CVSS 10.0 · CRITICAL

CVE-2026-10134

IBM Langflow OSS 1.0.0 through 1.9.3 allows an attacker to read every secret available to the Langflow process; read and modify every flow, conversation, message, file upload, and saved component in the Langflow database; connect to internal services; abuse cloud metadata endpoints; move laterally to other tenants on the same Langflow instance; and establish persistence by modifying the public flow's `tool_code` so that normal `/api/v1/build/...` calls by any user re-execute attacker code at each build.


Analysis

IBM Langflow OSS has a critical code-injection vulnerability that lets an attacker read secrets, modify flows, and reach internal services or cloud metadata endpoints. An attacker can achieve persistence by modifying the code of public tools, so that malicious code runs every time a user builds a flow. Given its 10.0 rating, this flaw allows complete compromise of the instance and of the data it processes.

Relevant roles

AI, Python, Machine Learning, Data Science, Cloud, Cyber Security

Severity

Score: 10.0 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
AV: NETWORK
AC: LOW
PR: NONE
UI: NONE
S: CHANGED
C: HIGH
I: HIGH
A: HIGH
Weakness (CWE): CWE-94

EPSS

No EPSS score yet (CVE may be too fresh).


Published: 6/30/2026, 8:17:26 PM
Last modified: 6/30/2026, 8:17:26 PM
