CVE-2026-4503: Langflow Desktop: IDOR leaks user images unauthenticated

HIGH
Published April 30, 2026
CISO Take

IBM Langflow Desktop versions 1.0.0 through 1.8.4 contain an Insecure Direct Object Reference (CWE-639) that allows any unauthenticated network attacker to retrieve images belonging to other users simply by manipulating a user-controlled key in the request — no credentials required. This is particularly relevant for organizations using Langflow to build LLM workflows, as images may include pipeline diagrams, uploaded documents used as context, or visual outputs generated by AI agents, potentially exposing proprietary AI architecture or sensitive business data. While this CVE is not yet in CISA KEV and has no public exploit, its EPSS places it in the top 84th percentile for exploitation likelihood, and the zero-privilege, zero-interaction attack path (AV:N/AC:L/PR:N/UI:N) means any internet-facing Langflow instance is trivially at risk. Upgrade to a patched version when released, or immediately restrict Langflow Desktop to authenticated network segments; reference IBM advisory at ibm.com/support/pages/node/7271099.

Sources: NVD, EPSS, ATLAS, ibm.com

What is the risk?

The CVSS score of 7.5 (High) comes with the most permissive attack vector profile possible (network, low complexity, no privileges, no user interaction), which makes this flaw highly automatable. The confidentiality impact is high while integrity and availability are unaffected, consistent with a pure data-disclosure IDOR. The EPSS score of 0.00053, but in the top 84th percentile, indicates that the exploit pattern is straightforward relative to the CVE population. The SSVC decision of TRACK suggests that no immediate emergency patching is needed, but active monitoring is warranted. The primary risk amplifier is deployment exposure: Langflow instances accessible from untrusted networks are fully exploitable with a simple HTTP request.

How does the attack unfold?

  1. Target Identification (AML.T0006): Attacker discovers an internet-exposed Langflow Desktop instance via network scanning or search engine indexing of the application's default UI.

  2. IDOR Exploitation (AML.T0049): Unauthenticated attacker crafts HTTP requests to the image endpoint with enumerated or guessed user-controlled keys, bypassing all authorization checks.

  3. Systematic Enumeration: Attacker iterates through image keys to enumerate all accessible user images across the Langflow instance, building a complete inventory of exposed assets.

  4. Data Exfiltration (AML.T0025): Attacker downloads retrieved images containing AI workflow diagrams, proprietary prompts, and business data uploaded by other users, completing the breach.

What systems are affected?

Package | Ecosystem | Vulnerable Range | Patched
Langflow | pip | | No patch

Do you use Langflow? You're affected.

How severe is it?

CVSS 3.1: 7.5 / 10
EPSS: 0.3% chance of exploitation in 30 days (higher than 26% of all CVEs)
Exploitation Status: No known exploitation
Sophistication: Trivial

What is the attack surface?

AV: Network
AC: Low
PR: None
UI: None
S: Unchanged
C: High
I: None
A: None

What should I do?

5 steps
  1. Patch: Upgrade IBM Langflow Desktop beyond 1.8.4 as soon as IBM releases a fixed version; monitor IBM security advisory at ibm.com/support/pages/node/7271099 for patch availability.

  2. Network isolation: Place Langflow Desktop behind a VPN or firewall, restricting access to authenticated and authorized users only — never expose it directly to the internet.

  3. Detection: Review access logs for anomalous sequential or enumerated image ID requests from unauthenticated sources; flag requests to image endpoints that lack a valid session token.

  4. Audit: Identify which users and images may have been exposed if the instance was internet-facing; treat potentially viewed images as disclosed and notify affected users if data sensitivity warrants it.

  5. Compensating control: If patching is not immediately possible, implement authentication middleware (reverse proxy with auth) in front of the Langflow Desktop instance.
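Steps 3 and 4 can be run as a log query. The following is an added example, not code from IBM, Langflow or this page: it flags clients that were served several distinct image keys without a session cookie and returns those keys, which doubles as the exposure inventory for the audit step. The log layout (combined format with the Cookie header as a final quoted field), the `/images/<key>` path and the threshold are assumptions; the sample lines are constructed.

```python
import re
from collections import defaultdict

# Assumed layout: combined-format access log with the Cookie header appended
# as a final quoted field. The /images/<key> path is a hypothetical placeholder.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "GET (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*" "(?P<cookie>[^"]*)"$'
)
IMAGE_RE = re.compile(r'^/images/(?P<key>[^/?#]+)')


def find_enumeration(lines, min_distinct_keys=5):
    """Return {client_ip: sorted keys} for clients that were served at least
    min_distinct_keys different image keys without any session cookie."""
    keys_by_ip = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unparseable line or non-GET request
        img = IMAGE_RE.match(m["path"])
        if not img or m["cookie"] not in ("", "-"):
            continue  # not an image request, or it carried a session
        if m["status"] == "200":  # count only keys the server actually served
            keys_by_ip[m["ip"]].add(img["key"])
    return {ip: sorted(keys) for ip, keys in keys_by_ip.items()
            if len(keys) >= min_distinct_keys}


def _line(ip, key, cookie="-", status=200):
    """Build one constructed log line in the assumed layout."""
    return (f'{ip} - - [30/Apr/2026:10:00:00 +0000] "GET /images/{key} HTTP/1.1" '
            f'{status} 2048 "-" "curl/8.0" "{cookie}"')


# Constructed sample log (documentation-range addresses, made-up keys).
SAMPLE_LOG = (
    [_line("198.51.100.7", str(n)) for n in range(1001, 1009)]
    + [_line("192.0.2.10", "1003", cookie="session=abc"),
       _line("192.0.2.10", "1004", cookie="session=abc"),
       _line("203.0.113.5", "1001"),
       _line("203.0.113.5", "9999", status=404)]
)

if __name__ == "__main__":
    for ip, keys in find_enumeration(SAMPLE_LOG).items():
        print(f"{ip}: {len(keys)} image keys served without a session: {keys}")
```

Lowering `min_distinct_keys` to 1 lists every image served to any session-less client, which is the conservative set to treat as disclosed.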

What does CISA's SSVC say?

Decision: Track
Exploitation: none
Automatable: Yes
Technical Impact: partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act: Article 15 - Accuracy, robustness and cybersecurity
ISO 42001: A.6.2.6 - Access control for AI systems
NIST AI RMF: MANAGE 4.1 - Post-deployment incident response and recovery
OWASP LLM Top 10: LLM02:2025 - Sensitive Information Disclosure

Frequently Asked Questions

Is CVE-2026-4503 actively exploited?

No confirmed active exploitation of CVE-2026-4503 has been reported, but organizations should still patch proactively.

What systems are affected by CVE-2026-4503?

This vulnerability affects the following AI/ML architecture patterns: LLM workflow orchestration platforms, Agent frameworks, Multi-tenant AI development environments, Visual AI pipeline builders.

What is the CVSS score for CVE-2026-4503?

CVE-2026-4503 has a CVSS v3.1 base score of 7.5 (HIGH). The EPSS exploitation probability is 0.34%.

What is the AI security impact?

Affected AI Architectures

LLM workflow orchestration platforms, Agent frameworks, Multi-tenant AI development environments, Visual AI pipeline builders

MITRE ATLAS Techniques

AML.T0025 Exfiltration via Cyber Means
AML.T0035 AI Artifact Collection
AML.T0049 Exploit Public-Facing Application

Compliance Controls Affected

EU AI Act: Article 15
ISO 42001: A.6.2.6
NIST AI RMF: MANAGE 4.1
OWASP LLM Top 10: LLM02:2025

What are the technical details?

Original Advisory

IBM Langflow Desktop 1.0.0 through 1.8.4 Langflow could allow an unauthenticated user to view other users' images due to an indirect object reference through a user-controlled key.

Exploitation Scenario

An adversary conducting competitive intelligence against an organization's AI development team discovers a Langflow Desktop instance exposed on a non-standard port via Shodan or certificate transparency scanning. Without any credentials, the attacker sends requests to the image serving endpoint with incrementally enumerated or predictable user-controlled keys (e.g., numeric IDs or UUIDs). For each valid key, the server returns the corresponding user's image. The attacker systematically harvests all accessible images, recovering workflow diagrams that reveal the organization's LLM pipeline architecture, proprietary prompt templates visible in canvas screenshots, and sensitive documents uploaded as multimodal context for AI agents — all without triggering authentication alerts.

Weaknesses (CWE)

CWE-639 — Authorization Bypass Through User-Controlled Key: The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

  • [Architecture and Design] For each and every data access, ensure that the user has sufficient privilege to access the record that is being requested.
  • [Architecture and Design, Implementation] Make sure that the key that is used in the lookup of a specific user's record is not controllable externally by the user or that any tampering can be detected.

Source: MITRE CWE corpus.
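The two mitigations above, shown beside the vulnerable pattern as an added example (not Langflow's code; the store, user names, function names and secret are hypothetical, and the data is constructed): an ownership check on every access, and an HMAC-tagged reference so that a tampered key is detected.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-secret"  # assumption: server-side key, never sent to clients

# Constructed store: image key -> (owner, bytes).
IMAGES = {"1001": ("alice", b"alice-diagram"), "1002": ("bob", b"bob-upload")}


def get_image_vulnerable(key):
    """CWE-639 shape: the caller-supplied key is the only thing consulted."""
    return IMAGES[key][1]


def get_image_checked(session_user, key):
    """Mitigation 1: every access compares the record owner with the
    authenticated caller; unknown and foreign keys fail the same way."""
    record = IMAGES.get(key)
    if session_user is None or record is None or record[0] != session_user:
        raise PermissionError("not found or not permitted")
    return record[1]


def _tag(user, key):
    # Assumes user names contain no ':' so the user/key split is unambiguous.
    return hmac.new(SECRET, f"{user}:{key}".encode(), hashlib.sha256).hexdigest()


def sign_ref(user, key):
    """Mitigation 2: issue a reference whose tag binds the key to one user."""
    return f"{key}.{_tag(user, key)}"


def get_image_signed(session_user, ref):
    """Reject a reference whose key was altered or that was issued to another
    user, then still apply the ownership check."""
    key, _, tag = ref.rpartition(".")
    if not hmac.compare_digest(tag.encode(), _tag(session_user, key).encode()):
        raise PermissionError("reference was tampered with")
    return get_image_checked(session_user, key)


def is_denied(fn, *args):
    """Demo helper: True if the call raises PermissionError."""
    try:
        fn(*args)
    except PermissionError:
        return True
    return False
```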

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Timeline

Published: April 30, 2026
Last Modified: June 12, 2026
First Seen: April 30, 2026
