CVE-2026-8505
Received Received - Intake

Unauthenticated Flow Execution in IBM Langflow OSS

Vulnerability report for CVE-2026-8505, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-17

Last updated on: 2026-07-17

Assigner: IBM Corporation

Description

IBM Langflow OSS 1.0.0 through 1.10.0 has a vulnerability in Langflow's webhook authentication logic allows unauthenticated users to trigger the execution of any flow. The system incorrectly bypasses API key validation when the WEBHOOK_AUTH_ENABLE configuration is set to False (which is the default setting). This allows a remote attacker who knows a flow's UUID to execute it as if they were the owner, potentially leading to Remote Code Execution (RCE).

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-17
Last Modified
2026-07-17
Generated
2026-07-18
AI Q&A
2026-07-18
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
ibm langflow From 1.0.0 (inc) to 1.10.0 (inc)
ibm langflow_oss From 1.0.0 (inc) to 1.10.0 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability in IBM Langflow OSS 1.0.0 through 1.10.0 allows unauthenticated users to trigger flow execution due to incorrect webhook authentication logic. When WEBHOOK_AUTH_ENABLE is set to False (default), API key validation is bypassed. Attackers with knowledge of a flow's UUID can execute it as the owner, potentially leading to Remote Code Execution (RCE).

Detection Guidance

Check if Langflow is running with WEBHOOK_AUTH_ENABLE set to False by inspecting configuration files or environment variables. Verify if any flows have been executed by unauthorized users by reviewing logs for unexpected webhook triggers or flow executions.

Impact Analysis

An attacker could execute malicious flows, leading to RCE or Denial of Service (DoS). This could compromise system integrity, steal data, or disrupt services. The high CVSS score (9.8) indicates severe potential impact.

Compliance Impact

This vulnerability could lead to unauthorized data access or processing, violating GDPR (data protection) and HIPAA (health data security) requirements. Non-compliance risks include fines and legal penalties.

Mitigation Strategies

Immediately upgrade Langflow to version 1.10.1 or later to address the authentication bypass. Ensure WEBHOOK_AUTH_ENABLE is set to True in configurations to enforce API key validation. Review and restrict access to flow UUIDs to prevent unauthorized execution.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-8505. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart