CVE-2026-8505: Langflow: webhook auth bypass enables unauth RCE

CRITICAL
Published July 17, 2026
CISO Take

Langflow's webhook endpoint skips API key validation whenever WEBHOOK_AUTH_ENABLE is left at its default value of False, so any remote attacker who simply learns a flow's UUID can trigger that flow's execution with the privileges of its owner. Because Langflow flows routinely wire together code nodes, shell components, and external tool calls, triggering a flow amounts to remote code execution on the host — and this requires no credentials, no user interaction, and only network access (CVSS 9.8, AV:N/AC:L/PR:N/UI:N). There is no EPSS data or public exploit/scanner coverage yet and it is not in CISA KEV, but the flaw is trivial to weaponize once a flow UUID leaks via logs, share links, referrer headers, or brute-force enumeration, and any internet-facing Langflow deployment running the default config is exposed today. Treat this as a P1: upgrade past 1.10.0 the moment IBM ships a fix, and in the meantime explicitly set WEBHOOK_AUTH_ENABLE=True and require API keys on every webhook, take internet-facing Langflow instances off the public internet or place them behind a reverse proxy/VPN with authentication, and audit access logs for webhook calls without valid API keys or from unfamiliar IPs.

Sources: NVD ibm.com ATLAS

What is the risk?

Critical. The combination of no authentication requirement, no user interaction, network-level access, and a default (insecure) configuration means the practical exploitability is very high despite the absence of a confirmed public exploit or KEV listing — this is a textbook 'insecure by default' flaw that automated scanners will find quickly once weaponized. Impact is full compromise of confidentiality, integrity, and availability (CVSS Impact C:H/I:H/A:H) because flow execution in Langflow can run arbitrary code paths, not just data queries. Any organization running Langflow OSS 1.0.0–1.10.0 with WEBHOOK_AUTH_ENABLE unset (the common case, since it's the default) should treat exposed instances as compromised-until-proven-otherwise.

How does the attack unfold?

Reconnaissance
Attacker locates an internet-facing Langflow instance and obtains or guesses a valid flow UUID (e.g., via leaked links, logs, or enumeration).
AML.T0006
Authentication Bypass
Attacker sends an unauthenticated request to the webhook endpoint referencing the flow UUID; Langflow skips API key validation because WEBHOOK_AUTH_ENABLE defaults to False.
AML.T0049
Flow Execution
The flow runs with the owner's privileges, executing any embedded code nodes, tool calls, or shell components defined in the flow.
Impact
Attacker achieves remote code execution on the Langflow host, enabling data theft, credential harvesting, or full system compromise.
AML.T0112

What systems are affected?

Package Ecosystem Vulnerable Range Patched
Langflow pip No patch
151.7K Pushed 5d ago 31% patched ~70d to patch Full package profile →

Do you use Langflow? You're affected.

How severe is it?

CVSS 3.1
9.8 / 10
EPSS
N/A
Exploitation Status
No known exploitation
Sophistication
Trivial

What is the attack surface?

AV AC PR UI S C I A
AV Network
AC Low
PR None
UI None
S Unchanged
C High
I High
A High

What should I do?

1 step
  1. 1) Patch: upgrade Langflow to a version beyond 1.10.0 once IBM/Langflow publishes a fix (track the referenced IBM support advisory). 2) Immediate workaround: explicitly set WEBHOOK_AUTH_ENABLE=True in the deployment configuration and enforce API key validation on all webhook-triggered flows — do not rely on the default. 3) Network hardening: remove Langflow instances from direct internet exposure; place them behind authenticated reverse proxies, VPNs, or IP allowlists. 4) Rotate and treat flow UUIDs as sensitive: avoid leaking them in logs, URLs, or client-side code, and rotate/recreate flows suspected of exposure. 5) Detection: audit webhook access logs for execution requests lacking valid API keys, unexpected source IPs, or execution of high-privilege flows outside normal business hours.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, Robustness and Cybersecurity
ISO 42001
A.8.2 - AI System Security Controls
NIST AI RMF
MEASURE 2.7 - AI system security and resilience are evaluated
OWASP LLM Top 10
LLM06 - Excessive Agency

Frequently Asked Questions

What is CVE-2026-8505?

Langflow's webhook endpoint skips API key validation whenever WEBHOOK_AUTH_ENABLE is left at its default value of False, so any remote attacker who simply learns a flow's UUID can trigger that flow's execution with the privileges of its owner. Because Langflow flows routinely wire together code nodes, shell components, and external tool calls, triggering a flow amounts to remote code execution on the host — and this requires no credentials, no user interaction, and only network access (CVSS 9.8, AV:N/AC:L/PR:N/UI:N). There is no EPSS data or public exploit/scanner coverage yet and it is not in CISA KEV, but the flaw is trivial to weaponize once a flow UUID leaks via logs, share links, referrer headers, or brute-force enumeration, and any internet-facing Langflow deployment running the default config is exposed today. Treat this as a P1: upgrade past 1.10.0 the moment IBM ships a fix, and in the meantime explicitly set WEBHOOK_AUTH_ENABLE=True and require API keys on every webhook, take internet-facing Langflow instances off the public internet or place them behind a reverse proxy/VPN with authentication, and audit access logs for webhook calls without valid API keys or from unfamiliar IPs.

Is CVE-2026-8505 actively exploited?

No confirmed active exploitation of CVE-2026-8505 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-8505?

1) Patch: upgrade Langflow to a version beyond 1.10.0 once IBM/Langflow publishes a fix (track the referenced IBM support advisory). 2) Immediate workaround: explicitly set WEBHOOK_AUTH_ENABLE=True in the deployment configuration and enforce API key validation on all webhook-triggered flows — do not rely on the default. 3) Network hardening: remove Langflow instances from direct internet exposure; place them behind authenticated reverse proxies, VPNs, or IP allowlists. 4) Rotate and treat flow UUIDs as sensitive: avoid leaking them in logs, URLs, or client-side code, and rotate/recreate flows suspected of exposure. 5) Detection: audit webhook access logs for execution requests lacking valid API keys, unexpected source IPs, or execution of high-privilege flows outside normal business hours.

What systems are affected by CVE-2026-8505?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, RAG pipelines.

What is the CVSS score for CVE-2026-8505?

CVE-2026-8505 has a CVSS v3.1 base score of 9.8 (CRITICAL).

What is the AI security impact?

Affected AI Architectures

agent frameworksRAG pipelines

MITRE ATLAS Techniques

AML.T0006 Active Scanning
AML.T0049 Exploit Public-Facing Application
AML.T0112 Machine Compromise

Compliance Controls Affected

EU AI Act: Article 15
ISO 42001: A.8.2
NIST AI RMF: MEASURE 2.7
OWASP LLM Top 10: LLM06

What are the technical details?

Original Advisory

IBM Langflow OSS 1.0.0 through 1.10.0 has a vulnerability in Langflow's webhook authentication logic allows unauthenticated users to trigger the execution of any flow. The system incorrectly bypasses API key validation when the WEBHOOK_AUTH_ENABLE configuration is set to False (which is the default setting). This allows a remote attacker who knows a flow's UUID to execute it as if they were the owner, potentially leading to Remote Code Execution (RCE).

Exploitation Scenario

An attacker scans the internet or reviews leaked documentation/logs/GitHub issues to find an exposed Langflow instance and a valid flow UUID (e.g., from a shared demo link, a misconfigured proxy, or a public repo referencing the endpoint). They send an unauthenticated POST request to the instance's webhook endpoint referencing that UUID. Because WEBHOOK_AUTH_ENABLE defaults to False, Langflow skips API key checks and executes the flow as if the legitimate owner triggered it. If the flow contains a code-execution node, shell wrapper, or a tool with filesystem/network access, the attacker achieves remote code execution on the underlying host, enabling data exfiltration from connected RAG/vector stores, credential theft, or lateral movement into the broader environment.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Timeline

Published
July 17, 2026
Last Modified
July 17, 2026
First Seen
July 17, 2026

Related Vulnerabilities