnerability in IBM Langflow OSS versions 1.0.0 through 1.9.6. The flaw lies in the Streamable MCP transport endpoint and allows unauthenticated attackers to bypass project ownership controls and execute Model Context Protocol (MCP) operations on projects owned by other users.

This flaw enables attackers to enumerate private MCP tool metadata, read confidential project files and flow definitions, access user-level files uploaded by the superuser, and execute MCP tools anonymously with superuser privileges. The vulnerability represents a complete bypass of the application's authorization model for MCP operations in the affected transport path.

Exploitation requires network access to a Langflow instance with MCP Composer enabled and target projects using OAuth or non-apikey authentication mode, with no user interaction or authentication required.

Impact Analysis

This vulnerability can have severe impacts including unauthorized access to private and confidential project data, such as MCP tool metadata, project files, and flow definitions.

Attackers can also access user-level files uploaded by the superuser and execute MCP tools with superuser privileges anonymously, potentially leading to unauthorized operations and data exposure.

Because the vulnerability allows a complete bypass of authorization controls without requiring authentication, it poses a high risk of data breach and unauthorized manipulation of project resources.

Compliance Impact

The vulnerability allows unauthenticated attackers to access and execute operations on protected project resources, including reading confidential project files and user-level files with superuser privileges. This unauthorized access to sensitive data could lead to violations of data protection regulations such as GDPR and HIPAA, which require strict controls on access to personal and sensitive information.

Since the flaw enables bypassing authorization controls and exposing confidential data without authentication, affected organizations using IBM Langflow OSS versions 1.0.0 through 1.9.6 may face compliance risks related to unauthorized data disclosure and lack of proper access controls mandated by these standards.

Detection Guidance

This vulnerability involves unauthorized access to the Streamable MCP transport endpoint at /api/v1/mcp/project/{project_id}/streamable. Detection therefore centres on monitoring requests to this specific endpoint that carry no credentials, or on testing whether such requests are accepted.

Since exploitation requires network access to a Langflow instance with MCP Composer enabled and OAuth/non-apikey authentication mode, detection could include attempting to access the endpoint anonymously to see whether project resources or MCP operations can be accessed or executed.

However, no specific detection commands or tools are provided in the available information.
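As an added detection example (not part of this advisory and not Langflow's own code), the following Python script scans access-log lines for requests to the streamable endpoint named above that carry no credentials yet receive a success response, and checks whether a reported Langflow version falls inside the affected range. The log format, the auth=yes/no field and the sample lines are constructed assumptions; adapt the parser to what your reverse proxy actually logs.

```python
import re
from dataclasses import dataclass

# Hypothetical access-log format (assumption): "<client_ip> <method> <path> <status> auth=<yes|no>",
# where auth=no means the request carried neither an Authorization header nor an x-api-key header.
LOG_RE = re.compile(
    r"^(?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3}) auth=(?P<auth>yes|no)$"
)
# Endpoint named in the advisory; the project id is a path segment.
STREAMABLE_RE = re.compile(r"^/api/v1/mcp/project/(?P<project_id>[^/?]+)/streamable/?(\?.*)?$")

# Affected range from the advisory: 1.0.0 through 1.9.6 inclusive; fixed in 1.10.0.
AFFECTED_MIN, AFFECTED_MAX = (1, 0, 0), (1, 9, 6)

def parse_version(version: str) -> tuple:
    return tuple(int(part) for part in version.split("."))

def is_affected_version(version: str) -> bool:
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX

@dataclass
class Finding:
    client_ip: str
    project_id: str
    status: int

def find_unauthenticated_mcp_access(lines) -> list:
    """One Finding per credential-less request to the streamable endpoint answered with success.
    A 401/403 means authorization was enforced; a 2xx on an affected version is the bypass succeeding."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the assumed format
        path = STREAMABLE_RE.match(m["path"])
        status = int(m["status"])
        if path and m["auth"] == "no" and status < 400:
            findings.append(Finding(m["ip"], path["project_id"], status))
    return findings

# Constructed sample log lines: documentation-range IPs and placeholder project ids.
SAMPLE_LOG = """\
203.0.113.7 POST /api/v1/mcp/project/proj-0001/streamable 200 auth=no
198.51.100.4 GET /api/v1/flows/ 200 auth=yes
203.0.113.7 POST /api/v1/mcp/project/proj-0001/streamable 200 auth=yes
192.0.2.9 POST /api/v1/mcp/project/proj-0002/streamable 401 auth=no
"""
```

Run `find_unauthenticated_mcp_access(SAMPLE_LOG.splitlines())` to see the single flagged request; only the first sample line (no credentials, HTTP 200) is reported.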

Mitigation Strategies

IBM strongly recommends upgrading Langflow OSS to version 1.10.0 to remediate this vulnerability.

No workarounds or mitigations are available other than upgrading.
