CVE-2026-6600: Langflow stored XSS — LOW

CISO Take

CVE-2026-6600 is a cross-site scripting flaw in Langflow's chat message editing React component (edit-message.tsx), affecting all versions through 1.8.3, where an authenticated low-privilege user can inject malicious JavaScript that executes in the browsers of other users who view the tampered message. Although the CVSS score is a modest 3.5, the EPSS data places this at the 92nd percentile across all CVEs by exploitation likelihood, and a public proof-of-concept has already been published — the vendor did not respond to the disclosure, leaving no official patch timeline. In multi-user Langflow deployments, which are the norm in enterprise AI development environments where teams share pipelines and chat sessions, successful exploitation could enable session token theft, API key harvesting from the browser, or injection of adversarial content into shared AI workflows. Organizations running Langflow 1.8.3 or earlier should upgrade immediately, enforce strict Content Security Policy headers, and restrict instance exposure to trusted network segments only.

Sources: NVD EPSS CISA KEV ATLAS

What is the risk?

Despite a CVSS 3.1 score of 3.5 (AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N), the real-world risk profile is materially higher than the base score suggests. A public exploit exists, the EPSS percentile sits in the 92nd percentile, and the vendor has not acknowledged the disclosure — meaning no official patch or remediation guidance is forthcoming. The low privileges required (any authenticated user) expands the attacker pool in shared Langflow environments. SSVC decision of TRACK_STAR reflects ongoing monitoring need. CWE-94 alongside CWE-79 hints at possible code injection beyond classic XSS, which warrants closer scrutiny of the component's rendering logic. The absence of a KEV listing and no available scanner template moderates the immediate operational urgency.

How does the attack unfold?

Initial Access

Attacker obtains a low-privilege Langflow account via credential stuffing, phishing, or use of a shared team credential to authenticate to the target instance.

AML.T0012

Injection

Attacker edits a chat message in a shared Langflow session and injects a malicious JavaScript payload through the vulnerable edit-message.tsx React component.

AML.T0049

Execution

A higher-privilege user opens the shared chat session, the browser renders the tampered message, and the injected script executes silently in their authenticated context.

AML.T0011

Impact

The script exfiltrates session tokens and LLM API keys, enabling session hijacking and full unauthorized access to AI pipelines, workflow configurations, and connected AI service credentials.

AML.T0025

Initial Access

Attacker obtains a low-privilege Langflow account via credential stuffing, phishing, or use of a shared team credential to authenticate to the target instance.

AML.T0012

Injection

Attacker edits a chat message in a shared Langflow session and injects a malicious JavaScript payload through the vulnerable edit-message.tsx React component.

AML.T0049

Execution

A higher-privilege user opens the shared chat session, the browser renders the tampered message, and the injected script executes silently in their authenticated context.

AML.T0011

Impact

The script exfiltrates session tokens and LLM API keys, enabling session hijacking and full unauthorized access to AI pipelines, workflow configurations, and connected AI service credentials.

AML.T0025

What systems are affected?

Package	Ecosystem	Vulnerable Range	Patched
Langflow	pip	—	No patch
149.9K Pushed 3d ago 40% patched ~67d to patch Full package profile →

Do you use Langflow? You're affected.

How severe is it?

CVSS 3.1

3.5 / 10

EPSS

0.2%

chance of exploitation in 30 days

Higher than 9% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

Exploit Available

Exploitation: MEDIUM

Sophistication

Trivial

Exploitation Confidence

medium

○ CISA SSVC: Public PoC

Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

AV Network

AC Low

PR Low

UI Required

S Unchanged

C None

I Low

A None

What should I do?

6 steps

Upgrade Langflow above version 1.8.3 — monitor the official GitHub repository for a patched release given the vendor's non-response to disclosure.
Implement a Content Security Policy header (script-src 'self') on the Langflow host to significantly limit XSS blast radius even if the payload fires.
Restrict Langflow instance access to internal networks or VPNs — do not expose the UI publicly.
Rotate any LLM API keys and OAuth tokens accessible from sessions on potentially affected instances.
If immediate upgrade is not possible, deploy a WAF rule to inspect and block script-containing payloads in the chat message edit API endpoint.
Enable egress monitoring on the Langflow host to detect unexpected outbound data exfiltration following potential XSS exploitation.

What does CISA's SSVC say?

Decision Track*

Exploitation poc

Automatable No

Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Code Execution Data Extraction Framework Agent AML.T0011 - User Execution AML.T0025 - Exfiltration via Cyber Means AML.T0049 - Exploit Public-Facing Application AML.T0077 - LLM Response Rendering

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act

Article 15 - Accuracy, Robustness and Cybersecurity

ISO 42001

A.6.2.3 - Information security for AI systems

NIST AI RMF

MANAGE-2.2 - Mechanisms are in place and applied to sustain the value of deployed AI systems

OWASP LLM Top 10

LLM05 - Improper Output Handling

Frequently Asked Questions

What is CVE-2026-6600?

CVE-2026-6600 is a cross-site scripting flaw in Langflow's chat message editing React component (edit-message.tsx), affecting all versions through 1.8.3, where an authenticated low-privilege user can inject malicious JavaScript that executes in the browsers of other users who view the tampered message. Although the CVSS score is a modest 3.5, the EPSS data places this at the 92nd percentile across all CVEs by exploitation likelihood, and a public proof-of-concept has already been published — the vendor did not respond to the disclosure, leaving no official patch timeline. In multi-user Langflow deployments, which are the norm in enterprise AI development environments where teams share pipelines and chat sessions, successful exploitation could enable session token theft, API key harvesting from the browser, or injection of adversarial content into shared AI workflows. Organizations running Langflow 1.8.3 or earlier should upgrade immediately, enforce strict Content Security Policy headers, and restrict instance exposure to trusted network segments only.

Is CVE-2026-6600 actively exploited?

No confirmed active exploitation of CVE-2026-6600 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-6600?

1. Upgrade Langflow above version 1.8.3 — monitor the official GitHub repository for a patched release given the vendor's non-response to disclosure. 2. Implement a Content Security Policy header (script-src 'self') on the Langflow host to significantly limit XSS blast radius even if the payload fires. 3. Restrict Langflow instance access to internal networks or VPNs — do not expose the UI publicly. 4. Rotate any LLM API keys and OAuth tokens accessible from sessions on potentially affected instances. 5. If immediate upgrade is not possible, deploy a WAF rule to inspect and block script-containing payloads in the chat message edit API endpoint. 6. Enable egress monitoring on the Langflow host to detect unexpected outbound data exfiltration following potential XSS exploitation.

What systems are affected by CVE-2026-6600?

This vulnerability affects the following AI/ML architecture patterns: LLM application builders, AI agent frameworks, Shared AI development environments, Multi-user LLM pipeline platforms.

What is the CVSS score for CVE-2026-6600?

CVE-2026-6600 has a CVSS v3.1 base score of 3.5 (LOW). The EPSS exploitation probability is 0.19%.

What is the AI security impact?

Affected AI Architectures

LLM application buildersAI agent frameworksShared AI development environmentsMulti-user LLM pipeline platforms

MITRE ATLAS Techniques

AML.T0011 User Execution

AML.T0025 Exfiltration via Cyber Means

AML.T0049 Exploit Public-Facing Application

AML.T0077 LLM Response Rendering

Compliance Controls Affected

EU AI Act: Article 15

ISO 42001: A.6.2.3

NIST AI RMF: MANAGE-2.2

OWASP LLM Top 10: LLM05

What are the technical details?

Original Advisory

A flaw has been found in langflow-ai langflow up to 1.8.3. This affects an unknown function of the file src/frontend/src/modals/IOModal/components/chatView/chatMessage/components/edit-message.tsx of the component Frontend React Component Rendering. Executing a manipulation can lead to cross site scripting. The attack may be launched remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Exploitation Scenario

An attacker with a low-privilege Langflow account — obtained via phishing, credential stuffing, or a shared team login — navigates to a shared chat session and edits a message, injecting a JavaScript payload (e.g., a fetch call that sends document.cookie to an attacker-controlled endpoint). When a team lead or administrator opens the chat session to review work, the browser renders the manipulated message and the script executes silently. The attacker captures the session token and authenticates as the privileged user, gaining full access to all Langflow pipelines, connected LLM API keys, and workflow configurations. In a worst-case scenario, the attacker modifies prompt templates across pipelines to include backdoored instructions or exfiltrates the entire workflow graph for competitive intelligence.

Weaknesses (CWE)

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Primary CWE-94 Improper Control of Generation of Code ('Code Injection') Primary

CWE-79 — Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'): The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

[Architecture and Design] Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid [REF-1482]. Examples of libraries and frameworks that make it easier to generate properly encoded output include Microsoft's Anti-XSS library, the OWASP ESAPI Encoding module, and Apache Wicket.
[Implementation, Architecture and Design] Understand the context in which your data will be used and the encoding that will be expected. This is especially important when transmitting data between different components, or when generating outputs that can contain multiple encodings at the same time, such as web pages or multi-part mail messages. Study all expected communication protocols and data representations to determine the required encoding strategies. For any data that will be output to another web page, especially any data that was received from external inputs, use the appropriate encoding on all non-alphanumeric characters. Parts of the same output document may require different encodings, which will vary depending on whether the output is in the: etc. Note that HTML Entity Encoding is only appropriate for the HTML body. Consult the XSS Prevention Cheat Sheet [REF-724] for more details on the types of encoding and escaping that are needed. HTML body Element attributes (such as src="XYZ") URIs JavaScript sections Casca

Source: MITRE CWE corpus.