CVE-2026-10546 PUBLISHED

DNS Rebinding TOCTOU Bypass of SSRF Protection in Langflow OSS URL Component

Assigner: ibm
Reserved: 01.06.2026
Published: 30.06.2026
Updated: 01.07.2026

IBM Langflow OSS 1.0.0 through 1.9.3 contains a Server-Side Request Forgery (SSRF) vulnerability in the URL component (src/lfx/src/lfx/components/data_source/url.py). The component's SSRF protection is subject to a Time-of-Check/Time-of-Use (TOCTOU) race condition: the address that is validated is not necessarily the address the request is later sent to, so an attacker who controls DNS for the target hostname can answer the validation lookup with a public address and the subsequent connection lookup with an internal one (DNS rebinding), bypassing the protection.
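The following is an added example, written for this page and not taken from Langflow or its URL component, that reproduces the class of bug described above in a deterministic, offline way. `RebindingResolver` is a constructed stand-in for an attacker-controlled DNS server that answers differently on successive queries; `fake_connect` is a hypothetical transport that only reports which address it would connect to. `fetch_vulnerable` validates the resolved address and then lets the HTTP client resolve the hostname again (the TOCTOU window); `fetch_pinned` resolves once and connects to the address it checked. The sample addresses (8.8.8.8 as a public answer, 127.0.0.1 as the rebinding target) are constructed for the demonstration.

```python
import ipaddress
from typing import Callable, List
from urllib.parse import urlparse

# Constructed stand-in for DNS. A rebinding attacker runs the authoritative
# server for the hostname and answers each query differently: the first query
# (the SSRF check) gets a public address, the next one (issued by the HTTP
# client when it actually connects) gets an internal one.
class RebindingResolver:
    def __init__(self, answers: List[str]) -> None:
        self._answers = list(answers)
        self.queries = 0

    def resolve(self, host: str) -> List[str]:
        answer = self._answers[min(self.queries, len(self._answers) - 1)]
        self.queries += 1
        return [answer]


def is_public(addr: str) -> bool:
    """True only for globally routable unicast addresses.

    IPv4-mapped IPv6 (::ffff:127.0.0.1) is unwrapped first so it cannot be
    used to smuggle a loopback or link-local target past the check.
    """
    ip = ipaddress.ip_address(addr)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip.is_global and not ip.is_multicast


# Hypothetical transport: stands in for the socket connect and simply reports
# the address that would be connected to.
def fake_connect(ip: str, host: str) -> str:
    return ip


def _hostname(url: str) -> str:
    host = urlparse(url).hostname
    if not host:
        raise ValueError(f"no hostname in {url!r}")
    return host


def fetch_vulnerable(url: str, resolver: RebindingResolver,
                     connect: Callable[[str, str], str] = fake_connect) -> str:
    """Check-then-fetch pattern: the check and the connection each resolve DNS."""
    host = _hostname(url)
    # Time of check: resolve the name and validate every returned address.
    for ip in resolver.resolve(host):
        if not is_public(ip):
            raise ValueError(f"blocked: {host} resolves to non-public {ip}")
    # Time of use: the HTTP client is handed the URL and resolves the name
    # again. A rebinding server can now answer with an internal address.
    ip = resolver.resolve(host)[0]
    return connect(ip, host)


def fetch_pinned(url: str, resolver: RebindingResolver,
                 connect: Callable[[str, str], str] = fake_connect) -> str:
    """Resolve once, validate, then connect to the exact address that was checked."""
    host = _hostname(url)
    addrs = resolver.resolve(host)  # the only lookup
    for ip in addrs:
        if not is_public(ip):
            raise ValueError(f"blocked: {host} resolves to non-public {ip}")
    # Connect to the validated address; the hostname is still passed so the
    # transport can set the Host header / SNI from it rather than re-resolving.
    return connect(addrs[0], host)


if __name__ == "__main__":
    attacker = RebindingResolver(["8.8.8.8", "127.0.0.1"])
    print("vulnerable connects to:", fetch_vulnerable("http://attacker.example/", attacker))
    attacker = RebindingResolver(["8.8.8.8", "127.0.0.1"])
    print("pinned connects to:   ", fetch_pinned("http://attacker.example/", attacker))
```

With the constructed resolver, `fetch_vulnerable` passes the check on 8.8.8.8 and then connects to 127.0.0.1, while `fetch_pinned` connects to 8.8.8.8 after a single lookup. In a real client the pinning has to happen at the transport layer (the connection pool must dial the validated IP while keeping the original hostname for the Host header and TLS SNI), and the same resolve-validate-pin step must be repeated for every redirect target, since a 3xx to an internal hostname is the other common way past a one-time check.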

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N
CVSS Score: 7.1

Product Status

Vendor IBM
Product Langflow OSS
Versions
  • affected from 1.0.0 to 1.9.3 (incl.)

Solutions

IBM strongly recommends addressing the vulnerability now by upgrading Langflow OSS to version 1.10.0 (https://pypi.org/project/langflow/).

Problem Types

  • CWE-918 Server-Side Request Forgery (SSRF)