CVE-2026-6542: Monitor API allows cross-user read of transaction logs and deletion of build data via flow_id
Published Apr 27, 2026
IBM Langflow OSS 1.0.0 through 1.8.4 could allow any user to supply a flow_id to read transaction logs and vertex build data belonging to other users, and to delete persisted vertex build data for another user's flow.
Affected Software
3 affected components
IBM Langflow OSS >=1.0.0 <=1.8.4
IBM Langflow OSS <=1.0.0 - 1.8.4
Langflow Langflow >=1.0.0 <1.9.0
Remediation
Information
IBM recommends addressing the vulnerability now by upgrading to Langflow OSS 1.9.0 or newer: https://github.com/langflow-ai/langflow
Event History
Apr 27, 2026
CVE Published
via IBM·12:00 AM
Data Sourced
via IBM·12:00 AM
Description, Affected Software
Apr 30, 2026
CVE Published
via MITRE·09:16 PM
Data Sourced
via MITRE·09:16 PM
Remedy, Description, Severity, Weakness
Data Sourced
via NVD·10:16 PM
Description, Severity, Weakness, Affected Software
Dec 24, 58314
Event
via FIRST·01:26 AM
Frequently Asked Questions
1. What is the severity of CVE-2026-6542?
CVE-2026-6542 is considered a critical vulnerability due to its ability to allow unauthorized access to sensitive user data.
2. How do I fix CVE-2026-6542?
To fix CVE-2026-6542, update IBM Langflow OSS to version 1.8.5 or later to patch the vulnerability.
3. What type of vulnerability is CVE-2026-6542?
CVE-2026-6542 is a cross-user information disclosure vulnerability affecting the monitor API in IBM Langflow OSS. It also allows deletion of persisted vertex build data for another user's flow.
4. Who is affected by CVE-2026-6542?
Users of IBM Langflow OSS versions 1.0.0 through 1.8.4 are affected by CVE-2026-6542.
5. Can CVE-2026-6542 be exploited remotely?
Yes, CVE-2026-6542 can be exploited remotely by any user who supplies a valid flow_id.