CRITICAL · CVE-2026-7664 · CNA: ibm

CVE-2026-7664: Unauthenticated Flow Execution via Webhook Endpoint in Langflow OSS

IBM Langflow OSS 1.0.0 through 1.8.4 could allow unauthenticated attackers to access protected MCP project resources and execute MCP operations due to improper authorization enforcement in the Streamable MCP transport endpoint.

Metrics

  • CVSS v3.1 base score: 9.8
  • Severity: CRITICAL
  • Fixed in: no fixed version published upstream
  • Affected products: 1


HarborGuard Analysis

Synopsis

An improper-authorization flaw in IBM Langflow OSS versions 1.0.0 through 1.8.4 lets unauthenticated remote attackers reach protected MCP (Model Context Protocol) project resources and execute MCP operations through the Streamable MCP transport endpoint. The flaw is reachable over the network, needs no credentials and no user interaction, and carries the maximum impact rating on confidentiality, integrity and availability of the affected service (CVSS v3.1 vector C:H/I:H/A:H). No fixed version has been published upstream; HarborGuard is tracking the advisory and will make a patched-image rebuild available when one is.

HarborGuard Coverage

Detection: Available

Detection is available across every HarborGuard environment. The CVE is ingested from upstream feeds within minutes of publication and matched against all customer images, including custom-built images that bundle IBM Langflow OSS, in both registry scans and active pipeline checks.
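The matching step described above, as an added example in Python (not HarborGuard's or Langflow's own code): a small version comparator that places each Langflow package version found in an image inventory inside or outside the advisory's range. The sample inventory rows are constructed, and the package name `langflow` is the PyPI distribution name, assumed here to be what an SBOM reports. Because no fixed version exists yet, a version above 1.8.4 is reported as "unlisted" rather than "fixed", which is the distinction a triage queue needs to keep until IBM publishes a fix.

```python
"""Match installed Langflow versions against the range this advisory lists.

Added example, not HarborGuard or Langflow code. The advisory gives the
affected range as 1.0.0 through 1.8.4 inclusive and no fixed version yet,
so a version above 1.8.4 is reported as "unlisted" (re-check when a fix
ships), never as "fixed".
"""
import re

AFFECTED_LOW = (1, 0, 0)   # first affected release (inclusive)
AFFECTED_HIGH = (1, 8, 4)  # last affected release (inclusive)

# Subset of PEP 440: optional leading 'v', MAJOR.MINOR.PATCH, optional
# pre-release tag (dev/a/b/rc) with a number. Post/local suffixes are rejected
# so an unrecognised string is reported instead of silently compared.
_VERSION_RE = re.compile(
    r"^v?(\d+)\.(\d+)\.(\d+)(?:[-.]?(dev|a|b|rc)\.?(\d+))?$", re.IGNORECASE
)
_PRE_RANK = {"dev": 0, "a": 1, "b": 2, "rc": 3}
_FINAL_RANK = 99  # a final release sorts after every pre-release of that number


def parse_version(text):
    """Return a sortable key (major, minor, patch, pre_rank, pre_number)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    major, minor, patch, tag, num = m.groups()
    if tag is None:
        return (int(major), int(minor), int(patch), _FINAL_RANK, 0)
    return (int(major), int(minor), int(patch), _PRE_RANK[tag.lower()], int(num))


def classify(version):
    """'affected', 'below-range' or 'unlisted' for one version string."""
    key = parse_version(version)
    low = AFFECTED_LOW + (_FINAL_RANK, 0)    # 1.0.0 final; 1.0.0rc1 sorts below it
    high = AFFECTED_HIGH + (_FINAL_RANK, 0)  # 1.8.4 final
    if key < low:
        return "below-range"
    if key <= high:
        return "affected"
    return "unlisted"


def scan(inventory, package="langflow"):
    """inventory: iterable of (image, package_name, version) rows, e.g. from
    an SBOM. Returns (image, version, verdict) for every row naming the package;
    a version that does not parse gets the verdict 'unparseable'."""
    findings = []
    for image, name, version in inventory:
        if name.lower() != package:
            continue
        try:
            verdict = classify(version)
        except ValueError:
            verdict = "unparseable"
        findings.append((image, version, verdict))
    return findings


# Constructed sample rows, not real scan output.
SAMPLE_INVENTORY = [
    ("registry.example/langflow:1.4.2", "langflow", "1.4.2"),
    ("registry.example/langflow:1.8.4", "langflow", "1.8.4"),
    ("registry.example/langflow:next", "langflow", "1.8.5rc1"),
    ("registry.example/langflow:old", "langflow", "1.0.0rc1"),
    ("registry.example/api:3.1", "fastapi", "0.115.0"),
]

if __name__ == "__main__":
    for image, version, verdict in scan(SAMPLE_INVENTORY):
        print(f"{verdict:12s} {version:10s} {image}")
```

The pre-release handling matters at both ends of the range: a `1.0.0rc1` build predates the first affected release, while a `1.8.5rc1` build is past the last listed one but has no published fix behind it, so it is flagged for manual review rather than cleared.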
Triage: Available

HarborGuard scores this CVE at 9.8 CRITICAL using the published CVSS v3.1 vector and surfaces it with the highest priority routing. Per-environment compliance policy weighting is applied automatically, directing alerts to the appropriate team inbox within each customer organization.
Patch: Pending upstream

No fix version has been published upstream. HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available at the fixed version as soon as IBM publishes one. For customers with auto-remediation enabled, the rebuilt image, regression-test run, and a PR opened against affected workloads will follow automatically once an upstream fix exists.

Exploit Conditions

  • Network reachability: Required

    The vulnerable endpoint is exposed over the network: an attacker needs only to be able to send HTTP requests to the Langflow MCP transport endpoint, from the internet or from any internal network path that reaches it.

  • Authentication: Not required

    No credentials of any kind are required; the flaw is an authorization bypass that lets completely unauthenticated requests succeed.

  • Victim interaction: Not required

    The attacker sends requests directly to the service endpoint and does not need any user to click a link, open a file, or take any other action.

  • Attack complexity: Low

    Exploitation is reliable and has no preconditions: there is no race to win and no dependence on memory layout or other environmental factors.
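The three conditions above (network reachable, no credentials, no interaction) are exactly what a one-request check can verify from outside. The following is an added example in Python, not HarborGuard's or Langflow's code: it sends a single unauthenticated MCP `initialize` request (the first message of any Streamable HTTP session, as defined by the MCP specification) and classifies the HTTP status, so that a deployment can assert in CI that its MCP transport refuses the handshake without credentials. The endpoint path is an input, because this page does not state it; supply the MCP transport URL of your own deployment. The `scripted_sender` and `refusing_sender` helpers are offline stand-ins for the real HTTP sender so the module runs without a server. A "gated" verdict only proves that the front door asks for credentials; an "exposed" verdict proves the handshake completed without them, not what an attacker could do afterwards.

```python
"""Check whether an MCP Streamable HTTP endpoint completes the protocol
handshake without credentials.

Added example, not HarborGuard or Langflow code. The endpoint URL is an
input: this page does not give the path, so pass the MCP transport URL of
your own deployment. No MCP tool or flow is invoked; only `initialize` is sent.
"""
import json
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Callable, Optional, Tuple

# Standard MCP initialize request; the protocol version is the Streamable HTTP
# revision of the MCP specification.
INITIALIZE = {
    "jsonrpc": "2.0",
    "id": 1,
    "method": "initialize",
    "params": {
        "protocolVersion": "2025-03-26",
        "capabilities": {},
        "clientInfo": {"name": "authz-probe", "version": "0.1"},
    },
}

Sender = Callable[[str, bytes, float], Tuple[int, bytes]]


@dataclass
class ProbeResult:
    url: str
    status: Optional[int]
    verdict: str  # gated | exposed | not-found | unreachable | unknown


def classify_status(status: int) -> str:
    """Map the HTTP status of an unauthenticated initialize to a verdict."""
    if status in (401, 403):
        return "gated"      # endpoint demanded credentials: the expected state
    if status == 404:
        return "not-found"  # transport not mounted at this path, or disabled
    if 200 <= status < 300:
        return "exposed"    # handshake accepted with no credentials at all
    return "unknown"        # other 4xx/5xx says nothing about authorization


def http_send(url: str, body: bytes, timeout: float) -> Tuple[int, bytes]:
    """Real sender: POST the JSON-RPC body with the Accept header the
    Streamable HTTP transport requires. HTTP error statuses are returned, not
    raised; connection failures surface as ConnectionError."""
    req = urllib.request.Request(
        url,
        data=body,
        method="POST",
        headers={
            "Content-Type": "application/json",
            "Accept": "application/json, text/event-stream",
        },
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as e:
        return e.code, e.read()
    except urllib.error.URLError as e:
        raise ConnectionError(str(e.reason)) from e


def scripted_sender(status: int) -> Sender:
    """Offline stand-in for http_send that answers with a fixed status."""
    return lambda url, body, timeout: (status, b"")


def refusing_sender(reason: str = "connection refused") -> Sender:
    """Offline stand-in that fails like a closed port or a network-policy drop."""
    def _send(url, body, timeout):
        raise ConnectionError(reason)
    return _send


def probe(url: str, send: Sender = http_send, timeout: float = 5.0) -> ProbeResult:
    body = json.dumps(INITIALIZE).encode()
    try:
        status, _ = send(url, body, timeout)
    except ConnectionError:
        return ProbeResult(url, None, "unreachable")
    return ProbeResult(url, status, classify_status(status))


def endpoint_is_gated(url: str, send: Sender = http_send) -> bool:
    """Single boolean for a CI gate: True only when the server refused the
    unauthenticated handshake outright."""
    return probe(url, send).verdict == "gated"


if __name__ == "__main__":
    import sys
    # Placeholder target; replace with your deployment's MCP transport URL.
    target = sys.argv[1] if len(sys.argv) > 1 else "http://127.0.0.1:7860/REPLACE-WITH-MCP-PATH"
    print(probe(target))
```

Run it from a network position that should not have access (a pod outside the allowed set, a host outside the trusted segment) as well as from one that should: the first should come back "unreachable" or "gated", the second "gated" until a fixed version is deployed.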

Blast Radius

  • Reads protected MCP project resources, including any data, model configurations, or credentials stored within reachable projects.
  • Executes the MCP operations those projects expose, allowing an attacker to invoke, modify, or delete workflows and pipeline components without authorization.
  • Modifies or destroys persisted project state, corrupting Langflow flows or overwriting stored configurations.
  • Disrupts availability of the Langflow service by triggering resource-exhausting or destructive MCP operations.

How HarborGuard Handles This

Detection for CVE-2026-7664 is active on HarborGuard now against all images running IBM Langflow OSS 1.0.0 through 1.8.4. Because no upstream fix has been published, HarborGuard monitors the IBM advisory on every ingest cycle and will surface a patched-image rebuild automatically when a fix version is released; for customers with auto-remediation enabled, that release triggers a rebuild, regression-test run, and a PR opened against affected workloads. Until a fix exists, recommended compensating controls are:

  • Network policy: restrict inbound access to the Langflow MCP transport endpoint to trusted sources only. A pod-level or host-level policy does not help if the same endpoint is also published through an ingress controller or load balancer that untrusted networks can reach, so check the full ingress path.
  • Egress filtering: limit where a Langflow instance can connect, so that an attacker who does reach the endpoint cannot freely exfiltrate data or pivot further.
  • Feature gating: disable the Streamable MCP transport via configuration or feature flag if your deployment does not require it.
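One concrete form of the first control, as an added example that is not HarborGuard's or Langflow's own configuration: a Kubernetes NetworkPolicy that only admits traffic to the Langflow pods from a labelled set of client pods, and only lets the pods themselves reach cluster DNS. Everything about the deployment is assumed here: the namespace `langflow`, the pod label `app=langflow`, the client label `role=langflow-client`, the `k8s-app=kube-dns` label on the DNS pods, and port 7860 (Langflow's default listening port; confirm yours). Adjust before applying.

```yaml
# Added example, not from HarborGuard or Langflow. Assumed labels, namespace
# and port are noted above; adjust them to your deployment.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: langflow-restrict-ingress
  namespace: langflow
spec:
  podSelector:
    matchLabels:
      app: langflow
  policyTypes:
    - Ingress
    - Egress
  ingress:
    # Only pods carrying role=langflow-client in this namespace may reach the
    # Langflow listener (assumed port 7860); everything else, including the
    # MCP transport endpoint served on the same port, is dropped.
    - from:
        - podSelector:
            matchLabels:
              role: langflow-client
      ports:
        - protocol: TCP
          port: 7860
  egress:
    # DNS only by default. Add explicit rules for the model providers,
    # databases and other services the flows actually need.
    - to:
        - namespaceSelector: {}
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
```

Two caveats. NetworkPolicy objects are only enforced when the cluster's CNI implements them, so verify with a connection attempt from a pod that does not match the client label rather than trusting that the object exists. And if Langflow is exposed through an ingress controller or a Service of type LoadBalancer, the controller's pods would need to be admitted here, which moves the trust decision to the ingress layer; that is where the restriction to trusted sources then has to be applied.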

Affected packages
  • IBM / Langflow OSS: 1.0.0 through 1.8.4 (≤ 1.8.4; no fixed version published)
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H