CVE-2026-4503: Unauthenticated Insecure Direct Object Reference (IDOR) Vulnerability in Langflow Desktop Image Download Endpoint
Published Apr 28, 2026
·Updated
IBM Langflow Desktop 1.0.0 through 1.8.4 Langflow could allow an unauthenticated user to view other users' images due to an indirect object reference through a user-controlled key.
Affected Software
3 affected components
IBM Langflow Desktop>=1.0.0<=1.8.4
IBM Langflow Desktop<=1.0.0 – 1.8.4
Langflow Langflow Desktop>=1.0.0<=1.8.4
Remediation
Information
IBM recommends addressing the vulnerability now by upgrading to IBM Langflow Desktop 1.9.0 or newer https://www.langflow.org/blog/langflow-1-9-desktop
If you are already using Langflow Desktop, upgrade in the application to version 1.9.0
To install Langflow Desktop for the first time, visit Langflow Desktop https://langflow.org/desktop . Download https://langflow.org/desktop
Event History
Apr 28, 2026
CVE Published
via IBM·12:00 AM
Data Sourced
via IBM·12:00 AM
DescriptionAffected Software
Apr 30, 2026
CVE Published
via MITRE·08:48 PM
Data Sourced
via MITRE·08:48 PM
RemedyDescriptionSeverityWeakness
Data Sourced
via NVD·09:16 PM
DescriptionSeverityWeaknessAffected Software
Frequently Asked Questions
1
What is the severity of CVE-2026-4503?
CVE-2026-4503 is considered a medium severity vulnerability due to the potential exposure of sensitive user images.
2
How do I fix CVE-2026-4503?
To fix CVE-2026-4503, update IBM Langflow Desktop to the latest version beyond 1.8.4 where the vulnerability has been addressed.
3
What type of vulnerability is CVE-2026-4503?
CVE-2026-4503 is classified as an Unauthenticated Insecure Direct Object Reference (IDOR) vulnerability.
4
Who is affected by CVE-2026-4503?
Users of IBM Langflow Desktop versions 1.0.0 through 1.8.4 are affected by CVE-2026-4503.
5
What can an attacker do with CVE-2026-4503?
An attacker can exploit CVE-2026-4503 to gain unauthorized access to view images of other users without authentication.