CVE-2026-9103: Langflow: unauth request grants superuser token

CRITICAL
Published July 17, 2026
CISO Take

IBM Langflow's /api/v1/login/auto_login endpoint hands out long-lived superuser bearer tokens to anyone who asks, no credentials required, because the AUTO_LOGIN setting is enabled by default in every OSS deployment from 1.0.0 to 1.10.0. Any network attacker who can reach the instance gets full administrative control over the platform in a single unauthenticated request (CVSS 9.8, AV:N/AC:L/PR:N/UI:N), and permissive CORS settings compound the exposure by letting those tokens leak to untrusted origins in browser-based attacks. This is not a novel AI attack technique — it's a textbook broken-authentication bug (CWE-306) sitting in front of an AI orchestration platform that typically holds embedded LLM API keys, connected data sources, and executable agent flows. There is no EPSS or KEV signal yet since this was just published, but the trivial exploitability and default-on misconfiguration make it a prime target for opportunistic internet scanning. Patch to a fixed IBM Langflow release immediately, or at minimum set AUTO_LOGIN=false and take internet-facing instances off public exposure until patched, then rotate any credentials stored in Langflow flows and lock down CORS to trusted origins.

Sources: NVD ATLAS ibm.com

What is the risk?

Critical. Exploitation requires no authentication, no user interaction, and low complexity — a single crafted HTTP request to a known endpoint yields a superuser token. Because AUTO_LOGIN is enabled by default, most out-of-the-box Langflow deployments are vulnerable unless an operator explicitly disabled it. Combined with permissive CORS, the flaw also enables token theft via malicious web content against admins browsing while authenticated. The absence of a public exploit or Nuclei template today does not reduce urgency: the endpoint and behavior are now public knowledge in the advisory, and mass scanning for exposed Langflow instances is a realistic near-term threat given the framework's popularity for building AI agents and RAG pipelines.

How does the attack unfold?

Initial Access
Attacker sends an unauthenticated request to the public-facing /api/v1/login/auto_login endpoint on an internet-exposed Langflow instance.
AML.T0049
Credential Access
The endpoint issues a long-lived superuser bearer token without any credential verification because AUTO_LOGIN is enabled by default.
AML.T0091.000
Privilege Abuse
Attacker uses the superuser token to access admin APIs, enumerate flows, and extract embedded LLM/API credentials.
AML.T0084
Impact
Attacker modifies agent flows to add code-execution components or exfiltrates data, achieving full compromise of the Langflow instance and connected systems.
AML.T0081

What systems are affected?

Package Ecosystem Vulnerable Range Patched
Langflow pip No patch
151.7K Pushed 5d ago 33% patched ~70d to patch Full package profile →

Do you use Langflow? You're affected.

How severe is it?

CVSS 3.1
9.8 / 10
EPSS
N/A
Exploitation Status
No known exploitation
Sophistication
Trivial

What is the attack surface?

AV AC PR UI S C I A
AV Network
AC Low
PR None
UI None
S Unchanged
C High
I High
A High

What should I do?

1 step
  1. 1) Upgrade to the IBM-patched Langflow release referenced in the vendor advisory (https://www.ibm.com/support/pages/node/7278926) as soon as it is available. 2) Immediately set AUTO_LOGIN=false in any internet-facing or otherwise untrusted-network deployment — this closes the unauthenticated token issuance path even before patching. 3) Restrict network exposure of the Langflow admin/API surface to trusted internal networks or VPN; do not expose it directly to the internet. 4) Tighten CORS configuration to an explicit allowlist of trusted origins rather than wildcard/permissive settings. 5) Rotate all credentials and API keys stored within Langflow flows, since any prior exposure window may already have leaked a superuser token. 6) Detection: audit access logs for calls to /api/v1/login/auto_login from unexpected source IPs, and review admin-level actions (flow edits, user/API-key creation) for anomalies in the affected window.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, robustness and cybersecurity
ISO 42001
A.6.2.6 - Security of AI systems
OWASP LLM Top 10
LLM06:2025 - Excessive Agency

Frequently Asked Questions

What is CVE-2026-9103?

IBM Langflow's /api/v1/login/auto_login endpoint hands out long-lived superuser bearer tokens to anyone who asks, no credentials required, because the AUTO_LOGIN setting is enabled by default in every OSS deployment from 1.0.0 to 1.10.0. Any network attacker who can reach the instance gets full administrative control over the platform in a single unauthenticated request (CVSS 9.8, AV:N/AC:L/PR:N/UI:N), and permissive CORS settings compound the exposure by letting those tokens leak to untrusted origins in browser-based attacks. This is not a novel AI attack technique — it's a textbook broken-authentication bug (CWE-306) sitting in front of an AI orchestration platform that typically holds embedded LLM API keys, connected data sources, and executable agent flows. There is no EPSS or KEV signal yet since this was just published, but the trivial exploitability and default-on misconfiguration make it a prime target for opportunistic internet scanning. Patch to a fixed IBM Langflow release immediately, or at minimum set AUTO_LOGIN=false and take internet-facing instances off public exposure until patched, then rotate any credentials stored in Langflow flows and lock down CORS to trusted origins.

Is CVE-2026-9103 actively exploited?

No confirmed active exploitation of CVE-2026-9103 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-9103?

1) Upgrade to the IBM-patched Langflow release referenced in the vendor advisory (https://www.ibm.com/support/pages/node/7278926) as soon as it is available. 2) Immediately set AUTO_LOGIN=false in any internet-facing or otherwise untrusted-network deployment — this closes the unauthenticated token issuance path even before patching. 3) Restrict network exposure of the Langflow admin/API surface to trusted internal networks or VPN; do not expose it directly to the internet. 4) Tighten CORS configuration to an explicit allowlist of trusted origins rather than wildcard/permissive settings. 5) Rotate all credentials and API keys stored within Langflow flows, since any prior exposure window may already have leaked a superuser token. 6) Detection: audit access logs for calls to /api/v1/login/auto_login from unexpected source IPs, and review admin-level actions (flow edits, user/API-key creation) for anomalies in the affected window.

What systems are affected by CVE-2026-9103?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, RAG pipelines, LLM orchestration/framework platforms.

What is the CVSS score for CVE-2026-9103?

CVE-2026-9103 has a CVSS v3.1 base score of 9.8 (CRITICAL).

What is the AI security impact?

Affected AI Architectures

agent frameworksRAG pipelinesLLM orchestration/framework platforms

MITRE ATLAS Techniques

AML.T0049 Exploit Public-Facing Application
AML.T0081 Modify AI Agent Configuration
AML.T0084 Discover AI Agent Configuration
AML.T0091.000 Application Access Token

Compliance Controls Affected

EU AI Act: Article 15
ISO 42001: A.6.2.6
OWASP LLM Top 10: LLM06:2025

What are the technical details?

Original Advisory

IBM Langflow OSS 1.0.0 through 1.10.0 could allow a remote attacker to gain unauthorized access due to improper authentication in the /api/v1/login/auto_login endpoint. The endpoint issues long-lived superuser bearer tokens without requiring authentication when the AUTO_LOGIN configuration is enabled (enabled by default), which may allow an unauthenticated network attacker to obtain full administrative access. Additionally, permissive cross-origin resource sharing (CORS) settings may allow tokens to be exposed to unintended origins, increasing the risk of unauthorized access.

Exploitation Scenario

An attacker scans the internet for exposed Langflow instances (default ports, common self-hosted deployment patterns) and sends a single unauthenticated GET/POST to /api/v1/login/auto_login. Because AUTO_LOGIN is on by default, the server responds with a valid, long-lived superuser bearer token with no credential check. The attacker uses that token to authenticate to the admin API, enumerate all configured flows, and extract embedded LLM provider API keys and connected data-source credentials. With superuser access, they modify an existing agent flow to add a code-execution or shell component, achieving remote code execution on the host and pivoting into connected cloud services or internal networks reachable from the Langflow server.

Weaknesses (CWE)

CWE-306 — Missing Authentication for Critical Function: The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.

  • [Architecture and Design] Divide the software into anonymous, normal, privileged, and administrative areas. Identify which of these areas require a proven user identity, and use a centralized authentication capability. Identify all potential communication channels, or other means of interaction with the software, to ensure that all channels are appropriately protected, including those channels that are assumed to be accessible only by authorized parties. Developers sometimes perform authentication at the primary channel, but open up a secondary channel that is assumed to be private. For example, a login mechanism may be listening on one network port, but after successful authentication, it may open up a second port where it waits for the connection, but avoids authentication because it assumes that only the authenticated party will connect to the port. In general, if the software or protocol allows a single session or user state to persist across multiple connections or channels, authentication and appropriate
  • [Architecture and Design] For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Timeline

Published
July 17, 2026
Last Modified
July 17, 2026
First Seen
July 17, 2026

Related Vulnerabilities