PT-2026-52163 · Ibm · Langflow Oss

Published 2026-06-24 · Updated 2026-06-30 · CVE-2026-10546

CVSS v3.1: 7.1 High

Vector: AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N

Name of the Vulnerable Software and Affected Versions

IBM Langflow OSS versions 1.0.0 through 1.9.3

Description

A Server-Side Request Forgery (SSRF) issue exists in the URL component located at src/lfx/src/lfx/components/data source/url.py. This is caused by a Time-of-Check/Time-of-Use (TOCTOU) race condition, which is a scenario where a system checks a condition (such as a security validation) and then uses the result, but the condition changes between the check and the use. This flaw can be exploited via DNS rebinding, a technique used to bypass Same-Origin Policy restrictions by changing the IP address associated with a domain name after the initial validation. This issue impacts data confidentiality in transit.

Recommendations

Update IBM Langflow OSS to a version newer than 1.9.3.
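
The check-then-use gap described above, shown beside a resolve-once form that pins the validated address. This is an added illustration, not Langflow's code or its fix; the function names, the `FlippingResolver` test double and the sample addresses are constructed for the example.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

def is_public(ip: str) -> bool:
    """True only for globally routable addresses (rejects loopback, RFC 1918, link-local)."""
    return ipaddress.ip_address(ip).is_global

def resolve(host: str, port: int) -> list[str]:
    """Default resolver: every address the name maps to right now."""
    return sorted({ai[4][0] for ai in socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)})

def _host_port(url: str) -> tuple[str, int]:
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError("blocked: unsupported URL")
    return parts.hostname, parts.port or (443 if parts.scheme == "https" else 80)

def check_then_fetch_target(url: str, resolver=resolve) -> str:
    """Racy pattern: validation and connection each perform their own DNS lookup."""
    host, port = _host_port(url)
    if not all(is_public(ip) for ip in resolver(host, port)):  # time of check
        raise ValueError("blocked: non-public address")
    # An HTTP client that is handed the hostname resolves it again (time of use).
    return resolver(host, port)[0]

def pinned_target(url: str, resolver=resolve) -> str:
    """Resolve once, validate every answer, return the IP the client must dial."""
    host, port = _host_port(url)
    addrs = resolver(host, port)
    if not addrs or not all(is_public(ip) for ip in addrs):
        raise ValueError("blocked: non-public address")
    return addrs[0]  # connect to this IP; use the hostname only for Host header and TLS SNI

class FlippingResolver:
    """Constructed test double: first answer is public, later answers are loopback."""
    def __init__(self):
        self.calls = 0

    def __call__(self, host, port):
        self.calls += 1
        return ["93.184.216.34"] if self.calls == 1 else ["127.0.0.1"]
```

The pinned address only helps if the HTTP client actually connects to it, and each redirect hop needs the same resolve-and-validate step.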

Fix

SSRF

Weakness Enumeration

Related Identifiers

CVE-2026-10546

Affected Products

Langflow Oss