PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-9103 IBM CVE debrief

A critical vulnerability was discovered in IBM Langflow OSS versions 1.0.0 through 1.10.0. The /api/v1/login/auto_login endpoint issues long-lived superuser bearer tokens without requiring authentication when the AUTO_LOGIN configuration is enabled by default, potentially allowing unauthenticated network attackers to gain full administrative access.

Vendor
IBM
Product
Langflow OSS
CVSS
CRITICAL 9.8
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-17
Original CVE updated
2026-07-17
Advisory published
2026-07-17
Advisory updated
2026-07-17

Who should care

Organizations using IBM Langflow OSS versions 1.0.0 through 1.10.0 should prioritize patching this vulnerability to prevent potential unauthorized access. This is crucial for operators managing the system, as it could allow unauthenticated network attackers to gain full administrative access. Platform administrators and security teams should also be aware of this vulnerability to ensure proper mitigation and protection of their environments.

Technical summary

The vulnerability exists in the /api/v1/login/auto_login endpoint of IBM Langflow OSS. When the AUTO_LOGIN configuration is enabled (which is the default setting), the endpoint issues long-lived superuser bearer tokens without requiring authentication. This could allow an unauthenticated network attacker to obtain full administrative access. Additionally, the permissive cross-origin resource sharing (CORS) settings may expose tokens to unintended origins, further increasing the risk of unauthorized access.

Defensive priority

High

Recommended defensive actions

  • Immediately apply patches or updates provided by IBM to fix the vulnerability in the /api/v1/login/auto_login endpoint.
  • Disable the AUTO_LOGIN configuration if not required.
  • Review and restrict cross-origin resource sharing (CORS) settings to prevent token exposure.
  • Implement additional authentication mechanisms for administrative access.
  • Monitor for any suspicious activity related to the /api/v1/login/auto_login endpoint.

Evidence notes

The CVE record was published on 2026-07-17T19:17:19.277Z and has not been modified since then. The vulnerability has a CVSS score of 9.8 and is classified as CRITICAL. IBM has provided a support page (https://www.ibm.com/support/pages/node/7278926) for this issue.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-17T19:17:19.277Z and has not been modified since then.