Skip to main content

IBM Langflow EUVDEUVD-2026-40403

| CVE-2026-10140 CRITICAL
Authorization Bypass Through User-Controlled Key (CWE-639)
2026-06-30 psirt@us.ibm.com GHSA-p5v5-v74q-w38h
9.6
CVSS 3.1 · Vendor: us
Share

Severity by source

Vendor (us) PRIMARY
9.6 CRITICAL
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
vuln.today AI
8.5 HIGH

Authenticated low-priv network attacker (PR:L, AC:L); scope change as impact crosses to other tenants and upstream accounts; integrity high from billing/accountability corruption, confidentiality only low since cross-credential data exposure is plausible but unconfirmed.

3.1 AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:L/SA:N

Primary rating from Vendor (us).

CVSS VectorVendor: us

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jun 30, 2026 - 20:32 vuln.today

DescriptionCVE.org

IBM Langflow OSS 1.0.0 through 1.10.0 voice mode contains improper shared-state handling that allows reuse of API clients across tenant boundaries. An authenticated attacker can manipulate cache state to cause requests from other users to be processed using incorrect upstream API credentials, leading to cross-tenant billing and accountability misattribution.

AnalysisAI

Cross-tenant credential confusion in IBM Langflow OSS 1.0.0 through 1.10.0 lets an authenticated user manipulate the voice-mode shared cache so that other tenants' requests are processed with the wrong upstream API credentials, causing billing and accountability to be misattributed across tenant boundaries. The flaw (CWE-639) requires only low-privilege authentication and is rated critical (CVSS 9.6) because a scope change extends the impact to other users and upstream services. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate as low-privileged tenant
Delivery
Invoke voice mode to seed shared client cache
Exploit
Manipulate cache state to bind wrong credentials
Execution
Victim tenant request served from poisoned cache
Persist
Upstream calls run under incorrect credentials
Impact
Cross-tenant billing and accountability misattribution

Vulnerability AssessmentAI

Exploitation Exploitation requires a valid authenticated account (PR:L) on a Langflow OSS instance running an affected version (1.0.0-1.10.0) with voice mode in use, and it specifically targets the voice-mode API-client caching path - it is not reachable through other Langflow features. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The provided CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N, 9.6) reflects network reachability, low attack complexity, and only low privileges, with the scope change driving the critical score because impact lands on other tenants and upstream provider accounts. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A low-privileged but authenticated user of a shared multi-tenant Langflow instance interacts with voice mode to seed or manipulate the shared API-client cache, then waits for or induces other tenants' voice requests to be served from that poisoned cache entry. Those victims' requests are executed using the attacker-influenced (incorrect) upstream API credentials, so usage is billed to and logged against the wrong tenant. …
Remediation Patch available per vendor advisory: consult IBM's advisory at https://www.ibm.com/support/pages/node/7278209 for the fixed release and upgrade Langflow OSS beyond the affected 1.0.0-1.10.0 range as instructed; no exact fixed version number was included in the provided data, so do not assume one. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify and document all IBM Langflow OSS instances running versions 1.0.0-1.10.0; audit current tenant configurations and billing systems for evidence of anomalous cross-tenant requests. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2025-3248 CRITICAL POC
9.8 Apr 07

Langflow before 1.3.0 allows unauthenticated remote code injection through the /api/v1/validate/code endpoint, enabling

CVE-2025-34291 CRITICAL POC
9.4 Dec 05

Langflow versions up to and including 1.6.9 contain a chained vulnerability that enables account takeover and remote cod

CVE-2026-27966 CRITICAL POC
9.8 Feb 26

Code injection in Langflow CSV Agent node before 1.8.0. The node hardcodes allow_dangerous_code=True, enabling arbitrary

CVE-2026-0770 CRITICAL POC
9.8 Jan 23

Langflow has a third RCE vulnerability via exec_globals (EPSS 10.0%) allowing inclusion of untrusted code that executes

CVE-2024-48061 CRITICAL POC
9.8 Nov 04

langflow <=1.0.18 is vulnerable to Remote Code Execution (RCE) as any component provided the code functionality and the

CVE-2024-42835 CRITICAL POC
9.8 Oct 31

langflow v1.0.12 was discovered to contain a remote code execution (RCE) vulnerability via the PythonCodeTool component.

CVE-2024-37014 CRITICAL POC
9.8 Jun 10

Langflow through 0.6.19 allows remote code execution if untrusted users are able to reach the "POST /api/v1/custom_compo

CVE-2026-21445 CRITICAL POC
9.1 Jan 02

Langflow before 1.7.0.dev45 exposes multiple API endpoints without authentication, allowing unauthenticated access to us

CVE-2024-7297 HIGH POC
8.8 Jul 30

Langflow versions prior to 1.0.13 suffer from a Privilege Escalation vulnerability, allowing a remote and low privileged

CVE-2026-0768 CRITICAL
9.8 Jan 23

Langflow has a code injection vulnerability in the code component (EPSS 2.6%) enabling remote code execution through the

CVE-2026-0769 CRITICAL
9.8 Jan 23

Langflow has an eval injection in eval_custom_component_code (EPSS 2.0%) enabling remote code execution through crafted

CVE-2026-10134 CRITICAL
10.0 Jun 30

Remote code execution in IBM Langflow OSS 1.0.0 through 1.9.3 lets an unauthenticated attacker inject and run arbitrary

Share

EUVD-2026-40403 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy