CVE-2026-10134
IBM Langflow OSS 1.0.0 through 1.9.3 allows an attacker to read every secret available to the Langflow process; read and modify every flow, conversation, message, file upload, and saved component in the Langflow database; connect to internal services; abuse cloud metadata endpoints; move laterally to other tenants on the same Langflow instance; and establish persistence by modifying the public flow's `tool_code` so that normal `/api/v1/build/...` calls by any user re-execute attacker code at each build.
Analysis
IBM Langflow OSS has a critical code-injection vulnerability that allows an attacker to read secrets, modify flows, and access internal services or cloud metadata. An attacker can achieve persistence by modifying the code of public tools, resulting in malicious code execution every time a user builds a flow. Given its 10.0 rating, this flaw allows total compromise of the instance and of the data it processes.
Relevant roles
Severity
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Weakness: CWE-94
EPSS
No EPSS score yet (CVE may be too fresh).