CVE-2026-7787: Langflow: IDOR bypasses auth, exposes sensitive AI configs

HIGH
Published June 11, 2026
CISO Take

IBM Langflow OSS versions 1.0.0 through 1.9.1 contain an insecure direct object reference flaw (CWE-639) that allows authenticated users to access or modify resources belonging to other users by manipulating object identifiers in API requests. With a CVSS score of 7.5 (High), network-accessible, low complexity, and no user interaction required, this is straightforward to exploit in any multi-user or shared Langflow deployment — and the real blast radius extends well beyond Langflow itself, since the platform stores embedded LLM API keys for providers like OpenAI and Anthropic inside user flow configurations. No public exploit or CISA KEV listing exists as of this writing, but the trivial exploitation complexity and high confidentiality impact mean that any internet-facing or multi-tenant Langflow instance should be treated as compromised until patched. Upgrade beyond version 1.9.1 immediately; if patching is not possible, restrict access to single-user or isolated network environments and rotate all LLM provider API keys stored within Langflow configurations.

Sources: NVD, ATLAS, ibm.com

What is the risk?

High risk for any multi-user or shared Langflow deployment. The network-accessible attack vector with low complexity, no privileges required (per CVSS vector), and no user interaction makes exploitation reliable and scriptable. The primary risk multiplier is that Langflow acts as a credential store for downstream LLM provider accounts — successful IDOR exploitation can cascade into unauthorized access to production OpenAI, Anthropic, or Azure OpenAI accounts, potentially enabling data exfiltration via LLM inference APIs and significant billing fraud. Single-user, network-isolated deployments have substantially reduced exposure.

How does the attack unfold?

  1. Initial Access (AML.T0012): Attacker obtains any valid authenticated session on a shared Langflow instance via self-registration, credential stuffing, or phishing of a low-privilege user.

  2. IDOR Exploitation (AML.T0049): Attacker manipulates flow, user, or resource object identifiers in Langflow API requests to enumerate and access objects belonging to other authenticated users.

  3. Credential Harvesting (AML.T0083): Attacker reads enumerated flow configurations and agent settings from other users, extracting embedded LLM provider API keys and sensitive pipeline data stored within Langflow objects.

  4. AI Infrastructure Abuse (AML.T0040): Attacker uses harvested LLM provider credentials to make unauthorized inference API calls, exfiltrate data from victim AI pipelines, or run expensive workloads billed to the victim's account.

What systems are affected?

Package Ecosystem Vulnerable Range Patched
Langflow pip No patch

Do you use Langflow? You're affected.

How severe is it?

CVSS 3.1: 7.5 / 10
EPSS: N/A
Exploitation Status: No known exploitation
Sophistication: Trivial

What is the attack surface?

AV: Network
AC: Low
PR: None
UI: None
S: Unchanged
C: High
I: None
A: None

What should I do?

  1. Upgrade IBM Langflow OSS to a fixed version beyond 1.9.1 as the primary remediation.

  2. If immediate patching is not feasible, restrict Langflow to single-user mode or place it behind a VPN or IP allowlist to eliminate network-level exposure.

  3. Rotate all LLM provider API keys (OpenAI, Anthropic, Azure OpenAI, etc.) stored in Langflow flow configurations as a precautionary measure, treating them as potentially compromised in any multi-user deployment on affected versions.

  4. Audit access logs for anomalous patterns indicating object ID enumeration — look for sequential or high-volume requests to flow or user resource endpoints with varying IDs from a single authenticated session.

  5. Implement object-level authorization checks at the application layer and conduct a code review of all API endpoints that accept user-supplied resource identifiers.
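
The object-level check from step 5, shown as an added example (not Langflow's code and not taken from the advisory): an unscoped lookup beside the owner-scoped read and write that replace it. The `flows` schema, the handler names and the placeholder key are hypothetical.

```python
import sqlite3
import uuid

# Hypothetical schema and handlers for illustration; not Langflow's code.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE flows (id TEXT PRIMARY KEY, owner_id TEXT, config TEXT)")
    return db

def create_flow(db, owner_id, config):
    flow_id = str(uuid.uuid4())
    db.execute("INSERT INTO flows VALUES (?, ?, ?)", (flow_id, owner_id, config))
    return flow_id

class NotFound(Exception):
    """Raised for both 'no such flow' and 'not yours' (maps to HTTP 404)."""

def get_flow_unscoped(db, current_user, flow_id):
    # CWE-639 pattern: the caller is authenticated, but the lookup trusts the
    # client-supplied ID and never compares the row's owner to current_user.
    row = db.execute("SELECT config FROM flows WHERE id = ?", (flow_id,)).fetchone()
    if row is None:
        raise NotFound(flow_id)
    return row[0]

def get_flow(db, current_user, flow_id):
    # Ownership is part of the query, so another user's row is never loaded.
    row = db.execute(
        "SELECT config FROM flows WHERE id = ? AND owner_id = ?",
        (flow_id, current_user),
    ).fetchone()
    if row is None:
        raise NotFound(flow_id)  # same answer whether missing or foreign
    return row[0]

def update_flow(db, current_user, flow_id, config):
    # Writes need the same scoping; rowcount shows whether anything matched.
    cur = db.execute(
        "UPDATE flows SET config = ? WHERE id = ? AND owner_id = ?",
        (config, flow_id, current_user),
    )
    if cur.rowcount == 0:
        raise NotFound(flow_id)

if __name__ == "__main__":
    db = make_db()
    fid = create_flow(db, "alice", '{"api_key": "PLACEHOLDER-not-a-real-key"}')
    print("unscoped read as bob:", get_flow_unscoped(db, "bob", fid))
    try: get_flow(db, "bob", fid)
    except NotFound: print("scoped read as bob: not found")
```

Returning the same not-found result for a missing and a foreign ID keeps the endpoint from confirming which identifiers exist.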

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act: Article 9 - Risk Management System
ISO 42001: A.6.1 - AI System Access Control
NIST AI RMF: GOVERN 1.7 - Processes for AI Risk Management
OWASP LLM Top 10: LLM06 - Sensitive Information Disclosure

Frequently Asked Questions

Is CVE-2026-7787 actively exploited?

No confirmed active exploitation of CVE-2026-7787 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-7787?

  1. Upgrade IBM Langflow OSS to a fixed version beyond 1.9.1 as the primary remediation.

  2. If immediate patching is not feasible, restrict Langflow to single-user mode or place it behind a VPN or IP allowlist to eliminate network-level exposure.

  3. Rotate all LLM provider API keys (OpenAI, Anthropic, Azure OpenAI, etc.) stored in Langflow flow configurations as a precautionary measure, treating them as potentially compromised in any multi-user deployment on affected versions.

  4. Audit access logs for anomalous patterns indicating object ID enumeration: look for sequential or high-volume requests to flow or user resource endpoints with varying IDs from a single authenticated session.

  5. Implement object-level authorization checks at the application layer and conduct a code review of all API endpoints that accept user-supplied resource identifiers.

What systems are affected by CVE-2026-7787?

This vulnerability affects the following AI/ML architecture patterns: LLM application builders, Agent frameworks, Multi-user AI development platforms, AI pipeline orchestration.

What is the CVSS score for CVE-2026-7787?

CVE-2026-7787 has a CVSS v3.1 base score of 7.5 (HIGH).

What is the AI security impact?

Affected AI Architectures

LLM application builders
Agent frameworks
Multi-user AI development platforms
AI pipeline orchestration

MITRE ATLAS Techniques

AML.T0012 Valid Accounts
AML.T0040 AI Model Inference API Access
AML.T0049 Exploit Public-Facing Application
AML.T0083 Credentials from AI Agent Configuration

Compliance Controls Affected

EU AI Act: Article 9
ISO 42001: A.6.1
NIST AI RMF: GOVERN 1.7
OWASP LLM Top 10: LLM06

What are the technical details?

Original Advisory

IBM Langflow OSS 1.0.0 through 1.9.1 could allow an authenticated user to read or modify sensitive information by bypassing authentication using insecure direct object references.

Exploitation Scenario

An attacker registers a legitimate low-privilege account on a shared Langflow instance or obtains credentials via credential stuffing against exposed instances. Using an authenticated session, the attacker crafts API requests to Langflow's flow management endpoints, iterating through numeric or UUID-based object IDs to retrieve other users' flow objects. Within minutes, they enumerate dozens of flow configurations belonging to other tenants and extract embedded OpenAI or Anthropic API keys stored in those pipelines. The attacker then uses those keys to make unauthorized LLM inference calls — either to exfiltrate sensitive data fed into the victim's AI pipelines, to run expensive workloads billed to the victim's account, or to pivot into broader cloud infrastructure if the extracted keys have broader scope than LLM-only access.
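
A defender's view of the enumeration described above, as an added example that is not part of the original page: it flags sessions that request many different flow or user IDs inside a short window. The log layout, the `/api/v1/...` path pattern, the thresholds and the sample lines are all assumptions constructed for the example; adapt them to the access log your deployment actually writes.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log layout (constructed): <ISO time> <session> <method> <path> <status>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<session>\S+) [A-Z]+ "
    r"/api/v1/(?:flows|users)/(?P<oid>[0-9a-fA-F-]+)(?:[/?]\S*)? \d{3}$"
)

def find_enumerating_sessions(lines, window=timedelta(minutes=5), max_distinct=5):
    """Map each session whose requests touched more than `max_distinct`
    different object IDs inside any `window` to that peak count."""
    events = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:  # other paths (assets, health checks) are ignored
            events[m["session"]].append((datetime.fromisoformat(m["ts"]), m["oid"]))
    flagged = {}
    for session, evs in events.items():
        evs.sort()
        start, peak, in_window = 0, 0, defaultdict(int)
        for ts, oid in evs:
            in_window[oid] += 1
            while ts - evs[start][0] > window:  # drop events older than window
                old = evs[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            peak = max(peak, len(in_window))
        if peak > max_distinct:
            flagged[session] = peak
    return flagged

# Constructed sample traffic, not real Langflow logs.
_T0 = datetime(2026, 6, 11, 9, 0, 0)
def _line(offset, session, n):
    oid = f"00000000-0000-4000-8000-{n:012d}"
    return f"{(_T0 + offset).isoformat()} {session} GET /api/v1/flows/{oid} 200"

SAMPLE_LOG = (
    # sess-a: one user re-opening the same flow
    [_line(timedelta(seconds=10 * i), "sess-a", 1) for i in range(10)]
    # sess-b: eight different IDs in under a minute
    + [_line(timedelta(seconds=5 * i), "sess-b", 100 + i) for i in range(8)]
    # sess-c: six different IDs spread over an hour
    + [_line(timedelta(minutes=12 * i), "sess-c", 200 + i) for i in range(6)]
)

if __name__ == "__main__":
    print(find_enumerating_sessions(SAMPLE_LOG))
```

Counting distinct IDs rather than looking for sequential ones keeps the check useful when identifiers are UUIDs; joining the flagged requests against object ownership, where the log or database allows it, separates cross-user access from a user browsing their own flows.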

Weaknesses (CWE)

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Timeline

Published: June 11, 2026
Last Modified: June 11, 2026
First Seen: June 11, 2026
