目標達成 すべての支援者に感謝 — 100%達成しました!

目標: 1000 CNY · 調達済み: 1336 CNY

100%

CVE-2026-9103— 未认证超用户令牌通过自动登录端点签发

CVSS 9.8 · Critical

Affected Version Matrix 1

ベンダープロダクトVersion Rangeステータス
IBMLangflow OSS1.0.0≤ 1.10.0affected
新しい脆弱性情報の通知を購読するログインして購読

I. CVE-2026-9103の基本情報

脆弱性情報

脆弱性についてご質問がありますか?Shenlongの分析が参考になるかご確認ください!
Shenlongの10の質問を表示 ↗

高度な大規模言語モデル技術を使用していますが、出力には不正確または古い情報が含まれる可能性があります。Shenlongはデータの正確性を確保するよう努めていますが、実際の状況に基づいて検証・判断してください。

脆弱性タイトル
Unauthenticated Superuser Token Issuance via Auto-Login Endpoint
ソース: NVD (National Vulnerability Database)
脆弱性説明
IBM Langflow OSS 1.0.0 through 1.10.0 could allow a remote attacker to gain unauthorized access due to improper authentication in the /api/v1/login/auto_login endpoint. The endpoint issues long-lived superuser bearer tokens without requiring authentication when the AUTO_LOGIN configuration is enabled (enabled by default), which may allow an unauthenticated network attacker to obtain full administrative access. Additionally, permissive cross-origin resource sharing (CORS) settings may allow tokens to be exposed to unintended origins, increasing the risk of unauthorized access.
ソース: NVD (National Vulnerability Database)
CVSS情報
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
ソース: NVD (National Vulnerability Database)
脆弱性タイプ
关键功能的认证机制缺失
ソース: NVD (National Vulnerability Database)

影響を受ける製品

ベンダープロダクト影響を受けるバージョンCPE購読
IBMLangflow OSS 1.0.0 ~ 1.10.0 cpe:2.3:a:ibm:langflow_oss:1.0.0:*:*:*:*:*:*:*

II. CVE-2026-9103の公開POC

#POC説明ソースリンクShenlongリンク
AI生成POCプレミアム

公開POCは見つかりませんでした。

ログインしてAI POCを生成

III. CVE-2026-9103のインテリジェンス情報

登录查看更多情报信息。

CVE-2026-9103 其他参考 (1)

Same Patch Batch · IBM · 2026-07-17 · 34 CVEs total

CVE-2026-91359.9 CRITICALPolicies Component Dynamic CodeInput Fields Bypass Custom Component Validation
CVE-2026-88599.9 CRITICALPath Traversal in APIRequest Component via Content-Disposition Header
CVE-2026-86359.9 CRITICALArbitrary Code Execution in Python Interpreter Component
CVE-2026-84819.9 CRITICALRemote Code Execution via Code Validation Endpoint
CVE-2026-84769.9 CRITICALDisk Cache Deserialization Remote Code Execution Vulnerability
CVE-2026-134469.8 CRITICALLangflow is affected by remote code execution, denial of service, path traversal, and expo
CVE-2026-92029.8 CRITICALUnauthenticated User Registration Could Lead to Remote Code Execution
CVE-2026-91989.8 CRITICALUnauthenticated Remote Code Execution via Auto-Login Bypass and Code Validation
CVE-2026-85059.8 CRITICALAuthentication Bypass in Webhook Endpoints Allowed Unauthorized Flow Execution
CVE-2026-150919.3 CRITICALMultiple Vulnerabilities in IBM Engineering AI hub.
CVE-2026-76678.8 HIGHPath Traversal Vulnerability in API Request Component Content-Disposition Header Processin
CVE-2026-80568.8 HIGHParameter Injection Vulnerability in API Graph Execution Engine
CVE-2026-77558.8 HIGHMCP Server Configuration Validator Bypass via File Upload API
CVE-2026-144998.8 HIGHLangflow is affected by remote code execution, denial of service, path traversal, and expo
CVE-2026-134458.1 HIGHLangflow is affected by remote code execution, denial of service, path traversal, and expo
CVE-2026-134488.1 HIGHLangflow is affected by remote code execution, denial of service, path traversal, and expo
CVE-2026-134738.1 HIGHIBM Storage Protect Client is vulnerable to Heap-Based Buffer Overflow
CVE-2026-97627.8 HIGHIBM® Data Server driver for JDBC and SQLJ is vulnerable to remote code execution when jdbc
CVE-2026-77547.7 HIGHSSRF Protection Configuration Vulnerability
CVE-2026-78727.5 HIGHPath Traversal Vulnerability in File Component Leading to Arbitrary File Read and Authenti

Showing 20 of 34 CVEs. View all on vendor page →

IV. 関連脆弱性

V. CVE-2026-9103へのコメント

まだコメントはありません


コメントを残す