CVE-2026-3341
published 2026-06-11
CVE-2026-3341: IBM Langflow Desktop 1.0.0 through 1.9.2 IBM Langflow is vulnerable to server-side request forgery (SSRF). This may allow an authenticated attacker to send…
Priority P4 · 31 · medium · 5.4 · CVSS 3.1
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
EPSS: 0.14% (3.5th percentile)
IBM Langflow Desktop 1.0.0 through 1.9.2 IBM Langflow is vulnerable to server-side request forgery (SSRF). This may allow an authenticated attacker to send unauthorized requests from the system, potentially leading to network enumeration or facilitating other attacks.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ibm | langflow_desktop | 1.0.0 – 1.9.2 | — |
| langflow | langflow_desktop | >= 1.0.0 < 1.9.3 | 1.9.3 |
VulDB
IBM Langflow Desktop up to 1.9.2 server-side request forgery
vuldb·2026-06-11·CVSS 5.4
CVE-2026-3341 [MEDIUM] IBM Langflow Desktop up to 1.9.2 server-side request forgery
A vulnerability was found in IBM Langflow Desktop up to 1.9.2. It has been rated as critical. Affected is an unknown function. The manipulation leads to server-side request forgery.
This vulnerability is documented as CVE-2026-3341. The attack can be initiated remotely. There is not any exploit available.
Upgrading the affected component is advised.
GHSA
IBM Langflow Desktop 1.0.0 through 1.9.2 IBM Langflow is vulnerable to server-side request forgery (SSRF).
ghsa_unreviewed·2026-06-11
CVE-2026-3341 [MEDIUM] CWE-918 IBM Langflow Desktop 1.0.0 through 1.9.2 IBM Langflow is vulnerable to server-side request forgery (SSRF).
IBM Langflow Desktop 1.0.0 through 1.9.2 IBM Langflow is vulnerable to server-side request forgery (SSRF). This may allow an authenticated attacker to send unauthorized requests from the system, potentially leading to network enumeration or facilitating other attacks.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2026-06-11: Published