VulnWatch
Weekly digest · May 5, 2026

Langflow Floods, MCP Risks, and Ollama Windows RCE

This week saw a cascade of vulnerabilities in IBM Langflow, critical RCE risks in Ollama for Windows, and emerging threats in the Model Context Protocol ecosystem. Security teams must prioritize patching agentic frameworks and securing local AI deployments.

VulnWatch Weekly Digest: April 27 - May 3, 2026

Week in Review

This week was defined by an unprecedented volume of vulnerabilities surrounding low-code AI orchestration platforms, specifically IBM Langflow, which accounted for nearly one-third of all tracked entries. Simultaneously, critical infrastructure risks emerged in local model serving, most notably a silent update mechanism flaw in Ollama for Windows that enables remote code execution without user consent. The broader theme of the week is the fragility of the emerging agentic supply chain, as multiple Model Context Protocol (MCP) servers and adapters were found vulnerable to command injection and SSRF. While no items are currently flagged as actively exploited in the wild (is_exploited=false), the public availability of exploit code for many of these issues raises the immediate risk profile for unpatched systems.

Top Items of the Week

The following vulnerabilities represent the highest impact risks based on CVSS severity, exploitability, and the criticality of the affected components. Security teams should prioritize these items for immediate remediation.

  1. CVE-2026-6543: IBM Langflow Desktop Command Injection
    Severity: High (CVSS 8.8)
    Affected Component: IBM Langflow Desktop 1.0.0 through 1.8.4
    Impact: Allows an attacker to execute arbitrary commands with the privileges of the process running Langflow. This can lead to the theft of sensitive environment variables, including API keys and database credentials, and facilitate lateral movement within the internal network.
    Recommended Action: Upgrade to the latest patched version immediately. If upgrading is not possible, restrict network access to the Langflow interface and run the service with minimal privileges.
    Source: NVD CVE-2026-6543

  2. GHSA-537j-gqpc-p7fq: n8n MCP OAuth XSS
    Severity: High (CVSS 8.2)
    Affected Component: n8n workflow automation platform (MCP OAuth client)
    Impact: An unauthenticated attacker can register a malicious MCP OAuth client with a crafted client_name. When a victim revokes access, a toast notification renders the injected script, leading to credential theft and workflow manipulation.
    Recommended Action: Upgrade to n8n version 2.14.2 or later. Audit existing OAuth clients for suspicious names and revoke unknown integrations.
    Source: GitHub Advisory GHSA-537j-gqpc-p7fq

  3. CVE-2026-42249: Ollama for Windows Update Path Traversal
    Severity: High (CVSS 7.7)
    Affected Component: Ollama for Windows update mechanism
    Impact: Improper handling of HTTP response headers during updates allows path traversal. Attackers can write arbitrary executables outside the staging directory, leading to Remote Code Execution (RCE).
    Recommended Action: Apply the vendor patch immediately. Consider disabling automatic updates in enterprise environments until verification mechanisms are confirmed robust.
    Source: NVD CVE-2026-42249

  4. CVE-2026-42248: Ollama for Windows Signature Bypass
    Severity: High (CVSS 7.7)
    Affected Component: Ollama for Windows update verification
    Impact: The Windows implementation unconditionally returns success during update verification, bypassing digital signature checks. Combined with CVE-2026-42249, this enables silent installation of malicious payloads.
    Recommended Action: Same as above. This vulnerability removes the last line of defense against compromised update servers.
    Source: NVD CVE-2026-42248

  5. CVE-2026-4503: IBM Langflow Desktop IDOR
    Severity: High (CVSS 7.5)
    Affected Component: IBM Langflow Desktop 1.0.0 through 1.8.4
    Impact: An Insecure Direct Object Reference (IDOR) allows unauthenticated users to view other users' images via user-controlled keys, potentially leaking sensitive data embedded in workflow artifacts.
    Recommended Action: Upgrade Langflow. Implement network segmentation to prevent unauthenticated access to the Langflow port.
    Source: NVD CVE-2026-4503

Theme: The Langflow Security Cascade

IBM Langflow was the epicenter of this week's vulnerability landscape, with nine distinct entries ranging from High to Low severity. The concentration of flaws suggests systemic issues in the platform's input validation and access control mechanisms. The most critical issue, CVE-2026-6543, allows arbitrary command execution, effectively compromising the host system where Langflow is installed. This is particularly dangerous given Langflow's popularity in rapid prototyping environments where security hardening is often deprioritized.

Beyond RCE, the platform suffers from significant data leakage risks. CVE-2026-6542 and CVE-2026-4503 expose transaction logs, vertex build data, and user images to unauthorized parties through insecure direct object references. Furthermore, multiple path traversal vulnerabilities (CVE-2026-3345, CVE-2026-4502) allow authenticated attackers to write arbitrary files to the system. The presence of stored Cross-Site Scripting (CVE-2026-3346) and SSRF (CVE-2026-3340) further expands the attack surface, enabling session hijacking and network enumeration. Two additional low-severity code injection flaws (CVE-2026-7700, CVE-2026-7687) in the LambdaFilterComponent and CodeParser indicate that even "sandboxed" code execution features within the platform are not secure. For CISOs, this cluster signals that low-code AI platforms require the same rigorous security assessment as traditional enterprise software.

Theme: Agentic Supply Chain & MCP Risks

As organizations move from static chatbots to agentic workflows, the Model Context Protocol (MCP) has become a critical integration point. This week highlighted the immaturity of security in this ecosystem. The n8n XSS vulnerability (GHSA-537j-gqpc-p7fq) demonstrates how OAuth integrations can be weaponized to steal session tokens. More concerning are the multiple command injection vulnerabilities found in MCP servers and bridges.

The aider-mcp-server (CVE-2026-7157, CVE-2026-7316) and awesome-cursor-mpc-server (CVE-2026-7629) both allow remote attackers to inject commands via file manipulation arguments. Since these tools are designed to give AI models access to codebases and execution environments, a compromise here grants attackers direct access to development infrastructure. Additionally, the Claude Agent SDK (CVE-2026-7235) and Claude MCP Bridge (CVE-2026-7216) suffer from path traversal flaws that could allow agents to read or write files outside their intended scope. The Anthropic TypeScript SDK itself (GHSA-p7fg-763f-g4gf) was found to create memory files with insecure default permissions (world-readable/writable), risking local state leakage in shared environments. Finally, the OpenClaw advisory (GHSA-gfg9-5357-hv4c) revealed that audio embedding features could be tricked into reading local host files via prompt injection. This theme underscores a critical lesson: granting AI agents tool access without strict containment is equivalent to giving a remote user shell access.

Theme: Model Serving Infrastructure Vulnerabilities

Underlying the application layer, the infrastructure serving these models also showed cracks. The Ollama Windows vulnerabilities (CVE-2026-42249, CVE-2026-42248) are particularly severe because they affect the update mechanism itself. Silent automatic updates without signature verification mean that a man-in-the-middle attacker or a compromised update server could distribute malware to all Windows users instantly.
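The two Ollama items above fail at the two points any updater must get right: where a server-supplied filename is allowed to land, and whether the verification step can ever say "no". The following is an added illustration for this digest, not Ollama's updater code. It derives the staging path from a Content-Disposition header, refuses any name that could leave the staging directory, and checks the downloaded bytes against a manifest digest, returning False on every path except an exact match. The staging path, the allowed suffixes, the manifest layout and the sample payload are all constructed for the example; a real updater would also signature-check the manifest itself before trusting it.

```python
"""Confine header-derived update filenames to the staging directory and verify
each artifact against a manifest before install.

Added illustration, not Ollama's updater: staging path, suffix allowlist,
manifest format and sample payload are constructed for this example.
"""
import hashlib
import hmac
import os
import re
from typing import Optional

# Only plain single-segment names are acceptable for an installer. Names with a
# separator, a leading dot or unusual characters are rejected, not "cleaned", so
# a traversal attempt shows up as a hard failure rather than a quiet rename.
_SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,127}$")
_ALLOWED_SUFFIXES = (".exe", ".zip")  # constructed allowlist for the example

# Minimal Content-Disposition filename extraction (quoted or bare token).
# RFC 5987 "filename*=" parameters are deliberately ignored here.
_FILENAME_RE = re.compile(r'filename\s*=\s*(?:"([^"]*)"|([^;\s]+))', re.IGNORECASE)


def staged_path_for(staging_dir: str, content_disposition: Optional[str]) -> Optional[str]:
    """Return the path inside staging_dir the download may be written to,
    or None when the server-supplied name must not be trusted."""
    if not content_disposition:
        return None
    match = _FILENAME_RE.search(content_disposition)
    if not match:
        return None
    raw = match.group(1) if match.group(1) is not None else match.group(2)
    # Reject both separator styles: the advisory concerns Windows, and a check
    # that only knows "/" is bypassed with "\".
    if "/" in raw or "\\" in raw or "\x00" in raw:
        return None
    if not _SAFE_NAME.match(raw) or not raw.lower().endswith(_ALLOWED_SUFFIXES):
        return None
    candidate = os.path.join(staging_dir, raw)
    # Defense in depth: the resolved location must sit directly under staging_dir.
    if os.path.dirname(os.path.realpath(candidate)) != os.path.realpath(staging_dir):
        return None
    return candidate


def verify_artifact(name: str, data: bytes, manifest: dict) -> bool:
    """True only when `name` is in the manifest and its SHA-256 matches.
    Every other outcome is False; a verifier that returns True unconditionally,
    as described for the signature-bypass CVE, is no verifier at all."""
    expected = manifest.get(name)
    if not expected:
        return False
    actual = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(actual, expected)


def stage_and_verify(staging_dir: str, content_disposition: Optional[str],
                     data: bytes, manifest: dict):
    """The two checks in the order an updater should apply them."""
    path = staged_path_for(staging_dir, content_disposition)
    if path is None:
        return False, "untrusted filename in Content-Disposition"
    if not verify_artifact(os.path.basename(path), data, manifest):
        return False, "digest mismatch or unknown artifact"
    return True, path


# Constructed sample: not a real installer, not a real manifest.
SAMPLE_PAYLOAD = b"constructed installer bytes, not a real binary"
SAMPLE_MANIFEST = {"OllamaSetup.exe": hashlib.sha256(SAMPLE_PAYLOAD).hexdigest()}

if __name__ == "__main__":
    print(stage_and_verify("/tmp/stage", 'attachment; filename="OllamaSetup.exe"',
                           SAMPLE_PAYLOAD, SAMPLE_MANIFEST))
    print(stage_and_verify("/tmp/stage", 'attachment; filename="..\\..\\evil.exe"',
                           SAMPLE_PAYLOAD, SAMPLE_MANIFEST))
```

The design point is that neither check is allowed to degrade gracefully: an unexpected filename and an unknown or mismatched artifact both stop the update, which is exactly the behaviour the two advisories describe as missing.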

In the Python inference stack, CVE-2026-7669 in SGLang involves a deserialization flaw in the HuggingFace Transformer Handler, which could allow remote code execution if an attacker can influence model loading. Similarly, CVE-2026-7597 in mem0ai involves unsafe pickle.load usage in the FAISS vector store, a classic vector for RCE in Python ML pipelines. While CVE-2026-7141 in vllm is classified as difficult to exploit (uninitialized resource), it highlights the complexity of managing memory safely in high-performance inference engines. These vulnerabilities remind platform teams that the ML supply chain extends deep into the inference engines and vector databases that power their applications.
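The pickle.load pattern called out above (and in action item 4 under "What to Do This Week") is easy to grep for but easy to miss once the module is aliased or the function is imported directly. The following added example, not code from mem0ai, SGLang or FAISS, walks a file's AST and reports pickle-family loaders regardless of how they were imported, and also flags torch.load calls that do not pass weights_only=True, since torch.load is pickle underneath. The module list, the Finding type and the sample source are constructed for the example.

```python
"""Find pickle-style deserialization calls in Python source with the ast module.

Added illustration for this digest; not code from mem0ai, SGLang or FAISS.
The module and loader lists and the sample source are constructed.
"""
from __future__ import annotations

import ast
from dataclasses import dataclass

# Modules whose load/loads/Unpickler execute arbitrary code on untrusted input.
PICKLE_MODULES = {"pickle", "cPickle", "_pickle", "dill", "cloudpickle", "joblib"}
LOADER_NAMES = {"load", "loads", "Unpickler"}


@dataclass
class Finding:
    line: int
    call: str   # fully qualified flagged call, e.g. "pickle.load"
    note: str


def _weights_only_true(call: ast.Call) -> bool:
    return any(
        kw.arg == "weights_only" and isinstance(kw.value, ast.Constant) and kw.value.value is True
        for kw in call.keywords
    )


def find_unsafe_deserialization(source: str) -> list[Finding]:
    tree = ast.parse(source)
    module_aliases: dict[str, str] = {}  # local name -> module ("cp" -> "cloudpickle")
    func_aliases: dict[str, str] = {}    # local name -> "module.func" ("unpack" -> "pickle.loads")
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for alias in node.names:
                if alias.name in PICKLE_MODULES or alias.name == "torch":
                    module_aliases[alias.asname or alias.name] = alias.name
        elif isinstance(node, ast.ImportFrom) and node.module in PICKLE_MODULES:
            for alias in node.names:
                if alias.name in LOADER_NAMES:
                    func_aliases[alias.asname or alias.name] = f"{node.module}.{alias.name}"

    findings: list[Finding] = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        if isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name):
            module = module_aliases.get(func.value.id)
            if module in PICKLE_MODULES and func.attr in LOADER_NAMES:
                findings.append(Finding(node.lineno, f"{module}.{func.attr}",
                                        "arbitrary code execution on untrusted input"))
            elif module == "torch" and func.attr == "load" and not _weights_only_true(node):
                # torch.load is pickle underneath; weights_only=True restricts the unpickler.
                findings.append(Finding(node.lineno, "torch.load",
                                        "pickle-based checkpoint load without weights_only=True"))
        elif isinstance(func, ast.Name) and func.id in func_aliases:
            findings.append(Finding(node.lineno, func_aliases[func.id],
                                    "arbitrary code execution on untrusted input"))
    return sorted(findings, key=lambda f: f.line)


def scan_file(path: str) -> list[Finding]:
    with open(path, encoding="utf-8") as fh:
        return find_unsafe_deserialization(fh.read())


# Constructed sample resembling a small vector-store persistence module.
SAMPLE_SOURCE = '''\
import pickle
import cloudpickle as cp
from pickle import loads as unpack
import json
import torch

def load_index(path):
    with open(path, "rb") as fh:
        return pickle.load(fh)

def load_meta(blob):
    return unpack(blob)

def load_cfg(path):
    with open(path) as fh:
        return json.load(fh)

def restore(blob):
    return cp.loads(blob)

def load_weights(path):
    return torch.load(path)

def load_weights_safely(path):
    return torch.load(path, weights_only=True)
'''

if __name__ == "__main__":
    for finding in find_unsafe_deserialization(SAMPLE_SOURCE):
        print(f"line {finding.line}: {finding.call} ({finding.note})")
```

Run over a repository with scan_file per .py file; every hit is a place where the input's provenance has to be established, or the format swapped for JSON, safetensors or protobuf as the action list suggests.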

Theme: SSRF and Path Traversal in AI Wrappers

A significant portion of this week's entries involved Server-Side Request Forgery (SSRF) and path traversal in open-source AI wrappers. ChatGPTNextWeb (NextChat) had a particularly rough week with four vulnerabilities. Two SSRF flaws (CVE-2026-7178, CVE-2026-7177) allow attackers to make unauthorized requests from the server, potentially accessing internal cloud metadata services. An improper authorization flaw (CVE-2026-7644) in the MCP server addition function could allow users to connect agents to unauthorized backends. A permissive cross-domain policy (CVE-2026-7643) further exacerbates the risk of data exfiltration.

Similarly, the mcp-chat-studio (CVE-2026-7147) and IBM Langflow (CVE-2026-3340) both exhibited SSRF behaviors. These vulnerabilities are often introduced when developers allow AI models to fetch external URLs or connect to user-specified endpoints without validating allowlists. In a cloud environment, SSRF is often the first step in a broader compromise, allowing attackers to pivot from the AI application to the underlying infrastructure.

Exploitation Status

Every entry in this week's digest is flagged is_exploited=false, meaning there is no confirmed widespread active exploitation in the wild yet. Many of the advisories nonetheless state explicitly that "The exploit has been made available to the public," including critical issues in Langflow, NextChat, and the MCP servers. The distinction matters for risk assessment: the weapons are on the shelf, even if the army hasn't marched yet. Security teams should treat public PoCs as imminent threats, especially for internet-facing services.

What to Do This Week

  1. Patch Langflow Immediately: If you use IBM Langflow (Desktop or OSS), upgrade to the latest version beyond 1.8.4. If you cannot patch, isolate the service from the public internet and restrict outbound network access.
  2. Secure Ollama Windows Deployments: Apply the Ollama patch to fix the update mechanism. Until verified, consider disabling automatic updates via group policy or configuration flags in enterprise environments.
  3. Audit MCP Integrations: Review all connected MCP servers and OAuth clients. Remove unused integrations and ensure that MCP servers are running with the least privilege necessary. Validate that file system access tools are sandboxed.
  4. Scan for Pickle Deserialization: Search your ML codebases for pickle.load usage, particularly in vector stores like FAISS or mem0. Migrate to safer serialization formats like JSON or protobuf where possible.
  5. Implement SSRF Protections: Ensure that any feature allowing the AI to fetch URLs or connect to external services uses a strict allowlist and blocks access to internal IP ranges (10.x.x.x, 169.254.169.254).
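Action item 5, and the SSRF theme above, come down to one decision function: given a URL the model or a user wants fetched, may the server connect to it? The following added example, not code from NextChat, mcp-chat-studio or Langflow, applies an exact-match host allowlist and then checks every resolved address, so an allowlisted name that resolves into 10.0.0.0/8, to 169.254.169.254 or to any other non-public range is still refused. The allowlist, the fake DNS table and the addresses in it are constructed; the resolver is injected so the sample runs offline.

```python
"""Allowlist-plus-resolved-address validation for agent URL fetches.

Added illustration for this digest, not code from NextChat, mcp-chat-studio or
Langflow. The allowlist, the fake DNS table and its addresses are constructed.
"""
import ipaddress
import socket
from typing import Callable, Iterable, List, Tuple
from urllib.parse import urlsplit

Resolver = Callable[[str], List[str]]

# Explicit denylist for the two ranges named in the digest, kept visible even
# though is_global below already rejects them along with loopback, the other
# RFC 1918 blocks, link-local, ULA, multicast and reserved space.
BLOCKED_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("169.254.169.254/32"),  # cloud metadata endpoint
]


def system_resolver(host: str) -> List[str]:
    """Real resolver for production use; the offline sample does not call it."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def _is_public(ip_text: str) -> bool:
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # unparsable answers (e.g. scoped link-local) are not trusted
    # Unwrap IPv4-mapped IPv6 (::ffff:10.0.0.5) so the IPv4 rules apply to it.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    if any(ip in net for net in BLOCKED_NETWORKS):
        return False
    return ip.is_global


def check_url(url: str, allowed_hosts: Iterable[str], resolver: Resolver) -> Tuple[bool, str]:
    """Decide whether the service may fetch `url`. Returns (allowed, reason)."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, f"scheme not permitted: {parts.scheme!r}"
    if parts.username is not None or parts.password is not None:
        return False, "userinfo in URL is not permitted"
    host = parts.hostname
    if not host:
        return False, "missing host"
    # Exact match only; suffix matching invites "allowed.com.attacker.net".
    if host.lower() not in {h.lower() for h in allowed_hosts}:
        return False, f"host not in allowlist: {host}"
    try:
        addresses = resolver(host)
    except OSError:  # socket.gaierror is a subclass
        return False, f"could not resolve {host}"
    if not addresses:
        return False, f"no addresses for {host}"
    # Every address must be public: an allowlisted name pointing at internal
    # space (misconfiguration or DNS rebinding) is still rejected.
    bad = [a for a in addresses if not _is_public(a)]
    if bad:
        return False, f"{host} resolves to non-public address(es): {', '.join(bad)}"
    return True, f"{host} -> {', '.join(addresses)}"


# Constructed allowlist and DNS answers for the offline demo (not real records).
ALLOWED_HOSTS = ["api.example.com", "docs.example.com", "internal.example.com"]
SAMPLE_DNS = {
    "api.example.com": ["93.184.216.34"],
    "docs.example.com": ["2606:2800:220:1:248:1893:25c8:1946"],
    "internal.example.com": ["10.0.0.5"],
}


def sample_resolver(host: str) -> List[str]:
    return SAMPLE_DNS.get(host, [])


def demo(url: str) -> Tuple[bool, str]:
    return check_url(url, ALLOWED_HOSTS, sample_resolver)


if __name__ == "__main__":
    for u in ("https://api.example.com/v1/data", "https://internal.example.com/",
              "http://169.254.169.254/latest/meta-data/", "https://evil.example.com@api.example.com/"):
        print(u, "->", demo(u))
```

One caveat the code cannot remove on its own: the address that passes the check must be the address actually connected to, otherwise a second lookup between check and connect can return a different answer. Pin the connection to the validated IP (or validate inside the HTTP client's connection hook) rather than re-resolving, and apply the same check to every redirect target.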

What to Watch Next Week

Next week, we will be monitoring the adoption rate of the Langflow patches, as the high volume of vulnerabilities may overwhelm some maintenance teams. We are also watching for potential follow-up advisories regarding the Model Context Protocol specification itself, as the sheer number of implementation flaws suggests the standard may need security hardening guidelines. Finally, keep an eye on the Ollama community for confirmation that the Windows update signature verification has been fully restored and tested against bypass techniques.

Covered entries (30)