CVE-2026-7664 | THREATINT

Description

IBM Langflow OSS 1.0.0 through 1.8.4 could allow unauthenticated attackers to access protected MCP project resources and execute MCP operations due to improper authorization enforcement in the Streamable MCP transport endpoint.

PUBLISHED Reserved 2026-05-01 | Published 2026-06-22 | Updated 2026-06-23 | Assigner ibm

CRITICAL: 9.8CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Problem types

CWE-287 Improper Authentication

Product status

1.0.0 (semver)

affected

References

www.ibm.com/support/pages/node/7277243 vendor-advisory patch

cve.org (CVE-2026-7664)

nvd.nist.gov (CVE-2026-7664)

Download JSON