IBM Langflow OSS 1.0.0 through 1.10.0 has a vulnerability in Langflow's webhook authentication logic allows unauthenticated users to trigger the execution of any flow. The system incorrectly bypasses API key validation when the WEBHOOK_AUTH_ENABLE configuration is set to False (which is the default setting). This allows a remote attacker who knows a flow's UUID to execute it as if they were the owner, potentially leading to Remote Code Execution (RCE).
Advisories
No advisories yet.
Fixes
Solution
IBM strongly recommends addressing the vulnerability now by upgrading Langflow OSS to version 1.10.1 https://pypi.org/project/langflow/
Workaround
No workaround given by the vendor.
References
| Link | Providers |
|---|---|
| https://www.ibm.com/support/pages/node/7278921 |
|
History
Fri, 17 Jul 2026 19:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | IBM Langflow OSS 1.0.0 through 1.10.0 has a vulnerability in Langflow's webhook authentication logic allows unauthenticated users to trigger the execution of any flow. The system incorrectly bypasses API key validation when the WEBHOOK_AUTH_ENABLE configuration is set to False (which is the default setting). This allows a remote attacker who knows a flow's UUID to execute it as if they were the owner, potentially leading to Remote Code Execution (RCE). | |
| Title | Authentication Bypass in Webhook Endpoints Allowed Unauthorized Flow Execution | |
| First Time appeared |
Ibm
Ibm langflow Oss |
|
| CPEs | cpe:2.3:a:ibm:langflow_oss:1.0.0:*:*:*:*:*:*:* cpe:2.3:a:ibm:langflow_oss:1.10.0:*:*:*:*:*:*:* |
|
| Vendors & Products |
Ibm
Ibm langflow Oss |
|
| References |
| |
| Metrics |
cvssV3_1
|
Projects
Sign in to view the affected projects.
Status: PUBLISHED
Assigner: ibm
Published:
Updated: 2026-07-17T19:06:00.986Z
Reserved: 2026-05-13T22:04:50.617Z
Link: CVE-2026-8505
No data.
No data.
No data.
OpenCVE Enrichment
No data.
Weaknesses
No weakness.