IBM Langflow OSS 1.0.0 through 1.10.0 could allow a remote attacker to gain unauthorized access due to improper authentication in the /api/v1/login/auto_login endpoint. The endpoint issues long-lived superuser bearer tokens without requiring authentication when the AUTO_LOGIN configuration is enabled (enabled by default), which may allow an unauthenticated network attacker to obtain full administrative access. Additionally, permissive cross-origin resource sharing (CORS) settings may allow tokens to be exposed to unintended origins, increasing the risk of unauthorized access.
Advisories
No advisories yet.
Fixes
Solution
IBM strongly recommends addressing the vulnerability now by upgrading Langflow OSS to version 1.10.1 https://pypi.org/project/langflow/
Workaround
No workaround given by the vendor.
References
| Link | Providers |
|---|---|
| https://www.ibm.com/support/pages/node/7278926 |
|
History
Fri, 17 Jul 2026 19:00:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | IBM Langflow OSS 1.0.0 through 1.10.0 could allow a remote attacker to gain unauthorized access due to improper authentication in the /api/v1/login/auto_login endpoint. The endpoint issues long-lived superuser bearer tokens without requiring authentication when the AUTO_LOGIN configuration is enabled (enabled by default), which may allow an unauthenticated network attacker to obtain full administrative access. Additionally, permissive cross-origin resource sharing (CORS) settings may allow tokens to be exposed to unintended origins, increasing the risk of unauthorized access. | |
| Title | Unauthenticated Superuser Token Issuance via Auto-Login Endpoint | |
| First Time appeared |
Ibm
Ibm langflow Oss |
|
| Weaknesses | CWE-306 | |
| CPEs | cpe:2.3:a:ibm:langflow_oss:1.0.0:*:*:*:*:*:*:* cpe:2.3:a:ibm:langflow_oss:1.10.0:*:*:*:*:*:*:* |
|
| Vendors & Products |
Ibm
Ibm langflow Oss |
|
| References |
| |
| Metrics |
cvssV3_1
|
Projects
Sign in to view the affected projects.
Status: PUBLISHED
Assigner: ibm
Published:
Updated: 2026-07-17T18:49:43.340Z
Reserved: 2026-05-20T16:49:30.512Z
Link: CVE-2026-9103
No data.
No data.
No data.
OpenCVE Enrichment
No data.
Weaknesses