CVE-2026-3341: Langflow: SSRF exposes internal ML infrastructure

MEDIUM
Published June 11, 2026
CISO Take

IBM Langflow Desktop versions 1.0.0 through 1.9.2 contain a server-side request forgery flaw (CWE-918) that lets an authenticated attacker direct the Langflow server to make arbitrary HTTP requests on its behalf. Langflow orchestrates LLM agent workflows and typically runs with broad internal network access — adjacent to vector databases, model inference endpoints, MLflow servers, and cloud workload metadata services — making SSRF here materially more dangerous than in a typical web application. There is no public exploit and the vulnerability is absent from CISA KEV, but the low attack complexity (AC:L) combined with Langflow's privileged network position means a compromised or insider account can pivot rapidly to internal ML infrastructure or cloud credentials via instance metadata services. Upgrade beyond version 1.9.2 per the IBM advisory, enforce IMDSv2 on all cloud hosts running Langflow, apply strict egress policies blocking link-local and RFC-1918 ranges, and audit Langflow service account permissions.

Sources: NVD, ATLAS, ibm.com

What is the risk?

CVSS 5.4 (Medium) understates environmental risk for organizations running Langflow adjacent to sensitive internal AI infrastructure. Authentication is required (PR:L), which limits opportunistic exploitation, but insider threat and credential compromise scenarios close that gap quickly. Langflow's design as an agent orchestration platform grants it HTTP connectivity to diverse internal services by design. Without network segmentation, SSRF can expose cloud metadata credentials via IMDSv1, internal API keys stored in adjacent services, and unprotected model inference APIs. No active exploitation or public PoC exists at publication time, but SSRF tooling is commodity and the technique is universally understood — the only friction is obtaining valid credentials.

How does the attack unfold?

  1. Initial Access (AML.T0012): Attacker obtains low-privilege Langflow credentials via credential stuffing, phishing, or a compromised developer workstation to meet the PR:L authentication requirement.

  2. SSRF Exploitation (AML.T0049): Attacker crafts a malicious HTTP request node or API call within Langflow that forces the authenticated server to issue arbitrary outbound HTTP requests to attacker-specified internal targets.

  3. Internal Reconnaissance (AML.T0006): SSRF is used to probe internal RFC-1918 address space and cloud metadata endpoints (169.254.169.254) to map internal ML infrastructure topology and retrieve attached IAM role credentials.

  4. AI Infrastructure Compromise (AML.T0085): Harvested cloud credentials or internal API tokens are leveraged to access model artifacts, training datasets, vector database contents, or proprietary fine-tuning data stored in adjacent ML infrastructure.

What systems are affected?

| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| Langflow | pip | | No patch |

Do you use Langflow? You're affected.

How severe is it?

CVSS 3.1: 5.4 / 10
EPSS: N/A
Exploitation Status: No known exploitation
Sophistication: Trivial

What is the attack surface?

AV: Network
AC: Low
PR: Low
UI: None
S: Unchanged
C: Low
I: Low
A: None

What should I do?

  1. Patch: Upgrade IBM Langflow Desktop beyond version 1.9.2 as soon as a fixed release is confirmed via https://www.ibm.com/support/pages/node/7275444.

  2. Egress policy: Apply strict outbound firewall rules on hosts running Langflow, blocking access to link-local ranges (169.254.0.0/16) and RFC-1918 subnets unless explicitly required for legitimate workflow targets.

  3. Cloud hardening: Enforce IMDSv2 (session-token-required) on all EC2/Azure/GCP instances running Langflow to neutralize metadata-service SSRF impact entirely.

  4. Least privilege: Scope Langflow service accounts and any API keys accessible from the Langflow host to the minimum required permissions; rotate credentials potentially reachable from the Langflow network segment.

  5. Detection: Monitor Langflow server outbound HTTP logs for requests targeting 169.254.169.254, internal RFC-1918 ranges, or unexpected external hosts; correlate anomalies with authenticated user sessions.
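
The detection in step 5, as an added example (not code from IBM, Langflow, or the original page): it classifies each outbound destination against the ranges named in steps 2 and 5 and groups hits by authenticated user. The log format, user names, allowlist and 10.20.0.x hosts are assumptions constructed for the sample.

```python
import ipaddress
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Ranges named in the advisory's egress-policy and detection steps.
METADATA_IP = ipaddress.ip_address("169.254.169.254")
LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Assumption: destinations this deployment's flows legitimately call.
ALLOWED_HOSTS = {"api.llm.example", "10.20.0.15"}
# Assumed (constructed) log format: "<timestamp> user=<name> <METHOD> <url>"
LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) [A-Z]+ (?P<url>\S+)$")

SAMPLE_LOG = """\
2026-06-11T09:00:01Z user=alice GET https://api.llm.example/v1/models
2026-06-11T09:00:07Z user=mallory GET http://169.254.169.254/latest/meta-data/iam/security-credentials/
2026-06-11T09:00:09Z user=mallory GET http://10.20.0.99:5000/
2026-06-11T09:00:12Z user=alice POST http://10.20.0.15:8000/v1/embeddings
2026-06-11T09:00:20Z user=bob GET https://files.unknown.example/data.csv
"""

def classify(url):
    """Return a finding label for a destination URL, or None if allowlisted."""
    host = urlsplit(url).hostname or ""
    if host in ALLOWED_HOSTS:
        return None
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "unexpected-host"  # a DNS name that is not on the allowlist
    if ip == METADATA_IP:
        return "cloud-metadata"
    if ip in LINK_LOCAL:
        return "link-local"
    if any(ip in net for net in RFC1918):
        return "rfc1918"
    return "unexpected-host"

def scan(log_text):
    """Group suspicious outbound requests by the authenticated user."""
    findings = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        label = classify(m["url"]) if m else None
        if label:
            findings[m["user"]].append((m["ts"], label, m["url"]))
    return dict(findings)

if __name__ == "__main__":
    for user, hits in scan(SAMPLE_LOG).items():
        print(user, hits)
```

A DNS name is only matched against the allowlist here; resolving names and classifying the resolved address is left to the egress proxy or firewall from step 2.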

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Article 9 - Risk management system
ISO 42001
Clause 9.1 - Monitoring, measurement, analysis and evaluation
NIST AI RMF
GOVERN-1.7 - Processes and practices are in place to monitor AI system behavior
OWASP LLM Top 10
LLM07 - Insecure Plugin Design

Frequently Asked Questions

What is CVE-2026-3341?

IBM Langflow Desktop versions 1.0.0 through 1.9.2 contain a server-side request forgery flaw (CWE-918) that lets an authenticated attacker direct the Langflow server to make arbitrary HTTP requests on its behalf. Langflow orchestrates LLM agent workflows and typically runs with broad internal network access — adjacent to vector databases, model inference endpoints, MLflow servers, and cloud workload metadata services — making SSRF here materially more dangerous than in a typical web application. There is no public exploit and the vulnerability is absent from CISA KEV, but the low attack complexity (AC:L) combined with Langflow's privileged network position means a compromised or insider account can pivot rapidly to internal ML infrastructure or cloud credentials via instance metadata services. Upgrade beyond version 1.9.2 per the IBM advisory, enforce IMDSv2 on all cloud hosts running Langflow, apply strict egress policies blocking link-local and RFC-1918 ranges, and audit Langflow service account permissions.

Is CVE-2026-3341 actively exploited?

No confirmed active exploitation of CVE-2026-3341 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-3341?

  1. Patch: Upgrade IBM Langflow Desktop beyond version 1.9.2 as soon as a fixed release is confirmed via https://www.ibm.com/support/pages/node/7275444.

  2. Egress policy: Apply strict outbound firewall rules on hosts running Langflow, blocking access to link-local ranges (169.254.0.0/16) and RFC-1918 subnets unless explicitly required for legitimate workflow targets.

  3. Cloud hardening: Enforce IMDSv2 (session-token-required) on all EC2/Azure/GCP instances running Langflow to neutralize metadata-service SSRF impact entirely.

  4. Least privilege: Scope Langflow service accounts and any API keys accessible from the Langflow host to the minimum required permissions; rotate credentials potentially reachable from the Langflow network segment.

  5. Detection: Monitor Langflow server outbound HTTP logs for requests targeting 169.254.169.254, internal RFC-1918 ranges, or unexpected external hosts; correlate anomalies with authenticated user sessions.

What systems are affected by CVE-2026-3341?

This vulnerability affects the following AI/ML architecture patterns: LLM agent frameworks, RAG pipelines, Model serving infrastructure, Cloud-hosted ML platforms, Internal AI API gateways.

What is the CVSS score for CVE-2026-3341?

CVE-2026-3341 has a CVSS v3.1 base score of 5.4 (MEDIUM).

What is the AI security impact?

Affected AI Architectures

LLM agent frameworks
RAG pipelines
Model serving infrastructure
Cloud-hosted ML platforms
Internal AI API gateways

MITRE ATLAS Techniques

AML.T0006 Active Scanning
AML.T0049 Exploit Public-Facing Application
AML.T0055 Unsecured Credentials
AML.T0075 Cloud Service Discovery
AML.T0085 Data from AI Services

Compliance Controls Affected

EU AI Act: Article 9
ISO 42001: Clause 9.1
NIST AI RMF: GOVERN-1.7
OWASP LLM Top 10: LLM07

What are the technical details?

Original Advisory

IBM Langflow Desktop 1.0.0 through 1.9.2 IBM Langflow is vulnerable to server-side request forgery (SSRF). This may allow an authenticated attacker to send unauthorized requests from the system, potentially leading to network enumeration or facilitating other attacks.

Exploitation Scenario

An attacker with a valid low-privilege Langflow account — obtained via credential stuffing against a developer's reused password or a phished session token — logs into Langflow Desktop and creates a new flow containing a custom HTTP request node configured to target http://169.254.169.254/latest/meta-data/iam/security-credentials/. The Langflow server, running on an EC2 instance with an attached IAM role, fulfills the forged request and returns temporary AWS credentials in the node output visible to the attacker. With those credentials the attacker accesses S3 buckets containing training data, proprietary model weights, or fine-tuning datasets — escalating a medium-severity authenticated SSRF into a full AI intellectual property theft scenario with no further exploitation complexity required.

Weaknesses (CWE)

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Timeline

Published
June 11, 2026
Last Modified
June 11, 2026
First Seen
June 11, 2026

Related Vulnerabilities