CVE-2026-8505: Langflow: webhook auth bypass enables unauth RCE
CRITICALLangflow's webhook endpoint skips API key validation whenever WEBHOOK_AUTH_ENABLE is left at its default value of False, so any remote attacker who simply learns a flow's UUID can trigger that flow's execution with the privileges of its owner. Because Langflow flows routinely wire together code nodes, shell components, and external tool calls, triggering a flow amounts to remote code execution on the host — and this requires no credentials, no user interaction, and only network access (CVSS 9.8, AV:N/AC:L/PR:N/UI:N). There is no EPSS data or public exploit/scanner coverage yet and it is not in CISA KEV, but the flaw is trivial to weaponize once a flow UUID leaks via logs, share links, referrer headers, or brute-force enumeration, and any internet-facing Langflow deployment running the default config is exposed today. Treat this as a P1: upgrade past 1.10.0 the moment IBM ships a fix, and in the meantime explicitly set WEBHOOK_AUTH_ENABLE=True and require API keys on every webhook, take internet-facing Langflow instances off the public internet or place them behind a reverse proxy/VPN with authentication, and audit access logs for webhook calls without valid API keys or from unfamiliar IPs.
What is the risk?
Critical. The combination of no authentication requirement, no user interaction, network-level access, and a default (insecure) configuration means the practical exploitability is very high despite the absence of a confirmed public exploit or KEV listing — this is a textbook 'insecure by default' flaw that automated scanners will find quickly once weaponized. Impact is full compromise of confidentiality, integrity, and availability (CVSS Impact C:H/I:H/A:H) because flow execution in Langflow can run arbitrary code paths, not just data queries. Any organization running Langflow OSS 1.0.0–1.10.0 with WEBHOOK_AUTH_ENABLE unset (the common case, since it's the default) should treat exposed instances as compromised-until-proven-otherwise.
How does the attack unfold?
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| Langflow | pip | — | No patch |
Do you use Langflow? You're affected.
How severe is it?
What is the attack surface?
What should I do?
1 step-
1) Patch: upgrade Langflow to a version beyond 1.10.0 once IBM/Langflow publishes a fix (track the referenced IBM support advisory). 2) Immediate workaround: explicitly set WEBHOOK_AUTH_ENABLE=True in the deployment configuration and enforce API key validation on all webhook-triggered flows — do not rely on the default. 3) Network hardening: remove Langflow instances from direct internet exposure; place them behind authenticated reverse proxies, VPNs, or IP allowlists. 4) Rotate and treat flow UUIDs as sensitive: avoid leaking them in logs, URLs, or client-side code, and rotate/recreate flows suspected of exposure. 5) Detection: audit webhook access logs for execution requests lacking valid API keys, unexpected source IPs, or execution of high-privilege flows outside normal business hours.
How is it classified?
Which compliance frameworks are affected?
This CVE is relevant to:
Frequently Asked Questions
What is CVE-2026-8505?
Langflow's webhook endpoint skips API key validation whenever WEBHOOK_AUTH_ENABLE is left at its default value of False, so any remote attacker who simply learns a flow's UUID can trigger that flow's execution with the privileges of its owner. Because Langflow flows routinely wire together code nodes, shell components, and external tool calls, triggering a flow amounts to remote code execution on the host — and this requires no credentials, no user interaction, and only network access (CVSS 9.8, AV:N/AC:L/PR:N/UI:N). There is no EPSS data or public exploit/scanner coverage yet and it is not in CISA KEV, but the flaw is trivial to weaponize once a flow UUID leaks via logs, share links, referrer headers, or brute-force enumeration, and any internet-facing Langflow deployment running the default config is exposed today. Treat this as a P1: upgrade past 1.10.0 the moment IBM ships a fix, and in the meantime explicitly set WEBHOOK_AUTH_ENABLE=True and require API keys on every webhook, take internet-facing Langflow instances off the public internet or place them behind a reverse proxy/VPN with authentication, and audit access logs for webhook calls without valid API keys or from unfamiliar IPs.
Is CVE-2026-8505 actively exploited?
No confirmed active exploitation of CVE-2026-8505 has been reported, but organizations should still patch proactively.
How to fix CVE-2026-8505?
1) Patch: upgrade Langflow to a version beyond 1.10.0 once IBM/Langflow publishes a fix (track the referenced IBM support advisory). 2) Immediate workaround: explicitly set WEBHOOK_AUTH_ENABLE=True in the deployment configuration and enforce API key validation on all webhook-triggered flows — do not rely on the default. 3) Network hardening: remove Langflow instances from direct internet exposure; place them behind authenticated reverse proxies, VPNs, or IP allowlists. 4) Rotate and treat flow UUIDs as sensitive: avoid leaking them in logs, URLs, or client-side code, and rotate/recreate flows suspected of exposure. 5) Detection: audit webhook access logs for execution requests lacking valid API keys, unexpected source IPs, or execution of high-privilege flows outside normal business hours.
What systems are affected by CVE-2026-8505?
This vulnerability affects the following AI/ML architecture patterns: agent frameworks, RAG pipelines.
What is the CVSS score for CVE-2026-8505?
CVE-2026-8505 has a CVSS v3.1 base score of 9.8 (CRITICAL).
What is the AI security impact?
Affected AI Architectures
MITRE ATLAS Techniques
AML.T0006 Active Scanning AML.T0049 Exploit Public-Facing Application AML.T0112 Machine Compromise Compliance Controls Affected
What are the technical details?
Original Advisory
IBM Langflow OSS 1.0.0 through 1.10.0 has a vulnerability in Langflow's webhook authentication logic allows unauthenticated users to trigger the execution of any flow. The system incorrectly bypasses API key validation when the WEBHOOK_AUTH_ENABLE configuration is set to False (which is the default setting). This allows a remote attacker who knows a flow's UUID to execute it as if they were the owner, potentially leading to Remote Code Execution (RCE).
Exploitation Scenario
An attacker scans the internet or reviews leaked documentation/logs/GitHub issues to find an exposed Langflow instance and a valid flow UUID (e.g., from a shared demo link, a misconfigured proxy, or a public repo referencing the endpoint). They send an unauthenticated POST request to the instance's webhook endpoint referencing that UUID. Because WEBHOOK_AUTH_ENABLE defaults to False, Langflow skips API key checks and executes the flow as if the legitimate owner triggered it. If the flow contains a code-execution node, shell wrapper, or a tool with filesystem/network access, the attacker achieves remote code execution on the underlying host, enabling data exfiltration from connected RAG/vector stores, credential theft, or lateral movement into the broader environment.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H References
Timeline
Related Vulnerabilities
CVE-2026-10561 10.0 Langflow: auth bypass + unauthenticated RCE (CVSS 10)
Same package: langflow CVE-2026-10134 10.0 Langflow: unauthenticated RCE via tool_code injection
Same package: langflow CVE-2026-33309 9.9 langflow: Path Traversal enables file access
Same package: langflow CVE-2026-55255 9.9 Langflow: IDOR allows cross-user flow execution
Same package: langflow CVE-2026-7873 9.9 Langflow: authenticated RCE enables credential theft
Same package: langflow