{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-6599", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2026-04-19T13:47:06.263Z", "datePublished": "2026-04-20T03:00:15.645Z", "dateUpdated": "2026-04-20T14:24:36.870Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-04-20T03:00:15.645Z"}, "title": "langflow-ai langflow Model Context Protocol Configuration API mcp_projects.py install_mcp_config injection", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-74", "lang": "en", "description": "Injection"}]}, {"descriptions": [{"type": "CWE", "cweId": "CWE-707", "lang": "en", "description": "Improper Neutralization"}]}], "affected": [{"vendor": "langflow-ai", "product": "langflow", "versions": [{"version": "1.8.0", "status": "affected"}, {"version": "1.8.1", "status": "affected"}, {"version": "1.8.2", "status": "affected"}, {"version": "1.8.3", "status": "affected"}], "cpes": ["cpe:2.3:a:langflow:langflow:*:*:*:*:*:*:*:*"], "modules": ["Model Context Protocol Configuration API"]}], "descriptions": [{"lang": "en", "value": "A vulnerability was detected in langflow-ai langflow up to 1.8.3. The impacted element is the function get_client_ip/install_mcp_config of the file src/backend/base/langflow/api/v1/mcp_projects.py of the component Model Context Protocol Configuration API. Performing a manipulation of the argument X-Forwarded-For results in injection. The attack may be initiated remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way."}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.3, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P", "baseSeverity": "MEDIUM"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 6.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:W/RC:R", "baseSeverity": "MEDIUM"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 6.3, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:W/RC:R", "baseSeverity": "MEDIUM"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:W/RC:UR"}}], "timeline": [{"time": "2026-04-19T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2026-04-19T02:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2026-04-19T15:52:58.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "Eric-f (VulDB User)", "type": "reporter"}, {"lang": "en", "value": "VulDB CNA Team", "type": "coordinator"}], "references": [{"url": "https://vuldb.com/vuln/358234", "name": "VDB-358234 | langflow-ai langflow Model Context Protocol Configuration API mcp_projects.py install_mcp_config injection", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/vuln/358234/cti", "name": "VDB-358234 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/submit/791922", "name": "Submit #791922 | Langflow <= 1.8.3 Authentication Bypass by Spoofing", "tags": ["third-party-advisory"]}, {"url": "https://gist.github.com/chenhouser2025/a909c47316b7a0948ee68c109ab747a3", "tags": ["exploit"]}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-20T14:24:29.574350Z", "id": "CVE-2026-6599", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-20T14:24:36.870Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-6599", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-20T14:24:29.574350Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-20T14:24:33.425Z"}}], "cna": {"title": "langflow-ai langflow Model Context Protocol Configuration API mcp_projects.py install_mcp_config injection", "credits": [{"lang": "en", "type": "reporter", "value": "Eric-f (VulDB User)"}, {"lang": "en", "type": "coordinator", "value": "VulDB CNA Team"}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 6.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:W/RC:R"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 6.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:W/RC:R"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:W/RC:UR"}}], "affected": [{"cpes": ["cpe:2.3:a:langflow:langflow:*:*:*:*:*:*:*:*"], "vendor": "langflow-ai", "modules": ["Model Context Protocol Configuration API"], "product": "langflow", "versions": [{"status": "affected", "version": "1.8.0"}, {"status": "affected", "version": "1.8.1"}, {"status": "affected", "version": "1.8.2"}, {"status": "affected", "version": "1.8.3"}]}], "timeline": [{"lang": "en", "time": "2026-04-19T00:00:00.000Z", "value": "Advisory disclosed"}, {"lang": "en", "time": "2026-04-19T02:00:00.000Z", "value": "VulDB entry created"}, {"lang": "en", "time": "2026-04-19T15:52:58.000Z", "value": "VulDB entry last update"}], "references": [{"url": "https://vuldb.com/vuln/358234", "name": "VDB-358234 | langflow-ai langflow Model Context Protocol Configuration API mcp_projects.py install_mcp_config injection", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/vuln/358234/cti", "name": "VDB-358234 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/submit/791922", "name": "Submit #791922 | Langflow <= 1.8.3 Authentication Bypass by Spoofing", "tags": ["third-party-advisory"]}, {"url": "https://gist.github.com/chenhouser2025/a909c47316b7a0948ee68c109ab747a3", "tags": ["exploit"]}], "descriptions": [{"lang": "en", "value": "A vulnerability was detected in langflow-ai langflow up to 1.8.3. The impacted element is the function get_client_ip/install_mcp_config of the file src/backend/base/langflow/api/v1/mcp_projects.py of the component Model Context Protocol Configuration API. Performing a manipulation of the argument X-Forwarded-For results in injection. The attack may be initiated remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-74", "description": "Injection"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-707", "description": "Improper Neutralization"}]}], "providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-04-20T03:00:15.645Z"}}}, "cveMetadata": {"cveId": "CVE-2026-6599", "state": "PUBLISHED", "dateUpdated": "2026-04-20T14:24:36.870Z", "dateReserved": "2026-04-19T13:47:06.263Z", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "datePublished": "2026-04-20T03:00:15.645Z", "assignerShortName": "VulDB"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability was detected in langflow-ai langflow up to 1.8.3. The impacted element is the function get_client_ip/install_mcp_config of the file src/backend/base/langflow/api/v1/mcp_projects.py of the component Model Context Protocol Configuration API. Performing a manipulation of the argument X-Forwarded-For results in injection. The attack may be initiated remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way."}], "id": "CVE-2026-6599", "lastModified": "2026-04-29T01:00:01.613", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.4, "source": "cna@vuldb.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 2.1, "baseSeverity": "LOW", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cna@vuldb.com", "type": "Secondary"}]}, "published": "2026-04-20T04:16:53.060", "references": [{"source": "cna@vuldb.com", "url": "https://gist.github.com/chenhouser2025/a909c47316b7a0948ee68c109ab747a3"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/submit/791922"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/vuln/358234"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/vuln/358234/cti"}], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-74"}, {"lang": "en", "value": "CWE-707"}], "source": "cna@vuldb.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "1.8.0"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "1.8.1"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "1.8.2"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "1.8.3"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "langflow", "source": "cna", "vendor": "langflow-ai"}, "product": "langflow", "vendor": "langflow"}], "analysis": {"en": {"generated_at": "2026-04-20T05:25:17.720820+00:00", "value": {"mitigation_remediation": ["Upgrade Langflow to a version newer than 1.8.3 once the vendor releases a patch.", "Configure the application or reverse proxy to remove or strictly validate the X\u2011Forwarded\u2011For header before it reaches the API.", "Deploy a web application firewall or equivalent rule set to block anomalous or non\u2011numeric values in the X\u2011Forwarded\u2011For header.", "Monitor access logs for repeated attempts to exploit the header field.", "Ensure that only trusted proxy servers are allowed to insert or modify the X\u2011Forwarded\u2011For header in production environments."], "summary": {"action": "Patch Immediately", "impact": "Code Injection via X\u2011Forwarded\u2011For"}, "threat_synthesis": {"affected_systems": "The affected product is Langflow version 1.8.3 and earlier, released by langflow\u2011ai. The vulnerability resides in src/backend/base/langflow/api/v1/mcp_projects.py within the Model Context Protocol Configuration API component. No other vendors or products are listed as impacted.", "description_and_impact": "A flaw in the Model Context Protocol Configuration API allows a remote attacker to inject malicious data by manipulating the X\u2011Forwarded\u2011For HTTP header. The injection originates in the get_client_ip/install_mcp_config function of the mcp_projects module, which does not properly sanitize user input. This weakness is identified as CWE\u2011707 (Improper Restriction of Values for Generated Code) and CWE\u201174 (Improper Handling of User Controlled Input). The exploitation yields code execution or other injection outcomes, with the public exploit already available, making the vulnerability practical for attackers.", "risk_and_exploitability": "The CVSS score of 5.3 classifies this as a medium\u2011severity vulnerability. EPSS information is not available, and the vulnerability is not listed in the CISA KEV catalog, indicating that the exploitation probability is currently uncertain. However, the attack vector is remote, based on crafted HTTP headers that can be sent from any internet\u2011connected client, and the exploit is publicly documented. The lack of a vendor response suggests that a patch may not yet be released, elevating the risk for exposed installations."}}}}, "created": "2026-04-20T05:30:44.131026+00:00", "title": "Injection via X\u2011Forwarded\u2011For Header in Langflow Model Context Protocol Configuration API", "updated": "2026-04-20T06:00:07.801491+00:00", "vendors": ["langflow", "langflow$PRODUCT$langflow"]}