Improper Authentication Vulnerability in IBM Langflow OSS
CVE-2026-9103

9.8CRITICAL

Key Information:

Vendor

IBM

Vendor
CVE Published:
17 July 2026

What is CVE-2026-9103?

IBM Langflow OSS versions 1.0.0 through 1.10.0 are vulnerable to an improper authentication issue that could allow remote attackers to gain unauthorized access to the system. The vulnerability resides in the /api/v1/login/auto_login endpoint, which can issue long-lived superuser bearer tokens without proper authentication when the AUTO_LOGIN configuration is enabled by default. This allows unauthenticated network attackers to obtain full administrative privileges. Additionally, the permissive cross-origin resource sharing (CORS) settings may expose these tokens to unintended origins, further heightening the risk of unauthorized access.

Affected Version(s)

Langflow OSS 1.0.0 <= 1.10.0

References

CVSS V3.1

Score:
9.8
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Bugbunny (bugbunny-research) Bugbunny @bugbunny_ai bugbunny.ai https://x.com/bugbunny_ai
.