AI Sec Watch: A Security Intelligence Platform for AI Systems

Luu, T.J.

CVE-2026-6542: IBM Langflow OSS 1.0.0 through 1.8.4 could allow any user to supply a flow_id to read transaction logs and vertex build

mediumvulnerability

security

Source: NVD/CVE DatabaseApril 30, 2026CVE-2026-6542

Summary

IBM Langflow OSS (open-source software) versions 1.0.0 through 1.8.4 has a vulnerability where any user can view and delete other users' data by supplying a flow_id (a reference number for a workflow). This happens because the system doesn't properly check who should be allowed to access certain information, allowing unauthorized access to transaction logs and build data.

Vulnerability Details

CVSS Score

6.5(medium)

EPSS (30-day exploit probability)

EPSS: 0.0%

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Attack Vector

network

Attack Complexity

low

Privileges Required

low

User Interaction

none

Disclosure Date

April 30, 2026

Classification

Attack Type

Data Extraction

Attack SophisticationTrivial

Impact (CIA+S)

confidentialityintegrity

Taxonomy References

CWE (Weakness Type)

CWE-639

Affected Vendors

LangChain

Related Issues

medium

CVE-2026-34371: LibreChat is a ChatGPT clone with additional features. Prior to 0.8.4, LibreChat trusts the name field returned by the e

Same vendorNVD/CVE Database

critical

CVE-2024-27444: langchain_experimental (aka LangChain Experimental) in LangChain before 0.1.8 allows an attacker to bypass the CVE-2023-

Same vendor

Monthly digest — independent AI security research

Original source: https://nvd.nist.gov/vuln/detail/CVE-2026-6542

First tracked: May 1, 2026 at 02:07 AM

Classified by LLM (prompt v3) · confidence: 92%