CVE-2026-7663: Unauthenticated Cross-User MCP Resource Access and Tool Execution via Streamable Transport Authorization Bypass
IBM Langflow OSS 1.0.0 through 1.9.6 could allow unauthenticated attackers to access protected MCP project resources and execute MCP operations due to improper authorization enforcement in the Streamable MCP transport endpoint.
Metrics
- CVSS v3.1: 9.1
- Severity: CRITICAL
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
An authentication bypass vulnerability in IBM Langflow OSS (versions 1.0.0 through 1.9.6) allows unauthenticated remote attackers to reach the Streamable MCP transport endpoint without presenting credentials. The flaw stems from improper authorization enforcement on that endpoint, meaning any attacker who can reach the service over the network can access protected MCP project resources and execute MCP operations across user accounts. Successful exploitation gives an attacker full read and write access to MCP resources, enabling cross-user data disclosure and unauthorized tool execution. No upstream fix is published yet; HarborGuard is tracking the advisory for patch availability.
HarborGuard Coverage
Detection of CVE-2026-7663 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against customer images, including custom-built images that bundle IBM Langflow OSS at any affected version up to 1.9.6.
Status: Available
Triage is available with the CVSS 3.1 score of 9.1 (Critical) surfaced automatically; per-environment compliance policy weighting is applied to prioritize or suppress the finding, and routing to the appropriate team inbox within each customer organization is supported out of the box.
Status: Available
Because no upstream fix version has been published, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment IBM publishes a remediated release. For customers who opt into auto-remediation, the rebuild, regression run, and PR against affected workloads will be triggered automatically as soon as a fix version is available.
Status: Pending upstream
Exploit Conditions
- Network reachability: Required
  The attacker must reach the Langflow OSS service over the network; the vulnerable Streamable MCP transport endpoint is exposed via standard HTTP, making any internet- or intranet-facing deployment a viable target.
- Authentication: Not required
  No credentials or account are needed; the authorization check on the affected endpoint is entirely absent, so an anonymous request is sufficient to access protected resources.
- Victim interaction: Not required
  No user action is required; the attacker sends requests directly to the endpoint without needing to trick or involve any legitimate user.
- Attack complexity: Detail
  Exploitation is reliable and condition-free, requiring no race conditions, memory layout knowledge, or other environmental prerequisites beyond network access.
Blast Radius
- Reads protected MCP project resources belonging to any user, including configuration data, stored prompts, and project-scoped secrets.
- Executes MCP operations on behalf of other users, allowing the attacker to invoke tools and workflows they do not own or have permission to use.
- Performs cross-user data access at scale, since the single unauthenticated endpoint exposes resources across all projects on the instance.
- Availability is not directly impacted per the CVSS vector, but unauthorized tool execution may produce side effects such as triggering downstream API calls or consuming rate-limited resources.
How HarborGuard Handles This
Available on HarborGuard: continuous monitoring of the CVE-2026-7663 advisory is active, with re-evaluation on every feed ingest cycle so that a patched-image rebuild becomes available automatically the moment IBM publishes a fix for Langflow OSS. Because no fix exists today, customers running affected versions (1.0.0 through 1.9.6) should consider compensating controls in the interim: network-policy isolation to restrict inbound access to the Streamable MCP transport endpoint to trusted IP ranges only; egress filtering to limit what the Langflow service can reach if an attacker does execute MCP operations; and, where the deployment model permits, feature-flag or configuration-level disabling of the Streamable MCP transport until an upstream patch is available. Where compliance policy permits auto-remediation, the full rebuild, regression run, and PR flow will trigger automatically as soon as a fix version is published upstream.
- IBM / Langflow OSS ≤ 1.9.6
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
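To check your own image inventory against the affected range stated above (1.0.0 through 1.9.6), the following added example classifies Langflow components found in a CycloneDX-style SBOM. It is not HarborGuard's matcher or Langflow project code; the component name `langflow`, the function names and the sample SBOM are assumptions constructed for illustration.

```python
import re

# Affected range as stated in the advisory above: 1.0.0 through 1.9.6, inclusive.
AFFECTED_MIN, AFFECTED_MAX = (1, 0, 0), (1, 9, 6)
PACKAGE = "langflow"  # assumption: component name as recorded in the SBOM

def parse_release(version):
    """Split '1.10.0rc1' into ((1, 10, 0), True); return None if no numeric release."""
    m = re.match(r"v?(\d+(?:\.\d+)*)(.*)$", version.strip())
    if not m:
        return None
    parts = tuple(int(p) for p in m.group(1).split("."))
    parts += (0,) * (3 - len(parts))  # pad '1.9' to (1, 9, 0)
    return parts, bool(m.group(2))

def classify(version):
    """Return 'affected', 'not-affected' or 'review' for one version string."""
    parsed = parse_release(version)
    if parsed is None:
        return "review"  # e.g. 'latest' or an empty field: cannot be ruled out
    release, has_suffix = parsed
    if not (AFFECTED_MIN <= release <= AFFECTED_MAX):
        return "not-affected"  # integer tuples, so 1.10.0 sorts above 1.9.6
    # A pre/post-release tag exactly on a boundary (1.0.0rc1, 1.9.6.post1)
    # may fall outside the stated range, so leave that to a human.
    if has_suffix and release in (AFFECTED_MIN, AFFECTED_MAX):
        return "review"
    return "affected"

def scan_sbom(sbom):
    """Return (purl, version, verdict) for each Langflow component in a CycloneDX-style dict."""
    findings = []
    for comp in sbom.get("components", []):
        if comp.get("name", "").lower() == PACKAGE:
            version = comp.get("version", "")
            findings.append((comp.get("purl", "?"), version, classify(version)))
    return findings

# Constructed sample SBOM fragment (not real scan output; versions are illustrative).
SAMPLE_SBOM = {"bomFormat": "CycloneDX", "components": [
    {"name": "langflow", "version": "1.9.6", "purl": "pkg:pypi/langflow@1.9.6"},
    {"name": "Langflow", "version": "1.10.0", "purl": "pkg:pypi/langflow@1.10.0"},
    {"name": "langflow", "version": "1.0.0rc1", "purl": "pkg:pypi/langflow@1.0.0rc1"},
    {"name": "fastapi", "version": "0.110.0", "purl": "pkg:pypi/fastapi@0.110.0"},
]}

if __name__ == "__main__":
    for purl, version, verdict in scan_sbom(SAMPLE_SBOM):
        print(f"{verdict:13} {version:10} {purl}")
```

Versions are compared as integer tuples because a plain string comparison would sort 1.10.0 below 1.9.6 and misreport it as inside the range.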