CVE-2026-6599: Langflow: MCP config injection via X-Forwarded-For header

GHSA-v66p-f7x3-4794 MEDIUM CISA: TRACK*
Published April 20, 2026
CISO Take

CVE-2026-6599 is an injection vulnerability in Langflow's Model Context Protocol configuration API where the X-Forwarded-For header is not properly sanitized in the get_client_ip/install_mcp_config functions, enabling any low-privilege authenticated user to inject malicious input into MCP server configuration logic. Despite the medium CVSS score of 6.3, this sits in the top 86th EPSS percentile and the CVE description confirms a public exploit exists via GitHub gist — critically, the vendor has not responded and no patch exists for versions up to 1.8.3. The MCP attack surface is particularly high-stakes: a successful injection could register an adversary-controlled MCP server, turning every AI agent in the Langflow deployment into an unwitting executor of attacker-crafted tool responses. Immediate action should include WAF rules stripping or normalizing X-Forwarded-For headers before reaching Langflow, restricting MCP configuration API endpoints to trusted networks, and auditing existing MCP server registrations for unauthorized entries.

Sources: NVD, EPSS, ATLAS, GitHub Advisory

What is the risk?

Risk is elevated beyond the medium CVSS rating due to the combination of no available patch for affected versions, a public PoC exploit, Track* SSVC classification, and the strategic position of the MCP configuration API as a trust boundary between AI agents and external tools. Low privileges required (PR:L) means any authenticated Langflow user — including developers and contributors in shared environments — can attempt exploitation, significantly expanding the attack surface in multi-tenant deployments. The package carries a risk score of 77/100 with 40 known CVEs, indicating a persistent pattern of security deficiencies. For organizations running Langflow as their primary AI agent builder, this represents a structural risk to the entire agentic workflow layer.

How does the attack unfold?

Initial Access (AML.T0049): An authenticated low-privilege attacker sends a crafted HTTP request to the Langflow MCP configuration API with a manipulated X-Forwarded-For header containing an injection payload.
Exploitation: Improper neutralization in get_client_ip processes the malicious header value, bypassing IP-based access controls or injecting attacker-controlled data into the MCP server registration logic.
Persistence (AML.T0081): The attacker registers an adversary-controlled MCP server URL in Langflow's configuration, which persists in the database and affects all subsequent agent sessions.
Impact (AML.T0053): AI agents invoking MCP tools connect to the rogue server, exposing them to crafted tool responses, prompt injections, context exfiltration, and unauthorized actions within the agent's permission scope.

What systems are affected?

Package: Langflow
Ecosystem: pip
Vulnerable range: <= 1.8.3
Patched: No patch
Package stats: 149.9K, pushed 2d ago, 40% patched, ~67d to patch

Do you use Langflow? You're affected.

How severe is it?

CVSS 3.1
6.3 / 10
EPSS
0.2%
chance of exploitation in 30 days
Higher than 14% of all CVEs
Exploitation Status
Exploit Available
Exploitation: MEDIUM
Sophistication
Moderate
Exploitation Confidence
medium
CISA SSVC: Public PoC
Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

CVSS 3.1 base metrics:
AV (Attack Vector): Network
AC (Attack Complexity): Low
PR (Privileges Required): Low
UI (User Interaction): None
S (Scope): Unchanged
C (Confidentiality): Low
I (Integrity): Low
A (Availability): Low

What should I do?

6 steps
  1. PATCH

    No official patch available — monitor Langflow releases actively and upgrade immediately when a fixed version is published.

  2. IMMEDIATE WORKAROUND

    Configure reverse proxy or WAF to strip and normalize X-Forwarded-For headers before they reach Langflow, preventing header injection into get_client_ip.

  3. RESTRICT ENDPOINT

    If MCP integration is not actively required, disable or block access to /api/v1/mcp_projects endpoints at the network layer.

  4. NETWORK SEGMENTATION

    Restrict Langflow API access to trusted internal networks and avoid exposing MCP configuration endpoints to the public internet or untrusted users.

  5. AUDIT

    Immediately review existing MCP server registrations in all Langflow deployments for unauthorized or unexpected external host entries.

  6. MONITOR

    Enable structured logging on Langflow API endpoints; alert on anomalous X-Forwarded-For header values and unexpected changes to MCP configuration.
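The following is an added example, not Langflow's code and not part of the original advisory, showing what steps 2 and 6 above look like when implemented at the reverse proxy and in log review. The advisory does not describe the exact injection mechanics, so the code only demonstrates the generic controls: accept an X-Forwarded-For header only when every hop is a syntactically valid IP address, resolve the client address from the rightmost hop that is not a trusted proxy (so a client cannot forge its address by prepending hops), and flag requests to the MCP configuration endpoint whose header would have been rejected. The endpoint path comes from the advisory; the JSON-per-line log format, the proxy address 10.0.0.5, the hop and length limits, and the log lines themselves are constructed for this example.

```python
"""Normalize X-Forwarded-For at the proxy and scan logs for rejected values.

Added example; not Langflow's code. The log format, trusted proxy address
and limits below are assumptions made for illustration.
"""
import ipaddress
import json
from typing import Dict, List, Optional

MAX_HOPS = 8            # assumption: longer proxy chains are treated as anomalous
MAX_HEADER_LEN = 256    # assumption: conservative cap on header length
MCP_CONFIG_PREFIX = "/api/v1/mcp_projects"   # endpoint named in the advisory
TRUSTED_PROXIES = frozenset({"10.0.0.5"})    # constructed: our own reverse proxy


def reject_reason(value: str) -> Optional[str]:
    """Return why a header value must be dropped, or None if it is acceptable."""
    if not value.strip():
        return "empty header"
    if len(value) > MAX_HEADER_LEN:
        return "header too long"
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in value):
        return "control characters"
    tokens = [t.strip() for t in value.split(",")]
    if len(tokens) > MAX_HOPS:
        return "too many hops"
    for tok in tokens:
        try:
            ipaddress.ip_address(tok)       # every hop must parse as an IP
        except ValueError:
            return f"non-IP hop {tok!r}"
    return None


def normalize_xff(value: Optional[str]) -> Optional[List[str]]:
    """Return the hop list in canonical form, or None when the header must be dropped.

    Dropping the whole header on any defect is safer than forwarding a
    partially cleaned value to the application behind the proxy.
    """
    if value is None or reject_reason(value) is not None:
        return None
    return [str(ipaddress.ip_address(t.strip())) for t in value.split(",")]


def client_ip(remote_addr: str, xff: Optional[str], trusted: frozenset) -> str:
    """Rightmost-untrusted-hop resolution.

    remote_addr is the only address we observed ourselves. The header is
    honoured only when the peer is one of our trusted proxies; then we walk
    the chain from the right, skipping trusted proxies, and the first
    untrusted address is the client. Anything further left is unverified.
    """
    hops = normalize_xff(xff) if remote_addr in trusted else None
    if hops is None:
        return remote_addr
    for hop in reversed(hops):
        if hop not in trusted:
            return hop
    return remote_addr


# Constructed sample log records (not real Langflow logs).
_RECORDS = [
    {"ts": "2026-04-21T10:00:01Z", "remote_addr": "10.0.0.5", "path": "/api/v1/mcp_projects", "xff": "203.0.113.7"},
    {"ts": "2026-04-21T10:00:02Z", "remote_addr": "10.0.0.5", "path": "/api/v1/flows", "xff": "198.51.100.9, 10.0.0.5"},
    {"ts": "2026-04-21T10:00:03Z", "remote_addr": "10.0.0.5", "path": "/api/v1/mcp_projects", "xff": "203.0.113.7, not-an-ip"},
    {"ts": "2026-04-21T10:00:04Z", "remote_addr": "10.0.0.5", "path": "/api/v1/mcp_projects", "xff": ", ".join(["192.0.2.1"] * 20)},
    {"ts": "2026-04-21T10:00:05Z", "remote_addr": "10.0.0.5", "path": "/api/v1/mcp_projects", "xff": ""},
]
SAMPLE_LOG_LINES = [json.dumps(r) for r in _RECORDS]


def scan_log(lines: List[str], trusted: frozenset) -> List[Dict[str, str]]:
    """Flag MCP-configuration requests whose X-Forwarded-For would be rejected."""
    findings = []
    for line in lines:
        rec = json.loads(line)
        if not rec["path"].startswith(MCP_CONFIG_PREFIX) or "xff" not in rec:
            continue
        reason = reject_reason(rec["xff"])
        if reason is not None:
            findings.append({
                "ts": rec["ts"],
                "client": client_ip(rec["remote_addr"], rec["xff"], trusted),
                "reason": reason,
            })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG_LINES, TRUSTED_PROXIES):
        print(f"{f['ts']} client={f['client']} rejected X-Forwarded-For: {f['reason']}")
```

Run as a script it prints one alert per flagged record; in the sample data the valid request passes and the three defective headers on the MCP configuration path are reported, each attributed to the proxy address because the header itself could not be trusted for client resolution. The same reject_reason check, placed in the proxy configuration, is what keeps such values from reaching get_client_ip at all.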

What does CISA's SSVC say?

Decision Track*
Exploitation poc
Automatable No
Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Art. 15 - Accuracy, robustness and cybersecurity
ISO 42001
A.6.2.6 - AI system security
NIST AI RMF
MANAGE 2.4 - Mechanisms to sustain oversight of deployed AI systems
OWASP LLM Top 10
LLM07:2025 - System Prompt Leakage

Frequently Asked Questions

What is CVE-2026-6599?

CVE-2026-6599 is an injection vulnerability in Langflow's Model Context Protocol configuration API where the X-Forwarded-For header is not properly sanitized in the get_client_ip/install_mcp_config functions, enabling any low-privilege authenticated user to inject malicious input into MCP server configuration logic. Despite the medium CVSS score of 6.3, this sits in the top 86th EPSS percentile and the CVE description confirms a public exploit exists via GitHub gist — critically, the vendor has not responded and no patch exists for versions up to 1.8.3. The MCP attack surface is particularly high-stakes: a successful injection could register an adversary-controlled MCP server, turning every AI agent in the Langflow deployment into an unwitting executor of attacker-crafted tool responses. Immediate action should include WAF rules stripping or normalizing X-Forwarded-For headers before reaching Langflow, restricting MCP configuration API endpoints to trusted networks, and auditing existing MCP server registrations for unauthorized entries.

Is CVE-2026-6599 actively exploited?

No confirmed active exploitation of CVE-2026-6599 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-6599?

1. PATCH: No official patch available — monitor Langflow releases actively and upgrade immediately when a fixed version is published. 2. IMMEDIATE WORKAROUND: Configure reverse proxy or WAF to strip and normalize X-Forwarded-For headers before they reach Langflow, preventing header injection into get_client_ip. 3. RESTRICT ENDPOINT: If MCP integration is not actively required, disable or block access to /api/v1/mcp_projects endpoints at the network layer. 4. NETWORK SEGMENTATION: Restrict Langflow API access to trusted internal networks and avoid exposing MCP configuration endpoints to the public internet or untrusted users. 5. AUDIT: Immediately review existing MCP server registrations in all Langflow deployments for unauthorized or unexpected external host entries. 6. MONITOR: Enable structured logging on Langflow API endpoints; alert on anomalous X-Forwarded-For header values and unexpected changes to MCP configuration.

What systems are affected by CVE-2026-6599?

This vulnerability affects the following AI/ML architecture patterns: Agent frameworks, MCP-connected AI agents, LLM orchestration pipelines, Visual AI workflow builders, Multi-tool agentic applications.

What is the CVSS score for CVE-2026-6599?

CVE-2026-6599 has a CVSS v3.1 base score of 6.3 (MEDIUM). The EPSS exploitation probability is 0.23%.

What is the AI security impact?

Affected AI Architectures

Agent frameworks, MCP-connected AI agents, LLM orchestration pipelines, Visual AI workflow builders, Multi-tool agentic applications

MITRE ATLAS Techniques

AML.T0010.005 AI Agent Tool
AML.T0049 Exploit Public-Facing Application
AML.T0053 AI Agent Tool Invocation
AML.T0081 Modify AI Agent Configuration

Compliance Controls Affected

EU AI Act: Art. 15
ISO 42001: A.6.2.6
NIST AI RMF: MANAGE 2.4
OWASP LLM Top 10: LLM07:2025

What are the technical details?

Original Advisory

A vulnerability was detected in langflow-ai langflow up to 1.8.3. The impacted element is the function get_client_ip/install_mcp_config of the file src/backend/base/langflow/api/v1/mcp_projects.py of the component Model Context Protocol Configuration API. Performing a manipulation of the argument X-Forwarded-For results in injection. The attack may be initiated remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Exploitation Scenario

An attacker with a low-privilege Langflow account — such as a developer with basic platform access — crafts an API request to the install_mcp_config endpoint containing a manipulated X-Forwarded-For header with an injection payload. Exploiting the improper neutralization in get_client_ip, the attacker either bypasses IP-based access restrictions to access privileged configuration features or injects a malicious MCP server URL into the agent's tool configuration. Once the rogue MCP server is registered, any AI agent in Langflow invoking MCP tools will establish a connection to the attacker's controlled server. The attacker's server returns crafted tool responses embedding prompt injections, exfiltrates sensitive data passed through agent context windows, or instructs the agent to execute destructive or unauthorized operations against systems the agent has legitimate access to.

Weaknesses (CWE)

CWE-707 — Improper Neutralization: The product does not ensure or incorrectly ensures that structured messages or data are well-formed and that certain security properties are met before being read from an upstream component or sent to a downstream component.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Timeline

Published
April 20, 2026
Last Modified
April 28, 2026
First Seen
April 20, 2026
