CVE-2026-10134
CriticalCVSS 10.0Exploitation Probability (EPSS)
Low risk23th percentile — higher than 23% of all known CVEs
Summary
IBM Langflow OSS versions 1.0.0 through 1.9.3 contain a critical vulnerability allowing an attacker to read all secrets available to the Langflow process, read and modify all flows, conversations, messages, file uploads, and saved components in the Langflow database. The attacker can also connect to internal services, abuse cloud metadata endpoints, laterally move to other tenants on the same Langflow instance, and establish persistence by modifying the public flow's `tool_code` so that normal `/api/v1/build/...` calls by any user re-execute attacker code at each build.
Risk Assessment
The risk to the organization is critical – an attacker can gain full control over the Langflow instance, steal all secrets and data, and establish persistence, potentially leading to escalation to other internal systems and compromising data confidentiality, integrity, and availability.
Recommendation
Immediately upgrade IBM Langflow OSS to version 1.9.4 or later, which contains a fix for this vulnerability. Until the update is applied, restrict access to the Langflow instance to trusted networks and users, and monitor for unusual activity on `/api/v1/build/...` endpoints.
Original NVD description (English source)
IBM Langflow OSS 1.0.0 through 1.9.3 allows an attacker to read every secret available to the Langflow process, read and modify every flow, conversation, message, file upload, and saved component in the Langflow database, can connect to internal services, abuse cloud metadata endpoints, laterally move to other tenants on the same Langflow instance, and Establish persistence by modifying the public flow's `tool_code` so normal `/api/v1/build/...` calls by any user re-execute attacker code at each build.

