AI Sec Watch: A Security Intelligence Platform for AI Systems

Luu, T.J.

CVE-2026-4503: IBM Langflow Desktop 1.0.0 through 1.8.4 Langflow could allow an unauthenticated user to view other users' images due to

highvulnerability

security

Source: NVD/CVE DatabaseApril 30, 2026CVE-2026-4503

Summary

IBM Langflow Desktop versions 1.0.0 through 1.8.4 have a security flaw where an unauthenticated user (someone without a login) can view other users' images by manipulating a user-controlled key (a piece of data that identifies which resource to access). This happens because the application doesn't properly check permissions when accessing images, which is a type of vulnerability called authorization bypass through user-controlled key (CWE-639).

Vulnerability Details

CVSS Score

7.5(high)

EPSS (30-day exploit probability)

EPSS: 0.0%

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Attack Vector

network

Attack Complexity

low

Privileges Required

none

User Interaction

none

Disclosure Date

April 30, 2026

Classification

Attack Type

Data Extraction

Attack SophisticationTrivial

Impact (CIA+S)

confidentiality

AI Component TargetedAPI

Taxonomy References

CWE (Weakness Type)

CWE-639

Affected Vendors

Related Issues

critical

CVE-2025-45150: Insecure permissions in LangChain-ChatGLM-Webui commit ef829 allows attackers to arbitrarily view and download sensitive

Similar attackNVD/CVE Database

high

CVE-2025-54868: LibreChat is a ChatGPT clone with additional features. In versions 0.0.6 through 0.7.7-rc1, an exposed testing endpoint

Similar attack

Monthly digest — independent AI security research

Original source: https://nvd.nist.gov/vuln/detail/CVE-2026-4503

First tracked: May 1, 2026 at 02:07 AM

Classified by LLM (prompt v3) · confidence: 85%