Server-Side Request Forgery Vulnerability in IBM Langflow OSS
CVE-2026-10546

7.1 HIGH

Key Information:

Vendor: IBM

CVE Published: 30 June 2026

What is CVE-2026-10546?

IBM Langflow OSS versions 1.0.0 to 1.9.3 are impacted by a Server-Side Request Forgery (SSRF) vulnerability, stemming from a Time-of-Check/Time-of-Use (TOCTOU) race condition in the URL component. This flaw can be exploited through DNS rebinding, allowing unauthorized access to internal services or sensitive data. Users are urged to apply available patches and updates to mitigate this issue effectively.
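
The check-then-use race described above, next to a resolve-once variant, as an added example; this is not Langflow's code or IBM's patch. The function names, the injected `resolve` and `connect` callables, the `rebind.example` hostname and the sample addresses are all constructed so the block runs offline.

```python
import ipaddress
from urllib.parse import urlsplit

def is_public(ip):
    # is_global is False for loopback, RFC 1918, link-local (cloud metadata), etc.
    return ipaddress.ip_address(ip).is_global

def fetch_check_then_use(url, resolve, connect):
    """Racy pattern: one lookup for validation, a second one for the connection."""
    host = urlsplit(url).hostname
    if not all(is_public(ip) for ip in resolve(host)):  # time of check
        raise ValueError(f"{host} resolves to a non-public address")
    return connect(resolve(host)[0])                    # time of use: new lookup

def fetch_pinned(url, resolve, connect):
    """Hardened pattern: resolve once, validate, connect to the validated address."""
    host = urlsplit(url).hostname
    ips = resolve(host)                                 # the only lookup
    if not ips or not all(is_public(ip) for ip in ips):
        raise ValueError(f"{host} resolves to a non-public address")
    # A real client connects to ips[0] while still sending `host` in the Host
    # header and TLS SNI, and repeats this check for every redirect hop.
    return connect(ips[0])

class ChangingResolver:
    """Constructed stand-in for a hostname whose DNS answer changes between lookups."""
    def __init__(self, answers):
        self.answers, self.calls = list(answers), 0

    def __call__(self, host):
        answer = self.answers[min(self.calls, len(self.answers) - 1)]
        self.calls += 1
        return [answer]

def demo():
    connect = lambda ip: ip          # stub: report which address would be dialled
    url = "http://rebind.example/"   # constructed hostname
    racy = fetch_check_then_use(url, ChangingResolver(["8.8.8.8", "127.0.0.1"]), connect)
    pinned = fetch_pinned(url, ChangingResolver(["8.8.8.8", "127.0.0.1"]), connect)
    return racy, pinned

if __name__ == "__main__":
    print(demo())
```
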

Affected Version(s)

Langflow OSS 1.0.0 <= 1.9.3

CVSS V3.1

Score: 7.1
Severity: HIGH
Confidentiality: High
Integrity: Low
Availability: High
Attack Vector: Network
Attack Complexity: High
Privileges Required: Low
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
