CVE Catalog

CVE-2026-7664

CriticalCVSS 9.8
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.28%

19th percentile — higher than 19% of all known CVEs

Summary

IBM Langflow OSS versions 1.0.0 through 1.8.4 contain a vulnerability due to improper authorization enforcement in the Streamable MCP transport endpoint. This allows unauthenticated attackers to access protected MCP project resources and execute MCP operations.

Risk Assessment

The risk for the organization includes unauthorized access to sensitive MCP project data and the ability to perform unwanted operations, potentially leading to confidentiality and integrity breaches.

Recommendation

It is recommended to immediately upgrade IBM Langflow OSS to version 1.8.5 or later, which includes a fix for this vulnerability. Until the update is applied, restrict access to the Streamable MCP endpoint to trusted networks only.

Original NVD description (English source)

IBM Langflow OSS 1.0.0 through 1.8.4 could allow unauthenticated attackers to access protected MCP project resources and execute MCP operations due to improper authorization enforcement in the Streamable MCP transport endpoint.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS