Submission #791922: Langflow <= 1.8.3 Authentication Bypass by Spoofing

Title: Langflow <= 1.8.3 Authentication Bypass by Spoofing

Description:

# Technical Details

An IP spoofing vulnerability exists in the Model Context Protocol (MCP) configuration API of Langflow. An authenticated remote attacker can bypass a "local-only" restriction that is meant to prevent remote clients from modifying the server's local MCP configuration files. The application trusts the client-supplied `X-Forwarded-For` HTTP header without validating it against a trusted reverse-proxy configuration, so an attacker can spoof the loopback address (`127.0.0.1`).

# Vulnerable Code

File: `src/backend/base/langflow/api/v1/mcp_projects.py`

Methods: `get_client_ip()` / `install_mcp_config()`

Why: `get_client_ip` reads `request.headers.get("X-Forwarded-For")` and returns the first address in the list, without checking that the request actually arrived through a trusted proxy. The first entry of `X-Forwarded-For` is whatever the client chose to send; only entries appended by proxies the operator controls carry any authority. The `install_mcp_config` endpoint passes this attacker-controlled value to `is_local_ip()`. If the attacker sends `X-Forwarded-For: 127.0.0.1`, the check passes and the restricted administrative functionality becomes reachable.

# Reproduction

1. The attacker obtains valid login credentials or a bearer token (even with minimal privileges).
2. The attacker identifies a valid project ID within Langflow.
3. The attacker issues `POST /api/v1/mcp/project/<project_id>/install` from a remote machine with the HTTP header `X-Forwarded-For: 127.0.0.1` added to the request.
4. The server treats the request as originating from `localhost`, allowing the attacker to specify and write to local configuration files (such as `mcp.json`).

# Impact

- Arbitrary configuration write: remote attackers can manipulate the MCP settings for backend tools on the server's filesystem.
- Security bypass: defeats the network-boundary defence implemented in application logic.
- Potential vector for further server-side attacks by injecting malicious MCP definitions into developer tools (Cursor, Windsurf) located on the same server instance.

Source: https://gist.github.com/chenhouser2025/a909c47316b7a0948ee68c109ab747a3
User: Eric-f (UID 96873)
Submitted: 28/03/2026 14:48 (24 days ago)
Moderated: 19/04/2026 15:47 (22 days later)
Status: Accepted
VulDB Entry: 358234 [langflow-ai langflow up to 1.8.3 Model Context Protocol Configuration API mcp_projects.py get_client_ip/install_mcp_config X-Forwarded-For privilege escalation]
Points: 20
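The following is an added example, not code from Langflow or from the submitter's gist. It reconstructs the header-trust pattern the report describes (an assumption, since the page does not quote the real `get_client_ip`) next to a hardened version that only honours `X-Forwarded-For` when the TCP peer is a configured reverse proxy, and then walks the header from the right to find the first hop that is not itself a trusted proxy. `TRUSTED_PROXY_NETS`, the `Request` stand-in and the sample addresses are all constructed for the example.

```python
import ipaddress
from dataclasses import dataclass, field

# Hypothetical operator setting: networks from which a reverse proxy is allowed
# to set X-Forwarded-For. Langflow's real configuration surface is not shown on
# this page; this list is an assumption made for the example.
TRUSTED_PROXY_NETS = [ipaddress.ip_network("10.0.0.0/8")]


@dataclass
class Request:
    """Minimal stand-in for a framework request: the TCP peer address plus the
    HTTP headers. Not Langflow's or Starlette's request class."""
    peer_ip: str
    headers: dict = field(default_factory=dict)


def is_local_ip(ip: str) -> bool:
    """True only for a syntactically valid loopback address (127.0.0.0/8 or ::1)."""
    try:
        return ipaddress.ip_address(ip).is_loopback
    except ValueError:
        return False


def vulnerable_get_client_ip(request: Request) -> str:
    """Pattern described in the report: trust the first X-Forwarded-For entry
    unconditionally. That entry is whatever the client put there."""
    xff = request.headers.get("X-Forwarded-For")
    if xff:
        return xff.split(",")[0].strip()
    return request.peer_ip


def _is_trusted_proxy(ip: str) -> bool:
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_PROXY_NETS)


def hardened_get_client_ip(request: Request) -> str:
    """Honour X-Forwarded-For only when the immediate peer is a trusted proxy,
    then take the right-most entry that is not itself a trusted proxy: proxies
    append to the header, so everything to the left is client-controlled."""
    if not _is_trusted_proxy(request.peer_ip):
        return request.peer_ip  # direct connection: the header carries no authority
    xff = request.headers.get("X-Forwarded-For", "")
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            return request.peer_ip  # malformed entry: fall back to the peer address
        if not _is_trusted_proxy(hop):
            return hop
    return request.peer_ip  # every hop was one of our proxies; nothing else to trust


def install_allowed(request: Request, get_ip) -> bool:
    """The local-only gate from the report, parameterised on the IP lookup."""
    return is_local_ip(get_ip(request))


# Constructed sample requests (not captured traffic):
# 1. Remote attacker connecting directly and spoofing the header.
SPOOFED = Request("203.0.113.5", {"X-Forwarded-For": "127.0.0.1"})
# 2. Same attacker behind a trusted proxy that appends the real client address.
VIA_PROXY = Request("10.0.0.1", {"X-Forwarded-For": "127.0.0.1, 203.0.113.5"})
# 3. Genuine local client with no proxy involved.
LOCAL = Request("127.0.0.1")

if __name__ == "__main__":
    for name, req in (("spoofed", SPOOFED), ("via_proxy", VIA_PROXY), ("local", LOCAL)):
        print(name,
              "vulnerable:", install_allowed(req, vulnerable_get_client_ip),
              "hardened:", install_allowed(req, hardened_get_client_ip))
```

With the vulnerable lookup all three requests pass the gate; with the hardened lookup only the genuinely local one does. The fallback to the peer address on a malformed entry is deliberate: a parse failure in a header the attacker controls must never widen access.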
