CVE Catalog

CVE-2026-7663

CriticalCVSS 9.1
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.26%

17th percentile — higher than 17% of all known CVEs

Summary

IBM Langflow OSS versions 1.0.0 through 1.9.6 contain a vulnerability due to improper authorization enforcement in the Streamable MCP transport endpoint. This allows unauthenticated attackers to access protected MCP project resources and execute MCP operations.

Risk Assessment

The risk includes unauthorized access to sensitive data and operations within MCP projects, potentially leading to information disclosure or workflow manipulation without proper authorization.

Recommendation

It is recommended to immediately upgrade IBM Langflow OSS to version 1.9.7 or later, which includes a fix for this vulnerability. Also review authorization configuration for MCP endpoints.

Original NVD description (English source)

IBM Langflow OSS 1.0.0 through 1.9.6 could allow unauthenticated attackers to access protected MCP project resources and execute MCP operations due to improper authorization enforcement in the Streamable MCP transport endpoint.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS