CVE-2026-7663 Overview
CVE-2026-7663 is a critical authorization bypass vulnerability affecting IBM Langflow OSS versions 1.0.0 through 1.9.6. The flaw resides in the Streamable Model Context Protocol (MCP) transport endpoint, which fails to enforce proper authorization checks. Unauthenticated attackers can access protected MCP project resources and execute MCP operations over the network. The vulnerability is tracked under CWE-285 (Improper Authorization) and CWE-863 (Incorrect Authorization). IBM published a security advisory describing the issue and remediation guidance.
Critical Impact
Remote, unauthenticated attackers can access MCP project resources and invoke MCP operations, resulting in full confidentiality, integrity, and availability compromise.
Affected Products
- IBM Langflow OSS 1.0.0 through 1.9.6
- Deployments exposing the Streamable MCP transport endpoint
- Self-hosted Langflow instances reachable over the network
Discovery Timeline
- 2026-06-30 - CVE-2026-7663 published to the National Vulnerability Database
- 2026-07-02 - Last updated in NVD database
Technical Details for CVE-2026-7663
Vulnerability Analysis
Langflow is an open-source framework for building agentic and LLM-driven workflows. It exposes MCP endpoints that allow clients to enumerate projects, invoke tools, and stream results. In affected releases, the Streamable MCP transport endpoint does not verify that the caller holds valid credentials or has authorization to access the requested project. Requests reach protected MCP handlers without passing an authorization check.
An attacker with network reach to the Langflow service can call MCP operations directly and interact with project resources that should be restricted. Because MCP tool invocations frequently trigger backend actions, data retrieval, or code execution paths, exploitation can expose sensitive project data, modify server state, and disrupt service availability. The IBM advisory confirms unauthenticated network exploitation without user interaction. See the IBM Support Page for vendor detail.
Root Cause
The root cause is missing or incorrect authorization enforcement on the Streamable MCP transport handler. Authentication and authorization middleware applied to other Langflow API routes is not applied consistently to this endpoint, so protected MCP resources are reachable by anonymous callers.
Attack Vector
Exploitation is remote and network-based. An attacker sends crafted MCP requests to the Streamable MCP transport endpoint of a vulnerable Langflow instance. No credentials, tokens, or user interaction are required. Successful requests return protected project data or execute MCP operations under the trust context of the server.
No verified public proof-of-concept code is available at time of publication. Refer to the vendor advisory for authoritative technical details.
Detection Methods for CVE-2026-7663
Indicators of Compromise
- Unauthenticated HTTP requests to Langflow MCP transport routes, particularly Streamable MCP endpoints, that return 2xx status codes.
- MCP tool invocations or project resource reads originating from source IPs outside the expected client population.
- Access log entries lacking session tokens or API keys but successfully reaching MCP handlers.
- Unexpected spikes in MCP request volume or anomalous project enumeration activity.
Detection Strategies
- Inspect Langflow application logs for MCP endpoint access without an associated authenticated principal.
- Deploy web application firewall or reverse proxy rules that flag anonymous requests to /api/v1/mcp and streamable transport paths.
- Correlate outbound network activity from the Langflow host with MCP tool executions to identify attacker-triggered actions.
Monitoring Recommendations
- Enable verbose audit logging on Langflow and forward events to a centralized SIEM or data lake for retention and query.
- Alert on any MCP operation performed without a valid session, API key, or authenticated user identifier.
- Baseline normal MCP client IP ranges and generate alerts for deviations.
How to Mitigate CVE-2026-7663
Immediate Actions Required
- Upgrade IBM Langflow OSS to a version later than 1.9.6 that contains the authorization fix, per the IBM advisory.
- Restrict network exposure of Langflow instances to trusted networks using firewalls, VPN, or private subnets.
- Place Langflow behind an authenticating reverse proxy that enforces identity on all MCP routes.
- Review MCP project data and audit logs for signs of unauthorized access since deployment.
Patch Information
IBM has published remediation guidance on the IBM Support Page. Administrators should apply the fixed Langflow release identified in the advisory and validate that the Streamable MCP transport endpoint requires authentication after upgrade.
Workarounds
- Block external access to Langflow MCP endpoints at the network edge until patching completes.
- Disable the Streamable MCP transport if it is not required by downstream clients.
- Enforce mutual TLS or a reverse-proxy authentication layer in front of Langflow to reject anonymous requests.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

