CVE-2026-7664: Langflow: auth bypass in MCP endpoint, CVSS 9.8

CRITICAL
Published June 22, 2026
CISO Take

IBM Langflow OSS versions 1.0.0 through 1.8.4 contain a critical authorization flaw in the Streamable MCP transport endpoint that allows any unauthenticated network attacker to access protected MCP project resources and execute MCP operations without credentials. The CVSS 9.8 score reflects the worst-case exploitability profile — no authentication, no user interaction, no special conditions — meaning any internet-exposed Langflow instance is trivially reachable by an unskilled attacker; the package also carries 56 prior CVEs, signaling a pattern of recurring security debt rather than an isolated incident. Langflow is widely deployed as an MCP orchestration layer in enterprise AI agent pipelines, so successful exploitation can grant an adversary full control over AI workflows, all connected tool calls, and the data transiting through them — including credentials stored in project configurations. Organizations should upgrade immediately per the IBM advisory at ibm.com/support/pages/node/7277243 and, as an interim control, restrict the MCP transport endpoint to authenticated internal networks or VPN.

Sources: NVD, ibm.com, ATLAS

What is the risk?

CRITICAL. CVSS 9.8 with AV:N/AC:L/PR:N/UI:N is the most exploitable attack profile possible — remote, zero-click, zero-credential. The Streamable MCP transport endpoint is typically internet-facing by design in cloud and SaaS Langflow deployments. No public exploit or Nuclei scanner template is confirmed yet, so exploitation remains opportunistic, but the low complexity means any attacker with basic HTTP tooling can exploit it without AI/ML knowledge. The package risk score of 77/100 and 56 prior CVEs reinforce systemic quality concerns. Not yet in CISA KEV, but the characteristics — unauthenticated network access, full C/I/A impact — make KEV inclusion likely if active exploitation is observed.

How does the attack unfold?

  1. Initial Access (AML.T0049)

    Attacker identifies an internet-exposed Langflow instance and sends unauthenticated HTTP requests to the Streamable MCP transport endpoint, bypassing authorization enforcement entirely.

  2. Discovery (AML.T0084)

    With unrestricted access granted by the vulnerable endpoint, attacker enumerates all MCP project resources — mapping tool definitions, connected system endpoints, data sources, and stored credentials.

  3. Execution (AML.T0053)

    Attacker invokes MCP operations to trigger AI agent tool calls — executing code on connected interpreters, querying databases, reading files, or calling external APIs available to the agent.

  4. Impact (AML.T0086)

    Attacker exfiltrates sensitive data from connected AI services and downstream systems, corrupts agent workflows, or uses harvested credentials for lateral movement beyond the Langflow deployment.

What systems are affected?

Package: Langflow
Ecosystem: pip
Vulnerable Range: (none listed)
Patched: No patch

Do you use Langflow? You're affected.

How severe is it?

CVSS 3.1: 9.8 / 10
EPSS: N/A
Exploitation Status: No known exploitation
Sophistication: Trivial

What is the attack surface?

AV: Network
AC: Low
PR: None
UI: None
S: Unchanged
C: High
I: High
A: High

What should I do?

  1. PATCH

    Upgrade Langflow OSS beyond version 1.8.4 immediately per IBM advisory https://www.ibm.com/support/pages/node/7277243 — confirm the specific patched version with IBM before deploying.

  2. ISOLATE

    If patching is not immediately possible, restrict the Streamable MCP transport endpoint (typically /api/v1/mcp or similar path) behind authentication middleware, a reverse proxy requiring valid credentials, or a network perimeter control (VPN, firewall allowlist).

  3. DETECT

    Audit web server access logs for unauthenticated requests to MCP transport paths — flag any requests without Authorization headers hitting /mcp endpoints, especially from external IPs. Alert on anomalous MCP operation volumes.

  4. AUDIT EXPOSURE WINDOW

    Treat any Langflow deployment that was internet-accessible during the vulnerable period as fully compromised — review what MCP operations were executed and which resources were accessed.

  5. ROTATE CREDENTIALS

    Rotate all API keys, database credentials, and secrets referenced in Langflow MCP project configurations, as these must be assumed exfiltrated.
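
The DETECT step above, sketched as an added example (not code from IBM, Langflow or this advisory). Common access-log formats do not record whether an Authorization header was sent, so the script assumes a reverse proxy that writes JSON lines with a hypothetical "auth_present" flag; the field names, the internal network list and the volume threshold are assumptions, and the sample log is constructed.

```python
import ipaddress
import json
from collections import Counter

# Assumptions: the reverse proxy in front of Langflow writes JSON-lines logs
# with these field names; "auth_present" is true when the request carried an
# Authorization header (log presence only, never the header value).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "127.0.0.0/8")]
VOLUME_THRESHOLD = 3  # assumed per-source alert threshold; tune to your baseline

# Constructed sample log (documentation-range addresses), not real traffic.
SAMPLE_LOG = """\
{"ts":"2026-06-20T10:01:02Z","src":"10.0.4.17","path":"/api/v1/mcp","status":200,"auth_present":true}
{"ts":"2026-06-20T10:03:40Z","src":"203.0.113.50","path":"/api/v1/mcp","status":200,"auth_present":false}
{"ts":"2026-06-20T10:03:41Z","src":"203.0.113.50","path":"/api/v1/mcp?x=1","status":200,"auth_present":false}
{"ts":"2026-06-20T10:03:43Z","src":"203.0.113.50","path":"/api/v1/mcp","status":200,"auth_present":false}
{"ts":"2026-06-20T10:05:10Z","src":"198.51.100.7","path":"/api/v1/mcp","status":401,"auth_present":false}
{"ts":"2026-06-20T10:06:00Z","src":"10.0.4.22","path":"/api/v1/mcp","status":200,"auth_present":false}
{"ts":"2026-06-20T10:07:00Z","src":"203.0.113.50","path":"/health","status":200,"auth_present":false}
this line is truncated and not valid JSON
"""

def is_external(addr):
    ip = ipaddress.ip_address(addr)
    return not any(ip in net for net in INTERNAL_NETS)

def audit(log_text):
    """Return (findings, noisy_sources) for requests to MCP transport paths."""
    findings, per_src = [], Counter()
    for line in log_text.splitlines():
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines instead of aborting the audit
        path = rec["path"].split("?", 1)[0]
        if "mcp" not in path.split("/"):  # match /mcp as a whole path segment
            continue
        per_src[rec["src"]] += 1
        if rec["auth_present"]:
            continue
        served = 200 <= rec["status"] < 300  # 2xx: the request was answered
        external = is_external(rec["src"])
        severity = "high" if served and external else "medium" if served else "blocked"
        findings.append({"ts": rec["ts"], "src": rec["src"], "severity": severity})
    noisy = {s: n for s, n in per_src.items() if n >= VOLUME_THRESHOLD}
    return findings, noisy

if __name__ == "__main__":
    print(audit(SAMPLE_LOG))
```

A "high" finding is an unauthenticated MCP request from outside the internal ranges that received a 2xx response; "blocked" entries show the interim control from step 2 rejecting the request.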

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act: Article 15 - Accuracy, robustness and cybersecurity
ISO 42001: 6.1.2 - AI risk treatment
NIST AI RMF: GOVERN 1.1 - Policies and procedures for AI risk management
OWASP LLM Top 10: LLM06 - Excessive Agency

Frequently Asked Questions

Is CVE-2026-7664 actively exploited?

No confirmed active exploitation of CVE-2026-7664 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-7664?

  1. PATCH: Upgrade Langflow OSS beyond version 1.8.4 immediately per IBM advisory https://www.ibm.com/support/pages/node/7277243 — confirm the specific patched version with IBM before deploying.
  2. ISOLATE: If patching is not immediately possible, restrict the Streamable MCP transport endpoint (typically /api/v1/mcp or similar path) behind authentication middleware, a reverse proxy requiring valid credentials, or a network perimeter control (VPN, firewall allowlist).
  3. DETECT: Audit web server access logs for unauthenticated requests to MCP transport paths — flag any requests without Authorization headers hitting /mcp endpoints, especially from external IPs. Alert on anomalous MCP operation volumes.
  4. AUDIT EXPOSURE WINDOW: Treat any Langflow deployment that was internet-accessible during the vulnerable period as fully compromised — review what MCP operations were executed and which resources were accessed.
  5. ROTATE CREDENTIALS: Rotate all API keys, database credentials, and secrets referenced in Langflow MCP project configurations, as these must be assumed exfiltrated.

What systems are affected by CVE-2026-7664?

This vulnerability affects the following AI/ML architecture patterns: Agent frameworks, LLM orchestration pipelines, MCP-connected tool servers, RAG pipelines, Agentic workflows with external tool access.

What is the CVSS score for CVE-2026-7664?

CVE-2026-7664 has a CVSS v3.1 base score of 9.8 (CRITICAL).

What is the AI security impact?

Affected AI Architectures

  • Agent frameworks
  • LLM orchestration pipelines
  • MCP-connected tool servers
  • RAG pipelines
  • Agentic workflows with external tool access

MITRE ATLAS Techniques

AML.T0049 Exploit Public-Facing Application
AML.T0053 AI Agent Tool Invocation
AML.T0084 Discover AI Agent Configuration
AML.T0085 Data from AI Services
AML.T0086 Exfiltration via AI Agent Tool Invocation

Compliance Controls Affected

EU AI Act: Article 15
ISO 42001: 6.1.2
NIST AI RMF: GOVERN 1.1
OWASP LLM Top 10: LLM06

What are the technical details?

Original Advisory

IBM Langflow OSS 1.0.0 through 1.8.4 could allow unauthenticated attackers to access protected MCP project resources and execute MCP operations due to improper authorization enforcement in the Streamable MCP transport endpoint.

Exploitation Scenario

An adversary scans internet-facing hosts for Langflow instances on default ports (7860/TCP or behind common reverse proxies). Upon identifying a target running a vulnerable version, they send unauthenticated HTTP POST requests directly to the Streamable MCP transport endpoint. With authorization enforcement absent, the server returns MCP project resource listings — exposing tool definitions, connected endpoints, data source configurations, and stored secrets. The attacker then issues MCP operation commands to invoke available tools: querying connected databases, executing code via code interpreter tools, reading files from connected storage, or calling external APIs using harvested credentials. In an enterprise agentic deployment, this single unauthenticated endpoint provides a pivot point to every system the Langflow agent has tool access to, enabling full lateral movement without ever needing to compromise the underlying host directly.

Weaknesses (CWE)

CWE-287 — Improper Authentication: When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

  • [Architecture and Design] Use an authentication framework or library such as the OWASP ESAPI Authentication feature.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Timeline

Published: June 22, 2026
Last Modified: June 22, 2026
First Seen: June 22, 2026
