CVE-2026-10546: IBM Langflow OSS 1.0.0 through 1.9.3 contains a Server-Side Request Forgery (SSRF) vulnerability in the URL component (
Summary
IBM Langflow OSS versions 1.0.0 through 1.9.3 contain a Server-Side Request Forgery vulnerability (SSRF, a flaw where an attacker tricks a server into making requests to unintended locations) in the URL component. The vulnerability is caused by a TOCTOU race condition (a timing bug where a system checks something at one moment but uses it at another, allowing attackers to change it in between), which attackers can exploit through DNS rebinding (a technique where an attacker changes what a domain name points to after the server checks it).
Vulnerability Details
7.1(high)
EPSS: 0.0%
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N
network
high
low
none
June 30, 2026
Classification
Taxonomy References
Affected Vendors
Related Issues
Original source: https://nvd.nist.gov/vuln/detail/CVE-2026-10546
First tracked: June 30, 2026 at 08:09 PM
Classified by LLM (prompt v3) · confidence: 92%