CVE Catalog

CVE-2026-10140

CriticalCVSS 9.6
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.20%

10th percentile — higher than 10% of all known CVEs

Summary

IBM Langflow OSS versions 1.0.0 through 1.10.0 in voice mode have improper shared-state handling that allows reuse of API clients across tenant boundaries. An authenticated attacker can manipulate cache state to cause requests from other users to be processed using incorrect upstream API credentials, leading to cross-tenant billing and accountability misattribution.

Risk Assessment

The organization is exposed to unauthorized use of API resources by other tenants, potentially resulting in incorrect cost allocation and loss of control over billing and auditing.

Recommendation

Immediately upgrade IBM Langflow OSS to version 1.10.1 or later, which includes a fix for this vulnerability. Until the update is applied, disable voice mode or restrict access to trusted users only.

Original NVD description (English source)

IBM Langflow OSS 1.0.0 through 1.10.0 voice mode contains improper shared-state handling that allows reuse of API clients across tenant boundaries. An authenticated attacker can manipulate cache state to cause requests from other users to be processed using incorrect upstream API credentials, leading to cross-tenant billing and accountability misattribution.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS