PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-3340 Langflow CVE debrief

CVE-2026-3340 is a server-side request forgery (SSRF) issue in IBM Langflow Desktop affecting versions 1.0.0 through 1.8.4. According to the vendor and NVD, an authenticated attacker may be able to make unauthorized requests from the system, which could support network enumeration or other follow-on attacks.

Vendor
Langflow
Product
Langflow Desktop
CVSS
MEDIUM 6.5
CISA KEV
Not listed in stored evidence
Original CVE published
2026-04-30
Original CVE updated
2026-05-11
Advisory published
2026-04-30
Advisory updated
2026-05-11

Who should care

Administrators and security owners responsible for IBM Langflow Desktop deployments, especially environments that allow authenticated users to interact with the application and where the host can reach sensitive internal services.

Technical summary

The official NVD record cites a vulnerable CPE for langflow_desktop from 1.0.0 through 1.8.4 and maps the weakness to CWE-918 (SSRF). The published description says an authenticated attacker may be able to send unauthorized requests from the system, creating potential for internal network probing or other abuse. NVD rates the issue 6.5/Medium with CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N. Note that the vector's PR:N (no privileges required) does not match the description's authenticated-attacker wording; the stored evidence does not resolve the discrepancy, so treat authentication as an unconfirmed precondition rather than a mitigating control.

Defensive priority

Medium. The issue is network-reachable (AV:N) and lets an attacker turn the application into a request proxy toward anything the Langflow host can reach, so it weighs more heavily where that host sits near cloud-metadata endpoints, internal admin interfaces or unauthenticated internal services. The supplied corpus does not indicate code execution, public exploitation, or KEV inclusion.

Recommended defensive actions

  • Review the IBM PSIRT advisory referenced by the NVD record for remediation guidance and any vendor-supplied fix or mitigation details.
  • Upgrade or replace affected IBM Langflow Desktop installations (1.0.0 through 1.8.4) once the vendor identifies a remediated version; the stored evidence names none.
  • Restrict who can authenticate to Langflow Desktop and apply least-privilege access to the application, but do not rely on this alone given the PR:N vector.
  • Limit outbound network access from the Langflow host to an explicit allow-list of required destinations, blocking loopback, RFC 1918, link-local (including the 169.254.169.254 cloud-metadata endpoint) and other internal ranges.
  • Monitor egress-proxy or firewall logs for server-initiated requests to internal or unexpected destinations, sequential internal address probing, or other request patterns that could indicate SSRF activity.
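As a worked illustration of the last two actions (egress allow-list and monitoring), the following is an added example and not code from PatchSiren, Langflow or IBM: a small detector run over constructed egress-proxy log lines that flags requests from the Langflow host to loopback, private, link-local or cloud-metadata address space, or to hosts outside the allow-list. The log format, the host names, the EGRESS_ALLOWLIST and the FAKE_DNS table are assumptions. It goes slightly beyond the text by also catching integer-form IP literals (0x7f000001) and IPv4-mapped IPv6 addresses, which are common ways SSRF payloads slip past string-based filters.

```python
"""
Flag outbound requests from a Langflow host that target internal address
space or hosts outside an egress allow-list (SSRF abuse indicators).

Added example, not code from PatchSiren, Langflow or IBM. The log format,
host names, allow-list and FAKE_DNS table are assumptions; the log lines
are constructed.
"""
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed egress-proxy log lines. Assumed format:
#   <timestamp> <source host> <method> <url> <status>
SAMPLE_LOG = """\
2026-05-12T09:14:02Z langflow-01 GET https://api.openai.com/v1/models 200
2026-05-12T09:14:07Z langflow-01 GET http://169.254.169.254/latest/meta-data/ 200
2026-05-12T09:14:09Z langflow-01 GET http://10.0.3.15:8500/v1/kv/?keys 403
2026-05-12T09:14:11Z langflow-01 GET http://127.0.0.1:9200/_cat/indices 200
2026-05-12T09:14:13Z langflow-01 GET http://vault.corp.internal:8200/v1/sys/health 200
2026-05-12T09:14:15Z langflow-01 GET http://0x7f000001/ 200
2026-05-12T09:14:18Z langflow-01 POST https://webhook.example.net/collect 200
2026-05-12T09:14:20Z build-02 GET http://10.0.3.15:8500/v1/kv/?keys 200
"""

# Destinations the Langflow host legitimately needs (assumed; tighten per site).
EGRESS_ALLOWLIST = {"api.openai.com", "huggingface.co"}

# Offline stand-in for DNS so the example runs without network access.
# In production, resolve the name and classify every address returned.
FAKE_DNS = {"vault.corp.internal": "10.0.7.4", "webhook.example.net": "203.0.113.9"}

# Address space SSRF typically reaches for: RFC 1918, loopback, link-local
# (includes the 169.254.169.254 cloud-metadata endpoint), CGNAT, "this"
# network, and the IPv6 equivalents.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "100.64.0.0/10", "0.0.0.0/8",
    "::1/128", "fc00::/7", "fe80::/10",
)]

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)


def destination_address(host):
    """Map a URL host to an address object, or None for an unknown name.

    Accepts dotted IPv4/IPv6 literals and bare integer forms such as
    0x7f000001 or 2130706433 (both 127.0.0.1), which naive filters miss.
    """
    for parse in (ipaddress.ip_address, lambda h: ipaddress.ip_address(int(h, 0))):
        try:
            return parse(host)
        except ValueError:
            continue
    resolved = FAKE_DNS.get(host)
    return ipaddress.ip_address(resolved) if resolved else None


def is_internal(ip):
    """True if ip lies in internal/link-local space; unwraps IPv4-mapped IPv6."""
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip in net for net in INTERNAL_NETS)


def analyze(log_text, monitored_host="langflow-01"):
    """Return one finding per suspicious outbound request made by monitored_host."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["src"] != monitored_host:
            continue
        host = urlsplit(m["url"]).hostname or ""
        ip = destination_address(host)
        # Classify the resolved address before consulting the allow-list so a
        # permitted name that resolves into internal space (DNS rebinding)
        # is still flagged.
        if ip is not None and is_internal(ip):
            reason = "internal address"
        elif host in EGRESS_ALLOWLIST:
            continue
        else:
            reason = "not on egress allow-list"
        findings.append({
            "ts": m["ts"], "url": m["url"], "host": host,
            "ip": str(ip) if ip is not None else None,
            "status": int(m["status"]), "reason": reason,
        })
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f['ts']} {f['reason']:<26} {f['url']} -> {f['ip']}")
```

Run as-is, the script reports six findings for langflow-01: the metadata endpoint, three loopback/private literals (one written as a hex integer), a name that resolves into 10/8, and one external host that is simply absent from the allow-list; the request from build-02 is ignored because only the Langflow host is monitored. Classifying the resolved address before the allow-list check is deliberate: an allow-listed name that rebinds to an internal address should still trip the detector.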

Evidence notes

Supported by the NVD record for CVE-2026-3340 and the linked IBM vendor advisory reference. The supplied corpus directly supports the affected version range (1.0.0 through 1.8.4), the SSRF weakness (CWE-918), the authenticated-attacker description, and the CVSS v3.1 vector/score. No fixed version, exploitation details, or KEV status were provided in the corpus.

Official resources

The CVE was published on 2026-04-30 and last modified on 2026-05-11 in the supplied CVE/NVD timeline. The IBM vendor advisory is referenced by the NVD record.