CVE Catalog

CVE-2026-10561

CriticalCVSS 10.0
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.50%

39th percentile — higher than 39% of all known CVEs

Summary

IBM Langflow OSS versions 1.0.0 through 1.9.3 contain a vulnerability due to improper isolation of Python execution combined with an authentication bypass. An unauthenticated attacker can execute arbitrary code on the host system, leading to full compromise.

Risk Assessment

The risk for the organization is critical – an unauthenticated attacker can fully compromise the server running Langflow, gaining access to data, systems, and potentially spreading the attack within the internal network.

Recommendation

Immediately upgrade IBM Langflow OSS to version 1.9.4 or later. If upgrading is not possible, restrict access to the application to trusted networks only and implement additional authentication mechanisms at the proxy level.

Original NVD description (English source)

IBM Langflow OSS 1.0.0 through 1.9.3 has an vulnerability due to an improper isolation of Python execution combined with an authentication bypass that allows an unauthenticated attacker to execute arbitrary code on the host system, resulting in complete compromise

Vulnerability data from NVD (NIST) · CISA KEV · EPSS