PatchSiren cyber security CVE debrief
CVE-2026-3346 Langflow CVE debrief
CVE-2026-3346 is a stored cross-site scripting issue affecting IBM Langflow Desktop 1.6.0 through 1.8.4. According to the NVD record, an authenticated user can embed arbitrary JavaScript in the Web UI, which can alter application behavior inside a trusted session and may expose credentials or other sensitive data associated with that session. The CVE was published on 2026-04-30 and updated on 2026-05-11.
- Vendor: Langflow
- Product: CVE-2026-3346
- CVSS: MEDIUM 6.4
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-04-30
- Original CVE updated: 2026-05-11
- Advisory published: 2026-04-30
- Advisory updated: 2026-05-11
Who should care
Administrators and security teams running IBM Langflow Desktop 1.6.0 through 1.8.4 should treat this as relevant, especially in environments where multiple authenticated users share the Web UI or where sessions may carry sensitive access. Any organization relying on the desktop UI for interactive workflows should review exposure promptly.
Technical summary
The official CVE/NVD record describes a stored XSS vulnerability in IBM Langflow Desktop versions 1.6.0 through 1.8.4. The issue allows an authenticated user to store JavaScript that executes in the Web UI. NVD assigns a CVSS v3.1 score of 6.4 (Medium) with the vector AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N, indicating a network-reachable attack surface, low attack complexity, low privileges required, no user interaction, changed scope, low confidentiality and integrity impact, and no availability impact. The source corpus does not include exploit details or the full vendor advisory text.
Defensive priority
Medium — prioritize patching in the normal update cycle, and move it higher if the application is used by multiple authenticated users or handles sensitive credentials in browser sessions.
Recommended defensive actions
- Inventory Langflow Desktop installs and confirm whether any instance is running a vulnerable version from 1.6.0 through 1.8.4.
- Apply the vendor-provided fix or upgrade guidance from IBM's advisory as soon as it is available in your environment.
- Review any features that accept or render user-supplied content in the Web UI and restrict where possible.
- Treat authenticated user input as potentially hostile and apply output encoding/sanitization controls in any adjacent integrations or custom extensions.
- Monitor for unexpected script execution, UI tampering, or suspicious session activity in affected deployments.
Evidence notes
This debrief is based only on the supplied CVE/NVD metadata and the referenced IBM PSIRT advisory link in the NVD record. The corpus explicitly states the affected versions, the stored XSS behavior, the authenticated-user requirement, and the potential for credentials disclosure within a trusted session. No vendor advisory text, patch details, or exploit proof-of-concept material was included in the supplied sources.
Official resources
- CVE-2026-3346 CVE record (CVE.org)
- CVE-2026-3346 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] - Vendor Advisory
Publicly disclosed in the CVE/NVD record on 2026-04-30 and modified on 2026-05-11. The NVD entry references an IBM PSIRT advisory, but the advisory text itself was not included in the supplied corpus.