CVE-2026-9202
Undergoing Analysis Undergoing Analysis - In Progress

Unauthenticated Account Creation Leading to RCE in IBM Langflow OSS

Vulnerability report for CVE-2026-9202, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-17

Last updated on: 2026-07-17

Assigner: IBM Corporation

Description

IBM Langflow OSS 1.0.0 through 1.10.0 allows unauthenticated attackers to create unlimited user accounts on any Langflow instance; when NEW_USER_IS_ACTIVE=true (documented deployment option), newly created accounts are immediately active and can authenticate to reach RCE endpoints, bypassing the need for AUTO_LOGIN.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-17
Last Modified
2026-07-17
Generated
2026-07-18
AI Q&A
2026-07-17
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
ibm langflow From 1.0.0 (inc) to 1.10.0 (inc)
ibm langflow_oss From 1.0.0 (inc) to 1.10.0 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-306 The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-9202 is a critical vulnerability in IBM Langflow OSS versions 1.0.0 through 1.10.0 that allows unauthenticated attackers to create unlimited user accounts via the user registration API. If the deployment option NEW_USER_IS_ACTIVE=true is enabled, newly created accounts are immediately active, granting attackers access to remote code execution endpoints with server privileges.

Detection Guidance

Check Langflow OSS versions 1.0.0 through 1.10.0 for unauthorized user accounts. Inspect logs for excessive user creation via the registration API. Verify if NEW_USER_IS_ACTIVE=true is enabled in deployment settings.

Impact Analysis

Attackers could exploit this to create unlimited accounts, gain unauthorized access to RCE endpoints, and execute arbitrary code on the server. Even without active accounts, the flaw may cause resource exhaustion or enable dormant-account scenarios for future attacks.

Compliance Impact

This vulnerability could lead to unauthorized access, data breaches, or system compromise, violating GDPR (data protection) and HIPAA (health data security) requirements for access controls and integrity. Non-compliance risks include legal penalties and reputational damage.

Mitigation Strategies

Upgrade Langflow OSS to version 1.10.1 or later immediately. Disable NEW_USER_IS_ACTIVE=true if enabled. Review and remove any unauthorized user accounts created during exploitation.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-9202. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart