External risk intelligence

IBM Langflow Account Creation Vulnerability Allows RCE

CVE advisorySeverity: CRITICAL (CVSS 9.8)

CVE-2026-9202

Langflow is commonly deployed as a web-based application or API service. As an automation and workflow platform, it is frequently exposed to the internet or reachable within a network to provide access to its management and workflow execution interface.

Missing Authentication

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

This advisory concerns a critical vulnerability in IBM Langflow OSS affecting versions 1.0.0 through 1.10.0. The vulnerability allows unauthenticated attackers to create unlimited active user accounts, potentially leading to the execution of remote code. The main concern is confirming relevance and exposure.

  • Unauthenticated users can create active accounts.
  • Enables unauthorized access and potential code execution.
  • Verify if your Langflow instances are affected.

Attack Path

How an attacker could exploit the issue

An attacker could begin by sending a request to an exposed Langflow instance. If the deployment option `NEW_USER_IS_ACTIVE` is enabled, the attacker can create an unlimited number of new user accounts. These new accounts are immediately active, allowing the attacker to authenticate and access code execution capabilities.

  • Network access to Langflow instance.
  • Create user account and authenticate.
  • Remote code execution.

Live Threat

Current exploitation, exposure, and threat context

Unauthenticated attackers could create unlimited active user accounts on an affected Langflow instance. When configured with `NEW_USER_IS_ACTIVE=true`, these accounts could immediately authenticate and access Remote Code Execution (RCE) endpoints without needing auto-login.

  • Affected asset: Langflow instance data.
  • Exposure: Unauthenticated network access.
  • Consequence: System compromise via RCE.

Operational Fix

Recommended remediation, mitigation, and detection steps

This vulnerability in IBM Langflow OSS could allow unauthenticated attackers to create unlimited active user accounts, potentially leading to Remote Code Execution. Application owners and platform teams are likely responsible for managing Langflow instances. The first critical step is to identify all deployed Langflow instances, confirm their exposure and business criticality, and then assign ownership for remediation planning.

  • Assign ownership for Langflow instances.
  • Verify instance exposure and criticality.
  • Plan remediation based on risk.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is IBM Langflow OSS?

IBM Langflow OSS is a visual, open-source workflow automation platform. Developers and engineers use it to build, prototype, and deploy sophisticated AI and data processing applications by connecting components through a drag-and-drop interface. It acts as a central hub for managing automation logic and workflow execution.

What does CWE-306 mean for CVE-2026-9202?

CWE-306 refers to 'Missing Authentication for Critical Function.' In this CVE, it means the application fails to verify who a user is before allowing them to perform sensitive actions—specifically, creating new administrative or standard accounts. Because this gatekeeper is missing, the system treats unverified requests as legitimate, granting unauthorized users full entry to the platform.

How does an attacker trigger this vulnerability?

An attacker triggers this by sending a crafted request to the account creation endpoint of an affected Langflow instance. This bug only leads to immediate system compromise when the deployment configuration 'NEW_USER_IS_ACTIVE' is set to true. If this specific configuration option is disabled or not set, the vulnerability cannot be used to instantly authenticate and execute arbitrary code.

Is my Langflow instance at risk?

According to Halo Surface Signal, Langflow is often deployed as a web application or API service, making it frequently reachable over a network. If your instance is accessible from the internet or a broad internal network segment, it is at higher risk. You should prioritize assessing instances where the management interface is not restricted by private network controls or identity-aware proxies.

What should I do first to address this?

Begin by creating a comprehensive inventory of all IBM Langflow deployments in your environment. Once identified, inspect the configuration files for each instance to see if 'NEW_USER_IS_ACTIVE' is enabled. While planning for a formal update, consider restricting network access to these instances using firewalls or VPNs to ensure they are not reachable by unauthorized users.

References