Server-Side Request Forgery Vulnerability in IBM Langflow OSS
CVE-2026-10129

8.5 HIGH

Key Information:

Vendor:
IBM

CVE Published:
30 June 2026

What is CVE-2026-10129?

IBM Langflow OSS versions 1.0.0 to 1.9.3 are susceptible to a Server-Side Request Forgery (SSRF) bypass in the API Request component. An authenticated user with the flow author role can exploit this vulnerability by manipulating the follow_redirects parameter so that a public URL redirects to internal resources. The flaw arises from inadequate validation of redirect destinations, allowing an attacker to reach sensitive internal services, access cloud metadata services, and reveal private network information that is normally shielded by SSRF protections. Successful exploitation can lead to unauthorized disclosure of critical data, including authentication tokens and internal API responses.
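The bypass described above works because the HTTP client follows redirects on its own, so an allow-list applied to the originally submitted URL never sees where the chain ends. The defensive pattern is to disable automatic redirects and validate every hop. The following is an added illustration, not Langflow's code or its fix; the resolver and request function are injectable (assumed interfaces) so the logic can be exercised without network access.

```python
import ipaddress
import socket
from urllib.parse import urljoin, urlparse

# Address ranges a server-side fetcher should never reach: loopback, RFC 1918,
# link-local (where cloud metadata endpoints such as 169.254.169.254 live),
# carrier-grade NAT, and the IPv6 equivalents.
BLOCKED_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]

REDIRECT_STATUSES = (301, 302, 303, 307, 308)


def is_public_destination(url, resolve=socket.gethostbyname):
    """True only if url is http(s) and its host resolves outside BLOCKED_NETS.

    `resolve` is injectable so the check can be exercised without DNS."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https") or not parsed.hostname:
        return False
    try:
        addr = ipaddress.ip_address(resolve(parsed.hostname))
    except (OSError, ValueError):  # unresolvable host or non-IP answer
        return False
    return not any(addr in net for net in BLOCKED_NETS)


def fetch_checking_every_hop(url, do_request, max_hops=5, resolve=socket.gethostbyname):
    """Follow redirects by hand so every hop, not just the first URL, is validated.

    do_request(url) is an assumed callable that performs ONE request with
    automatic redirects disabled and returns (status, headers, body), with
    lowercase header keys. A production fetcher should also connect to the
    address it validated, closing the DNS-rebinding window between check and
    connect."""
    for _ in range(max_hops + 1):
        if not is_public_destination(url, resolve):
            raise ValueError(f"blocked destination: {url}")
        status, headers, body = do_request(url)
        if status in REDIRECT_STATUSES and "location" in headers:
            url = urljoin(url, headers["location"])  # resolve relative Location
            continue
        return url, status, body
    raise ValueError("too many redirects")
```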

Affected Version(s)

Langflow OSS 1.0.0 to 1.9.3 (inclusive)

References

CVSS V3.1

Score: 8.5
Severity: HIGH
Confidentiality: High
Integrity: Low
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability reserved