CVE-2026-6542: Langflow IDOR exposes cross-tenant

CISO Take

IBM Langflow OSS versions 1.0.0 through 1.8.4 contain a broken object-level authorization flaw (CWE-639) that lets any authenticated user read transaction logs and vertex build data—or delete that data—belonging to another user by simply supplying a different flow_id parameter. In multi-tenant Langflow deployments common across enterprise AI development platforms, this exposes proprietary AI pipeline designs, prompt chains, tool configurations, and LLM execution traces across tenant boundaries, representing meaningful IP theft and sabotage risk. With an EPSS percentile ranking in the top 92% of all CVEs and trivial exploitation requiring only a valid low-privilege account, the bar to abuse is effectively zero for any insider or post-compromise attacker. No public exploit exists and CISA classifies this as TRACK; organizations should apply the IBM patch per advisory 7270886 immediately and audit API access logs for anomalous flow_id enumeration patterns.

Sources: NVD EPSS ATLAS IBM Advisory (ibm.com/support/pages/node/7270886)

What is the risk?

Medium-High in multi-tenant environments. The CVSS 6.5 baseline undersells real-world risk in shared deployments—BOLA/IDOR vulnerabilities are routinely weaponized by insider threats and post-compromise lateral movers. Exploitation requires only a valid low-privilege account and the ability to enumerate or guess target flow_ids, with no authentication bypass or elevated privileges needed. EPSS top-92nd-percentile indicates elevated exploitation likelihood relative to the broader CVE population. Single-tenant or network-isolated deployments face substantially lower risk.

How does the attack unfold?

Initial Access

Adversary authenticates to the Langflow instance with any valid low-privilege user account obtained via credential stuffing, phishing, or insider access.

AML.T0012

Flow ID Enumeration

Adversary observes their own flow_id format in API requests and iterates through UUID space or sequential identifiers to discover flow_ids belonging to other users.

AML.T0006

Data Exfiltration

Adversary reads transaction logs and vertex build data of target flows, extracting AI pipeline designs, system prompts, tool credentials, and LLM execution traces.

AML.T0036

Pipeline Sabotage

Adversary deletes persisted vertex build data for targeted flows, causing silent production pipeline failures without needing elevated privileges.

AML.T0101

Initial Access

Adversary authenticates to the Langflow instance with any valid low-privilege user account obtained via credential stuffing, phishing, or insider access.

AML.T0012

Flow ID Enumeration

Adversary observes their own flow_id format in API requests and iterates through UUID space or sequential identifiers to discover flow_ids belonging to other users.

AML.T0006

Data Exfiltration

Adversary reads transaction logs and vertex build data of target flows, extracting AI pipeline designs, system prompts, tool credentials, and LLM execution traces.

AML.T0036

Pipeline Sabotage

Adversary deletes persisted vertex build data for targeted flows, causing silent production pipeline failures without needing elevated privileges.

AML.T0101

What systems are affected?

Package	Ecosystem	Vulnerable Range	Patched
Langflow	pip	—	No patch
149.9K Pushed 3d ago 40% patched ~67d to patch Full package profile →

Do you use Langflow? You're affected.

How severe is it?

CVSS 3.1

8.1 / 10

EPSS

0.2%

chance of exploitation in 30 days

Higher than 10% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

No known exploitation

Sophistication

Trivial

What is the attack surface?

AV Network

AC Low

PR Low

UI None

S Unchanged

C High

I High

A None

What should I do?

5 steps

Upgrade Langflow OSS to a patched version per IBM security advisory at ibm.com/support/pages/node/7270886.
If immediate patching is not feasible, restrict Langflow to single-user or network-isolated deployments and block API access from untrusted networks at the perimeter.
Audit API access logs for flow_id enumeration patterns—sequential UUIDs or high-frequency requests to flow transaction log endpoints from a single account are indicators of active exploitation.
Review whether transaction logs or vertex build data contain embedded secrets (API keys, credentials) that may now require rotation.
Enforce network segmentation so only authorized internal users can reach the Langflow API surface.

What does CISA's SSVC say?

Decision Track

Exploitation none

Automatable No

Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Data Extraction Privacy Violation Auth Bypass Framework Agent AML.T0035 - AI Artifact Collection AML.T0036 - Data from Information Repositories AML.T0049 - Exploit Public-Facing Application AML.T0085 - Data from AI Services AML.T0101 - Data Destruction via AI Agent Tool Invocation

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act

Article 10 - Data and Data Governance

ISO 42001

Clause 6.1 - Actions to Address AI Risks Clause 8.4 - AI System Operation — Data Protection

NIST AI RMF

GOVERN 1.1 - AI Risk Policies and Accountability MANAGE 2.2 - AI Risk Treatment and Response

OWASP LLM Top 10

LLM06 - Sensitive Information Disclosure

Frequently Asked Questions

What is CVE-2026-6542?

IBM Langflow OSS versions 1.0.0 through 1.8.4 contain a broken object-level authorization flaw (CWE-639) that lets any authenticated user read transaction logs and vertex build data—or delete that data—belonging to another user by simply supplying a different flow_id parameter. In multi-tenant Langflow deployments common across enterprise AI development platforms, this exposes proprietary AI pipeline designs, prompt chains, tool configurations, and LLM execution traces across tenant boundaries, representing meaningful IP theft and sabotage risk. With an EPSS percentile ranking in the top 92% of all CVEs and trivial exploitation requiring only a valid low-privilege account, the bar to abuse is effectively zero for any insider or post-compromise attacker. No public exploit exists and CISA classifies this as TRACK; organizations should apply the IBM patch per advisory 7270886 immediately and audit API access logs for anomalous flow_id enumeration patterns.

Is CVE-2026-6542 actively exploited?

No confirmed active exploitation of CVE-2026-6542 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-6542?

1. Upgrade Langflow OSS to a patched version per IBM security advisory at ibm.com/support/pages/node/7270886. 2. If immediate patching is not feasible, restrict Langflow to single-user or network-isolated deployments and block API access from untrusted networks at the perimeter. 3. Audit API access logs for flow_id enumeration patterns—sequential UUIDs or high-frequency requests to flow transaction log endpoints from a single account are indicators of active exploitation. 4. Review whether transaction logs or vertex build data contain embedded secrets (API keys, credentials) that may now require rotation. 5. Enforce network segmentation so only authorized internal users can reach the Langflow API surface.

What systems are affected by CVE-2026-6542?

This vulnerability affects the following AI/ML architecture patterns: LLM workflow builders, Multi-tenant AI platforms, Agent frameworks, Visual AI pipeline editors.

What is the CVSS score for CVE-2026-6542?

CVE-2026-6542 has a CVSS v3.1 base score of 8.1 (HIGH). The EPSS exploitation probability is 0.20%.

What is the AI security impact?

Affected AI Architectures

LLM workflow buildersMulti-tenant AI platformsAgent frameworksVisual AI pipeline editors

MITRE ATLAS Techniques

AML.T0035 AI Artifact Collection

AML.T0036 Data from Information Repositories

AML.T0049 Exploit Public-Facing Application

AML.T0085 Data from AI Services

AML.T0101 Data Destruction via AI Agent Tool Invocation

Compliance Controls Affected

EU AI Act: Article 10

ISO 42001: Clause 6.1, Clause 8.4

NIST AI RMF: GOVERN 1.1, MANAGE 2.2

OWASP LLM Top 10: LLM06

What are the technical details?

Original Advisory

IBM Langflow OSS 1.0.0 through 1.8.4 could allow any user to supply a flow_id to read transaction logs and vertex build data belonging to other users, and to delete persisted vertex build data for another user's flow.

Exploitation Scenario

An adversary with a standard Langflow user account—obtained via credential stuffing, phishing, or insider access—intercepts their own API request and observes the flow_id format. They then systematically enumerate adjacent UUIDs or use IDOR automation tooling against the flow transaction log and vertex build endpoints, iterating through other users' flow_ids with minimal effort. For each discovered flow, they extract vertex build data revealing the pipeline's system prompts, tool chains, API integrations, and LLM model configurations, effectively cloning a competitor's or colleague's AI product design. As a secondary action, they delete vertex build data for targeted flows, causing silent production failures that appear as application errors rather than security incidents.

Weaknesses (CWE)

CWE-639 Authorization Bypass Through User-Controlled Key Primary

CWE-639 — Authorization Bypass Through User-Controlled Key: The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

[Architecture and Design] For each and every data access, ensure that the user has sufficient privilege to access the record that is being requested.
[Architecture and Design, Implementation] Make sure that the key that is used in the lookup of a specific user's record is not controllable externally by the user or that any tampering can be detected.

Source: MITRE CWE corpus.