CVE-2026-3340: IBM Langflow: SSRF enables internal network enumeration
Severity: MEDIUM
IBM Langflow Desktop versions 1.0.0 through 1.8.4 contain an SSRF flaw that coerces the application server into issuing unauthorized HTTP requests to internal network resources on behalf of an attacker. Despite a medium CVSS score of 6.5, EPSS data places this in the top 91st percentile for exploitation likelihood — a signal that real-world conditions favor exploitation faster than severity alone suggests, and the CVSS vector (PR:N, AC:L) contradicts the advisory's 'authenticated attacker' qualifier, warranting treatment as potentially pre-auth. Langflow's architectural position as an LLM workflow orchestrator — typically wired to internal model endpoints, vector databases, and cloud APIs — amplifies the blast radius well beyond a standard SSRF: cloud metadata endpoints (AWS/GCP/Azure IMDS), internal credential stores, and connected AI services are all reachable. Update to the remediated release per the IBM advisory and apply strict egress filtering on the Langflow host to block RFC1918, link-local, and loopback targets pending patching.
What is the risk?
Moderate-to-elevated risk for any organization running Langflow adjacent to cloud infrastructure or internal AI services. The CVSS attack complexity is low and the attack vector is network, meaning no special positioning is required. The discrepancy between the CVSS vector (PR:N — no privileges) and the advisory description ('authenticated attacker') is unresolved; organizations should conservatively assume the flaw may be reachable without authentication. EPSS top-91st percentile indicates elevated exploitation probability relative to the broader CVE corpus. Absence from CISA KEV and lack of a public exploit or Nuclei template reduce immediate urgency, with SSVC decision TRACK appropriate.
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| Langflow | pip | — | No patch |
Do you use Langflow? You're affected.
What should I do?
5 steps:
1. Patch: Apply the remediated IBM Langflow Desktop version per the advisory at https://www.ibm.com/support/pages/node/7271096 immediately.
2. Egress filtering: Enforce strict outbound HTTP allowlisting on the Langflow host — deny requests to RFC1918 ranges (10.x, 172.16-31.x, 192.168.x), link-local (169.254.x.x), and loopback (127.x).
3. Network segmentation: Isolate Langflow instances from sensitive internal AI services, model APIs, and cloud control planes using firewall rules or service mesh policy.
4. Detection: Alert on outbound HTTP requests from the Langflow process to internal IP ranges, cloud metadata addresses, or unexpected external hosts.
5. Authentication enforcement: Given the CVSS PR:N discrepancy, verify authentication is enforced on all exposed Langflow instances and disable anonymous access if present.
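The egress-filtering and detection steps above, as an added example that is not code from the page or from Langflow: constructed egress log lines (the log format is assumed, not Langflow's own) are checked against the denied ranges the steps list, with the cloud metadata address flagged separately. The IPv6 ranges and IPv4-mapped handling generalize beyond the page's IPv4 list.

```python
import ipaddress

# Destination ranges the remediation guidance denies from the Langflow host.
# The IPv6 entries are an addition beyond the page's IPv4 list.
BLOCKED_NETWORKS = {
    "rfc1918": [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")],
    "link-local": [ipaddress.ip_network(n) for n in ("169.254.0.0/16", "fe80::/10")],
    "loopback": [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "::1/128")],
    "unique-local": [ipaddress.ip_network("fc00::/7")],
}
CLOUD_METADATA = ipaddress.ip_address("169.254.169.254")  # AWS/GCP/Azure IMDS address


def classify_destination(host: str):
    """Return the denied-range label for a literal IP destination, or None if allowed.
    Hostnames are returned as None here (no DNS offline); a deployment must resolve
    them and classify every resulting address before allowing the request."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return None
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped  # ::ffff:10.0.0.1 is the same target as 10.0.0.1
    if addr == CLOUD_METADATA:
        return "cloud-metadata"  # checked first: more specific than link-local
    for label, nets in BLOCKED_NETWORKS.items():
        if any(addr in net for net in nets):
            return label
    return None


# Constructed sample lines in an assumed "key=value" egress log format.
SAMPLE_EGRESS_LOG = [
    "2026-03-01T10:00:01Z proc=langflow dst=142.250.72.14 url=https://generativelanguage.googleapis.com/v1/models",
    "2026-03-01T10:00:07Z proc=langflow dst=169.254.169.254 url=http://169.254.169.254/latest/meta-data/iam/security-credentials/",
    "2026-03-01T10:00:09Z proc=langflow dst=10.40.2.17 url=http://10.40.2.17:6333/collections",
    "2026-03-01T10:00:12Z proc=nginx dst=127.0.0.1 url=http://127.0.0.1:7860/health",
]


def scan_egress_log(lines, process="langflow"):
    """Return (dst, url, label) alerts for denied destinations requested by `process`."""
    alerts = []
    for line in lines:
        fields = dict(f.split("=", 1) for f in line.split()[1:])  # skip the timestamp
        if fields.get("proc") != process:
            continue  # only the Langflow process is in scope for this alert
        label = classify_destination(fields.get("dst", ""))
        if label:
            alerts.append((fields["dst"], fields["url"], label))
    return alerts
```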
What does CISA's SSVC say?
Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.
Frequently Asked Questions
Is CVE-2026-3340 actively exploited?
No confirmed active exploitation of CVE-2026-3340 has been reported, but organizations should still patch proactively.
What systems are affected by CVE-2026-3340?
This vulnerability affects the following AI/ML architecture patterns: LLM workflow orchestration platforms, agent frameworks, AI development environments, cloud-hosted AI pipelines.
What is the CVSS score for CVE-2026-3340?
CVE-2026-3340 has a CVSS v3.1 base score of 6.5 (MEDIUM). The EPSS exploitation probability is 0.17%.
What is the AI security impact?
Affected AI Architectures
MITRE ATLAS Techniques
- AML.T0006 Active Scanning
- AML.T0037 Data from Local System
- AML.T0049 Exploit Public-Facing Application
- AML.T0075 Cloud Service Discovery
Compliance Controls Affected
What are the technical details?
Original Advisory
IBM Langflow Desktop 1.0.0 through 1.8.4
IBM Langflow is vulnerable to server-side request forgery (SSRF). This may allow an authenticated attacker to send unauthorized requests from the system, potentially leading to network enumeration or facilitating other attacks.
Exploitation Scenario
An attacker — authenticated or potentially unauthenticated given the PR:N CVSS vector — accesses an internet-facing IBM Langflow Desktop instance and creates a flow containing an HTTP Request node targeting http://169.254.169.254/latest/meta-data/iam/security-credentials/ (AWS IMDS). Langflow's backend processes the flow and returns the cloud IAM temporary credentials to the attacker. With these credentials the attacker pivots directly into the cloud account hosting the AI stack: accessing S3 buckets containing training data, calling model inference APIs under the victim's identity, or enumerating the internal VPC to find vector databases and other AI services that lack public authentication.
Weaknesses (CWE)
CWE-918 — Server-Side Request Forgery (SSRF): The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
Source: MITRE CWE corpus.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
References
Timeline
Related Vulnerabilities
| CVE | CVSS | Summary | Relation |
|---|---|---|---|
| CVE-2026-10561 | 10.0 | Langflow: auth bypass + unauthenticated RCE (CVSS 10) | Same package: langflow |
| CVE-2026-55255 | 9.9 | Langflow: IDOR allows cross-user flow execution | Same package: langflow |
| CVE-2026-33309 | 9.9 | langflow: Path Traversal enables file access | Same package: langflow |
| CVE-2024-37014 | 9.8 | Langflow: unauthenticated RCE via custom component API | Same package: langflow |
| CVE-2026-33017 | 9.8 | langflow: Code Injection enables RCE | Same package: langflow |