VYPR
Medium severity · 5.4 · NVD Advisory · Published Jun 11, 2026

CVE-2026-3341

Description

IBM Langflow Desktop 1.0.0-1.9.2 SSRF protection bypass via DNS rebinding allows authenticated attackers to access internal networks.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

IBM Langflow Desktop versions 1.0.0 through 1.9.2 contain a server-side request forgery (SSRF) vulnerability due to a Time-of-Check to Time-of-Use (TOCTOU) race condition in the SSRF protection mechanism. The validate_url_for_ssrf() function validates URLs using socket.getaddrinfo(), but the subsequent HTTP request via httpx.AsyncClient() performs a separate DNS lookup. This discrepancy allows an attacker to use a DNS rebinding domain with TTL=0 to return a public IP address during validation (passing checks) and a private IP address (e.g., 127.0.0.1, 192.168.x.x, 169.254.169.254) during the actual request. IBM Langflow Desktop includes DNS pinning infrastructure (validate_and_resolve_url() and DNSPinningNetworkBackend) intended to prevent this attack, but the protection is not consistently applied across all code paths, leaving the SSRF protection bypassable in default configurations. [1]
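
An added illustration of the check/use gap described above, next to a resolve-once-and-pin variant; it is not IBM's or Langflow's code. The resolver class, function names, hostname and sample addresses are constructed for this example, and the resolver stands in for DNS so nothing touches the network.

```python
import ipaddress
from urllib.parse import urlsplit

class RebindingResolver:
    """Constructed stand-in for a TTL=0 rebinding DNS server (no network I/O):
    the first lookup returns `first`, every later lookup returns `later`."""
    def __init__(self, first, later):
        self.first, self.later, self.calls = first, later, 0

    def resolve(self, host):
        self.calls += 1
        return [self.first] if self.calls == 1 else [self.later]

def is_internal(ip):
    """True for addresses an outbound fetcher should refuse to contact."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 6 and addr.ipv4_mapped:   # e.g. ::ffff:127.0.0.1
        addr = addr.ipv4_mapped
    return (addr.is_private or addr.is_loopback or addr.is_link_local
            or addr.is_reserved or addr.is_multicast or addr.is_unspecified)

def check_then_fetch(url, resolver):
    """The TOCTOU pattern: validate one DNS answer, connect using another."""
    host = urlsplit(url).hostname
    if any(is_internal(ip) for ip in resolver.resolve(host)):  # time of check
        raise ValueError("blocked: internal address")
    return resolver.resolve(host)[0]  # time of use: the client resolves again

def resolve_and_pin(url, resolver):
    """Resolve once, validate every answer, and return the address to dial.
    The caller connects to the returned IP and keeps `host` for Host/SNI."""
    host = urlsplit(url).hostname
    ips = resolver.resolve(host)
    if not ips or any(is_internal(ip) for ip in ips):
        raise ValueError("blocked: internal address")
    return host, ips[0]

if __name__ == "__main__":
    url = "http://rebind.example.test/"  # constructed hostname
    racy = RebindingResolver("93.184.216.34", "169.254.169.254")
    print("check-then-fetch connects to:", check_then_fetch(url, racy))
    pinned = RebindingResolver("93.184.216.34", "169.254.169.254")
    print("resolve-and-pin connects to:", resolve_and_pin(url, pinned)[1])
```

Pinning only holds if every outbound request path, including redirects, connects to the validated address rather than resolving the hostname again.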

Exploitation

An authenticated attacker can exploit this vulnerability by crafting a URL that points to a DNS rebinding domain they control. The attacker sets the DNS TTL to 0 so that the DNS response changes between the validation and request phases. The attacker must have network access to the Langflow Desktop instance and be able to trigger a request to an external URL (e.g., via a feature that fetches external resources). The attacker does not need any special privileges beyond authentication. The exploitation sequence is: (1) the attacker registers a DNS rebinding domain that initially resolves to a public IP (e.g., a benign server) and then, after a short delay, resolves to a private IP; (2) the attacker configures Langflow Desktop to make a request to that domain; (3) the validation step sees the public IP and allows the request; (4) the actual HTTP request resolves to the private IP, granting access to internal services. [1]

Impact

Successful exploitation allows an authenticated attacker to send unauthorized HTTP requests from the Langflow Desktop system to internal network resources, including localhost services, internal network hosts, and cloud metadata endpoints (e.g., 169.254.169.254). This can lead to network enumeration, information disclosure, and potentially facilitate further attacks against internal systems. The CVSS v3.1 base score is 5.4 (Medium) with vector AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N, indicating low confidentiality and integrity impact, no availability impact, and no user interaction required. [1]

Mitigation

As of the publication date (2026-06-11), IBM has not released a patch or workaround for this vulnerability. The affected versions are IBM Langflow Desktop 1.0.0 through 1.9.2. The security bulletin states "Workarounds and Mitigations: None." [1] Users should monitor IBM's security advisories for updates. No known exploitation in the wild has been reported, and the CVE is not listed in CISA's Known Exploited Vulnerabilities catalog.

AI Insight generated on Jun 11, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References

1
