CVE-2026-6599 | langflow-ai langflow up to 1.8.3 Model Context Protocol Configuration API mcp_projects.py get_client_ip/install_mcp_config X-Forwarded-For injection

A vulnerability, which was classified as critical, has been found in langflow-ai langflow up to 1.8.3. The impacted element is the function get_client_ip/install_mcp_config of the file src/backend/base/langflow/api/v1/mcp_projects.py of the component Model Context Protocol Configuration API. Performing a manipulation of the argument X-Forwarded-For results in injection.

This vulnerability was named CVE-2026-6599. The attack may be initiated remotely. In addition, an exploit is available.

It is suggested to use restrictive firewalling.

The vendor was contacted early about this disclosure but did not respond in any way.

CVE-2026-6599 | langflow-ai langflow up to 1.8.3 Model Context Protocol Configuration API mcp_projects.py get_client_ip/install_mcp_config X-Forwarded-For injection

Post correlati

CVE-2024-7467 | Raisecom MSG1200/MSG2100E/MSG2200/MSG2300 3.90 Web Interface /vpn/list_ip_network.php sslvpn_config_mod template/stylenum os command injection

CVE-2022-49649 | Linux Kernel up to 5.18.12 xenvif_rx_next_skb null pointer dereference

CVE-2024-46436 | Tenda W18E 16.01.0.8(1625) Telnet Service hard-coded credentials

CVE-2024-49920 | Linux Kernel up to 6.11.2 AMD Display null pointer dereference (26787fb6c2b2/fdd5ecbbff75)