CVE-2026-4503 - Vulnerability Details - OpenCVE

IBM Langflow Desktop 1.0.0 through 1.8.4 Langflow could allow an unauthenticated user to view other users' images due to an indirect object reference through a user-controlled key.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

Vendors	Products
Ibm	Langflow Desktop

No data.

No data.

No data.

References

Link	Providers
https://www.ibm.com/support/pages/node/7271099

History

Thu, 30 Apr 2026 21:15:00 +0000

Type	Values Removed	Values Added
Description		IBM Langflow Desktop 1.0.0 through 1.8.4 Langflow could allow an unauthenticated user to view other users' images due to an indirect object reference through a user-controlled key.
Title		Unauthenticated Insecure Direct Object Reference (IDOR) Vulnerability in Langflow Desktop Image Download Endpoint
First Time appeared		Ibm Ibm langflow Desktop
Weaknesses		CWE-639
CPEs		cpe:2.3:a:ibm:langflow_desktop:1.0.0:::::::* cpe:2.3:a:ibm:langflow_desktop:1.8.4:::::::*
Vendors & Products		Ibm Ibm langflow Desktop
References		https://www.ibm.com/support/pages/node/7271099
Metrics		cvssV3_1 `{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}`

MITRE

Status: PUBLISHED

Assigner: ibm

Published: 2026-04-30T20:48:17.662Z

Updated: 2026-04-30T20:48:17.662Z

Reserved: 2026-03-20T14:01:11.389Z

Link: CVE-2026-4503

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-04-30T21:16:33.667

Modified: 2026-04-30T21:16:33.667

Link: CVE-2026-4503

Redhat

No data.

OpenCVE Enrichment

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-4503", "assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522", "state": "PUBLISHED", "assignerShortName": "ibm", "dateReserved": "2026-03-20T14:01:11.389Z", "datePublished": "2026-04-30T20:48:17.662Z", "dateUpdated": "2026-04-30T20:48:17.662Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522", "shortName": "ibm", "dateUpdated": "2026-04-30T20:48:17.662Z"}, "title": "Unauthenticated Insecure Direct Object Reference (IDOR) Vulnerability in Langflow Desktop Image Download Endpoint", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-639", "description": "CWE-639 Authorization Bypass Through User-Controlled Key", "type": "CWE"}]}], "affected": [{"vendor": "IBM", "product": "Langflow Desktop", "versions": [{"status": "affected", "version": "1.0.0", "lessThanOrEqual": "1.8.4", "versionType": "semver"}], "cpes": ["cpe:2.3:a:ibm:langflow_desktop:1.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:langflow_desktop:1.8.4:*:*:*:*:*:*:*"]}], "descriptions": [{"lang": "en", "value": "IBM Langflow Desktop 1.0.0 through 1.8.4 Langflow could allow an unauthenticated user to view other users' images due to an indirect object reference through a user-controlled key.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "<p>IBM Langflow Desktop 1.0.0 through 1.8.4 Langflow could allow an unauthenticated user to view other users' images due to an indirect object reference through a user-controlled key.</p>"}]}], "references": [{"url": "https://www.ibm.com/support/pages/node/7271099", "tags": ["vendor-advisory", "patch"]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE", "baseSeverity": "HIGH", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}}], "solutions": [{"lang": "en", "value": "IBM recommends addressing the vulnerability now by upgrading to IBM Langflow Desktop 1.9.0 or newer https://www.langflow.org/blog/langflow-1-9-desktop \nIf you are already using Langflow Desktop, upgrade in the application to version 1.9.0\nTo install Langflow Desktop for the first time, visit \u00a0Langflow Desktop https://langflow.org/desktop . Download https://langflow.org/desktop", "supportingMedia": [{"type": "text/html", "base64": false, "value": "<p>IBM recommends addressing the vulnerability now by upgrading to IBM Langflow Desktop 1.9.0 or newer <a href=\"https://www.langflow.org/blog/langflow-1-9-desktop\" rel=\"nofollow\">https://www.langflow.org/blog/langflow-1-9-desktop</a><br>If you are already using Langflow Desktop, upgrade in the application to version 1.9.0<br>To install Langflow Desktop for the first time, visit <a href=\"https://langflow.org/desktop\" rel=\"nofollow\"> Langflow Desktop</a>.<a href=\"https://langflow.org/desktop\" rel=\"nofollow\">Download</a></p>"}]}], "x_generator": {"engine": "ibm-cvegen"}}}}