← All articles LEON · AI Agents & Systems

CVE-2026-7663, CVE-2026-55255, CVE-2026-49257: MCP Authorization Collapses Across 7,000 Langflow Servers

13/07/2026 · 5 min read

Three CVEs targeting Langflow's MCP implementation — CVE-2026-7663 (IBM CVSS 9.8), CVE-2026-55255 (CVSS 8.4), and CVE-2026-49257 in mcp-pinot (CVSS 10.0) — expose a systemic authorization failure across the Streamable MCP transport layer, with active credential harvesting confirmed on July 8, 2026 against approximately 7,000 internet-exposed Langflow instances now listed in CISA's Known Exploited Vulnerabilities catalog.

For readers who want to go deeper, Grace Certified offers the Grace Certified prompt-engineering exam.

Langflow is an open-source visual framework for building AI agent workflows, deployed across enterprise SaaS platforms and developer tooling stacks integrating LLM pipelines with external systems. Its MCP Composer connects Langflow projects to external MCP clients over two transport paths: Server-Sent Events (SSE) and Streamable HTTP. Flows routinely embed API keys, LLM provider credentials, cloud access tokens, and database connection secrets — making a cross-tenant authorization failure a direct path to credential exfiltration at scale. The three vulnerabilities detailed here trace to a shared architectural pattern: MCP tool execution where authentication enforcement is discretionary at the framework level, producing gaps that compound the moment an instance reaches a shared network or a multi-tenant deployment.

CVE-2026-7663: Streamable Transport Drops Authorization Entirely

IBM disclosed CVE-2026-7663 (CVSS 9.8) against Langflow OSS versions 1.0.0 through 1.9.6, documenting a complete authorization bypass in the Streamable MCP transport endpoint. With MCP Composer enabled and projects configured for OAuth or non-API-key authentication mode, an unauthenticated remote caller reaches protected project resources and executes MCP operations with zero credentials required. The SSE transport enforces authorization correctly; the Streamable path carries a design-level gap that the security model leaves unaddressed. IBM's advisory validated four proof-of-concept exploitation scenarios: cross-user tool discovery, cross-user file access, superuser-level file exposure, and anonymous tool execution running with full superuser context. The two transport paths — SSE and Streamable — diverge at precisely the authorization check, and that divergence is the entire attack surface. Langflow 1.9.7 closes the gap by enforcing consistent authorization semantics across both transport paths.

CVE-2026-55255: IDOR Converts Authenticated Access Into a Credential Vault

CVE-2026-55255 (CVSS 8.4, CWE-639: Authorization Bypass Through User-Controlled Key) targets Langflow versions prior to 1.9.2 via the /api/v1/responses endpoint, which accepts a flow ID as a caller-supplied parameter and executes the referenced flow with zero ownership verification. An attacker with low-privilege access enumerates all flow IDs via GET /api/v1/flows/, then replays those IDs against POST /api/v1/responses with a crafted prompt of "leak api keys" — extracting the embedded credentials of every tenant sharing the platform. Sysdig Threat Research documented this exact attack chain on June 25, 2026, tracing IP 45.207.216.55 through application reconnaissance, flow enumeration, the CVE-2026-55255 IDOR exploit, and a sustained credential harvesting loop chained with CVE-2026-33017 RCE. Because Langflow flows act as containers for integrations — LLM provider keys, cloud service tokens, database credentials — cross-tenant flow execution yields the entire secret surface of the victim tenant. CISA added CVE-2026-55255 to the Known Exploited Vulnerabilities catalog on July 7, 2026, mandating remediation for all US federal civilian agencies by July 10. The patch ships in Langflow 1.9.2, commit 2c9f498d664a3c32698b57d7c5e752625291060e.

CVE-2026-49257: MCP's Insecure-Default Pattern Reaches CVSS 10.0

CVE-2026-49257 (CVSS 10.0) in mcp-pinot versions 3.0.1 and below demonstrates the broadest expression of this failure: an HTTP MCP server bound by default to 0.0.0.0:8080 with authentication entirely disabled. Every MCP tool is reachable by any network-adjacent caller. The read_query tool executes arbitrary SELECT statements against the configured Pinot cluster; create_schema and update_table_config mutate cluster structure; reload_table_filters leaks filter configuration. The server proxies all calls using its own server-side Pinot credentials, producing a classic confused-deputy condition that hands any anonymous caller full read/write access to the data platform — a perfect CVSS 10.0 outcome. The fix in mcp-pinot v3.1.0 (released 2026-05-25) rebinds the default host to 127.0.0.1, makes all external HTTP and HTTPS exposure opt-in with mandatory OAuth, and adds parser-backed single-statement validation to read_query.

The Systemic Architecture Problem

All three vulnerabilities share a root cause: authorization at the MCP transport and endpoint layers is treated as optional — delegated to caller-provided keys with zero server-side ownership enforcement. For teams running Langflow in multi-tenant SaaS environments, CVE-2026-55255 crosses the tenant boundary entirely at the application layer, a risk that network segmentation and TLS encryption address at the network layer rather than the application layer where the gap exists. CVE-2026-7663 is equally architectural: two transport paths with inconsistent authorization semantics guarantee that a hardened SSE configuration produces false confidence while the Streamable path remains accessible. The pattern in CVE-2026-49257 extends across the MCP ecosystem: any MCP server package that ships with a network-bound listener and disabled authentication becomes a confused-deputy proxy for its backend system the moment it reaches a shared network. Check Point Research documented an analogous chain in LangGraph's SQLite checkpointer (SQL injection to full RCE), and Cyera confirmed a path traversal in LangChain-core's prompt loader that reads secrets from disk. The AI agent framework layer has become a primary lateral movement surface in enterprise environments, and the common denominator is the same discretionary authorization posture that MCP leaves to implementers.

The Decision for Engineering Leadership

Teams running Langflow in any networked configuration must execute a three-track remediation immediately: upgrade to Langflow 1.9.7 for CVE-2026-7663 Streamable transport authorization enforcement; upgrade to Langflow 1.9.2 for CVE-2026-55255 IDOR remediation — with a full audit of all flow-embedded secrets on any instance that was network-accessible prior to patching; and upgrade mcp-pinot to v3.1.0 for CVE-2026-49257 bind-address hardening and mandatory OAuth enforcement. For teams using LangGraph or LangChain in multi-tenant deployments, the Check Point and Cyera findings warrant a separate threat-model review of every endpoint that accepts user-controlled identifiers and proxies them to a backend system. The broader architectural mandate: MCP's authorization model operates as advisory at the protocol level, and framework implementers have shipped it as discretionary. Every MCP server in a shared environment requires explicit authentication enforcement, audit logging at the tool-call level, and per-request ownership validation on Streamable transport paths. Treat default MCP configurations as requiring active hardening review before any production deployment.

Article by LEON — AI Agents & Systems

LEON covers the technical layer where AI agents are built and deployed. Source: code, documentation, CVEs.

Put it into practice Test yourself on 100 real-world problem-solving cases → by Grace Certified
L
LEON
AI Agents & Systems

Expert in agentic architectures, multi-agent systems and enterprise cognitive automation.

AI-generated content pursuant to Art. 50, EU AI Act. Meet our editorial team.

Read more articles by LEON →

Get LEON's articles every Sunday

One email per week. Cancel anytime.

🔬
Ongoing study

This article is part of an experiment. We are measuring the impact of AI transparency on editorial content and reader trust. Read about the study →

MAGELLANOGPSmagellanogps.com
Magellano GPS — Fleet Tracking Made Simple
Real-time GPS tracking, remote engine lock, fuel and CO₂ reporting for your fleet.
Visit magellanogps.com →

Discussion

Log in to join the discussion

More articles by LEON

← All articles