By AI Blog Editor
Jun 20, 2026 · 9 min read
The Patch — June 20, 2026
Langflow's June 19 batch closes two criticals — an arbitrary-file-read that chains to RCE (CVE-2026-55447, 9.6) and an IDOR that runs anyone's flow (CVE-2026-55255, 9.9), both fixed in 1.9.2 — alongside a wave of unauthenticated MCP-server advisories.
This morning's headline is Langflow — the low-code LLM builder a lot of people leave running on an open port. Its June 19 batch fixes two criticals: an arbitrary file read that chains to remote code execution (CVE-2026-55447, 9.6) and an IDOR that lets any logged-in user run someone else's flow (CVE-2026-55255, 9.9). Both are closed by 1.9.2. Alongside it, a cluster of MCP-server advisories landed the same day, all circling the same mistake — an HTTP transport left open without authentication. Nothing on the .NET or Angular side cleared the bar in the last 24 hours.
| Component | Affected | Severity | Patched? | Action | Relevance |
|---|---|---|---|---|---|
| langflow | < 1.9.2 | 9.9 (critical) | yes → 1.9.2 | upgrade now | AI stack |
| mcp-searxng | < 1.7.1 | 7.1 (high) | yes → 1.7.1 | upgrade; enable | AI stack |
| dbt-mcp | < 1.20.0 | 6.8 (moderate) | yes → 1.20.0 | upgrade | AI stack |
Worth your morning
Langflow (CVE-2026-55447 + CVE-2026-55255). Two criticals in one release. The first is a file-handling flaw in the BaseFileComponent nodes: through symlink handling, a request can be steered to read files outside the intended directory and from there to code execution on the host — scored 9.6, fixed in 1.9.2. The second is an IDOR in the /api/v1/responses endpoint (9.9): flow lookups by UUID never checked ownership, so any authenticated user could execute another user's flow by knowing its ID and reach that flow's data and credentials. That one's fixed in 1.9.1, but 1.9.2 covers both — jump straight to it. The same release also closes a high-severity unauthenticated DoS (CVE-2026-55446) and a moderate session issue where the logout button didn't clear the session (CVE-2026-55423). If your Langflow answers to anything but localhost, upgrade today.
The MCP-server wave. June 19 brought a run of MCP-server advisories that rhyme. mcp-searxng — the SearXNG bridge a lot of self-hosters wire into their agents — has an SSRF in web_url_read (7.1): the URL blocklist checked the hostname string but not what it resolved to, so a name pointing at a private address slipped past and let the server reach internal HTTP services. It's worst in the default HTTP deployment, which ships with authentication off; 1.7.1 moves DNS resolution inside the check, and MCP_HTTP_HARDEN closes the rest. dbt-mcp leaked its OAuth access and refresh tokens from an unauthenticated context endpoint (CVE-2026-55837, 6.8 → 1.20.0). And the same day's npm batch — appium-mcp, Uni-CLI, Kozou, Lokka — all trace back to one habit: an HTTP MCP transport exposed without authentication, or trusting localhost requests a browser can forge. If you run any MCP server over HTTP, assume it's reachable and put auth in front of it.
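The hostname-versus-resolution gap described for web_url_read, as an added Python sketch (not mcp-searxng's code): a name-only blocklist check beside one that resolves inside the check and rejects any non-public address. All function names, the blocklist and the DNS records are constructed for illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

BLOCKED_NAMES = {"localhost"}  # constructed sample blocklist
FAKE_DNS = {  # constructed records so the example runs offline
    "intranet.example.test": ["10.0.0.5"],
    "www.example.test": ["93.184.216.34"],
    "mixed.example.test": ["93.184.216.34", "::ffff:127.0.0.1"],
}

def fake_resolver(host):
    """Hypothetical stand-in for DNS; unknown names resolve to nothing."""
    return FAKE_DNS.get(host, [])

def system_resolver(host):
    """Addresses the OS would actually connect to for this name."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return [info[4][0] for info in infos]

def name_only_check(url):
    """Weak form: judges the hostname text, never what it resolves to."""
    host = (urlsplit(url).hostname or "").lower()
    if host in BLOCKED_NAMES:
        return False
    try:
        return ipaddress.ip_address(host).is_global
    except ValueError:
        return True  # any other name is waved through unresolved

def resolved_check(url, resolver=system_resolver):
    """Hardened form: resolve inside the check; every address must be public.
    Returns (allowed, addresses) so the caller can connect to a vetted address."""
    parts = urlsplit(url)
    host = parts.hostname
    if parts.scheme not in ("http", "https") or not host:
        return False, set()
    try:
        addrs = {ipaddress.ip_address(host)}  # literal IP in the URL
    except ValueError:
        try:
            addrs = {ipaddress.ip_address(a.split("%")[0]) for a in resolver(host)}
        except (OSError, ValueError):
            return False, set()
    # Judge IPv4-mapped IPv6 (::ffff:a.b.c.d) by its embedded IPv4 address.
    addrs = {(a.ipv4_mapped or a) if a.version == 6 else a for a in addrs}
    allowed = bool(addrs) and all(a.is_global for a in addrs)
    return allowed, {str(a) for a in addrs}
```

The check only holds if the fetch then connects to one of the returned addresses; resolving the name a second time at connect time reopens the gap.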
* * *
Thanks for reading. If a line here was useful — or plainly wrong — the comments are below and the newsletter has your back.