Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools

langflow_desktop

Source -

NVD

CNA CVEs -

0

ADP CVEs -

0

CISA CVEs -

0

NVD CVEs -

6
Related CVEsRelated VendorsRelated AssignersReports
6Vulnerabilities found
CVE-2026-6543
Assigner-IBM Corporation
ShareView Details
Assigner-IBM Corporation
CVSS Score-8.8||HIGH
EPSS-0.04% / 12.76%
||
7 Day CHG~0.00%
Published-30 Apr, 2026 | 21:11
Updated-11 May, 2026 | 17:04
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Authenticated Remote Code Execution Vulnerability in Langflow Code Validation Endpoint

IBM Langflow Desktop 1.0.0 through 1.8.4 Langflow allows an attacker to execute arbitrary commands with the privileges of the process running Langflow. This allows reading sensitive environment variables (API keys, DB credentials), modifying files, or launching further attacks on the internal network.

Action-Not Available
Vendor-langflowIBM Corporation
Product-langflow_desktopLangflow Desktop
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2026-3345
Assigner-IBM Corporation
ShareView Details
Assigner-IBM Corporation
CVSS Score-6.5||MEDIUM
EPSS-0.06% / 18.20%
||
7 Day CHG+0.01%
Published-30 Apr, 2026 | 21:11
Updated-11 May, 2026 | 17:05
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Path Traversal and Arbitrary File Write Vulnerability in IBM Langflow Desktop API v2 File Upload Endpoint

IBM Langflow Desktop <=1.8.4 Langflow could allow a remote attacker to traverse directories on the system. An attacker could send a specially crafted URL request containing "dot dot" sequences (/../) to view arbitrary files on the system.

Action-Not Available
Vendor-langflowIBM Corporation
Product-langflow_desktopLangflow Desktop
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2026-3346
Assigner-IBM Corporation
ShareView Details
Assigner-IBM Corporation
CVSS Score-6.4||MEDIUM
EPSS-0.03% / 8.34%
||
7 Day CHG~0.00%
Published-30 Apr, 2026 | 21:06
Updated-11 May, 2026 | 17:06
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Stored Cross-Site Scripting (XSS) in Langflow Markdown Rendering via rehypeRaw

IBM Langflow Desktop 1.6.0 through 1.8.4 Lanflow is vulnerable to stored cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.

Action-Not Available
Vendor-langflowIBM Corporation
Product-langflow_desktopLangflow Desktop
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2026-3340
Assigner-IBM Corporation
ShareView Details
Assigner-IBM Corporation
CVSS Score-6.5||MEDIUM
EPSS-0.03% / 9.16%
||
7 Day CHG+0.01%
Published-30 Apr, 2026 | 21:04
Updated-11 May, 2026 | 17:05
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Server-Side Request Forgery (SSRF) in Langflow URL Component

IBM Langflow Desktop 1.0.0 through 1.8.4 IBM Langflow is vulnerable to server-side request forgery (SSRF). This may allow an authenticated attacker to send unauthorized requests from the system, potentially leading to network enumeration or facilitating other attacks.

Action-Not Available
Vendor-langflowIBM Corporation
Product-langflow_desktopLangflow Desktop
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2026-4502
Assigner-IBM Corporation
ShareView Details
Assigner-IBM Corporation
CVSS Score-6.5||MEDIUM
EPSS-0.05% / 16.20%
||
7 Day CHG+0.01%
Published-30 Apr, 2026 | 20:57
Updated-11 May, 2026 | 17:06
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Arbitrary File Write and Remote Code Execution Vulnerability in Langflow v2 API

IBM Langflow Desktop 1.2.0 through 1.8.4 Langflow could allow an authenticated attacker to traverse directories on the system. An attacker could send a specially crafted URL request containing "dot dot" sequences (/../) to write arbitrary files on the system.

Action-Not Available
Vendor-langflowIBM Corporation
Product-langflow_desktopLangflow Desktop
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2026-4503
Assigner-IBM Corporation
ShareView Details
Assigner-IBM Corporation
CVSS Score-7.5||HIGH
EPSS-0.05% / 16.35%
||
7 Day CHG+0.01%
Published-30 Apr, 2026 | 20:48
Updated-11 May, 2026 | 17:06
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Unauthenticated Insecure Direct Object Reference (IDOR) Vulnerability in Langflow Desktop Image Download Endpoint

IBM Langflow Desktop 1.0.0 through 1.8.4 Langflow could allow an unauthenticated user to view other users' images due to an indirect object reference through a user-controlled key.

Action-Not Available
Vendor-langflowIBM Corporation
Product-langflow_desktopLangflow Desktop
CWE ID-CWE-639
Authorization Bypass Through User-Controlled Key