Improper Authentication Vulnerability in IBM Langflow OSS
CVE-2026-9103
9.8CRITICAL
What is CVE-2026-9103?
IBM Langflow OSS versions 1.0.0 through 1.10.0 are vulnerable to an improper authentication issue that could allow remote attackers to gain unauthorized access to the system. The vulnerability resides in the /api/v1/login/auto_login endpoint, which can issue long-lived superuser bearer tokens without proper authentication when the AUTO_LOGIN configuration is enabled by default. This allows unauthenticated network attackers to obtain full administrative privileges. Additionally, the permissive cross-origin resource sharing (CORS) settings may expose these tokens to unintended origins, further heightening the risk of unauthorized access.
Affected Version(s)
Langflow OSS 1.0.0 <= 1.10.0
References
CVSS V3.1
Score:
9.8
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged
Timeline
Vulnerability published
Vulnerability Reserved
Credit
Bugbunny (bugbunny-research) Bugbunny @bugbunny_ai bugbunny.ai https://x.com/bugbunny_ai