CVE-2026-10134
Received Received - Intake

IBM Langflow OSS Multiple Security Vulnerabilities

Vulnerability report for CVE-2026-10134, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-30

Last updated on: 2026-06-30

Assigner: IBM Corporation

Description

IBM Langflow OSS 1.0.0 through 1.9.3 allows an attacker to read every secret available to the Langflow process, read and modify every flow, conversation, message, file upload, and saved component in the Langflow database, can connect to internal services, abuse cloud metadata endpoints, laterally move to other tenants on the same Langflow instance, and Establish persistence by modifying the public flow's `tool_code` so normal `/api/v1/build/...` calls by any user re-execute attacker code at each build.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-30
Last Modified
2026-06-30
Generated
2026-07-01
AI Q&A
2026-06-30
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
ibm langflow_oss From 1.0.0 (inc) to 1.9.3 (inc)
ibm langflow From 1.0.0 (inc) to 1.9.3 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-10134 is a critical vulnerability in IBM Langflow OSS versions 1.0.0 through 1.9.3 that allows unauthenticated remote code execution (RCE) on the server via the PythonCodeStructuredTool.

The flaw exists in the function that executes Python code (`exec(self.tool_code, globals(), local_namespace)`), enabling an attacker to inject and run arbitrary Python code during the flow-building process.

There are two main exploitation paths: authenticated users can trigger RCE via a POST request to a specific API endpoint, and unauthenticated attackers can exploit flows marked as PUBLIC without authentication.

Once a public flow containing the vulnerable tool is created, any visitor can exploit it to execute malicious code.

Impact Analysis

This vulnerability can have severe impacts including allowing attackers to read every secret accessible to the Langflow process.

Attackers can read and modify every flow, conversation, message, file upload, and saved component in the Langflow database.

They can connect to internal services, abuse cloud metadata endpoints, and move laterally to other tenants on the same Langflow instance.

Attackers can also establish persistence by modifying the public flow's code so that malicious code is re-executed during every build.

Mitigation Strategies

IBM strongly recommends upgrading Langflow OSS to version 1.10.0 or later to mitigate this critical vulnerability.

No official workarounds are available for this vulnerability.

Compliance Impact

This vulnerability allows attackers to read every secret accessible to the Langflow process and modify all data including flows, conversations, messages, file uploads, and saved components in the database. Such unauthorized access and modification of sensitive data can lead to violations of data protection regulations like GDPR and HIPAA, which mandate strict controls over personal and sensitive information.

Additionally, the ability to connect to internal services, abuse cloud metadata endpoints, and move laterally to other tenants increases the risk of widespread data breaches and unauthorized data exposure, further impacting compliance with these standards.

Therefore, organizations using vulnerable versions of Langflow OSS may face significant compliance risks, including potential legal and financial penalties, if this vulnerability is exploited.

Detection Guidance

The vulnerability in IBM Langflow OSS versions 1.0.0 through 1.9.3 involves unauthenticated server-side remote code execution via the PythonCodeStructuredTool, specifically through the execution of arbitrary Python code in the `tool_code` field during flow-building.

To detect if your system is vulnerable or being exploited, you can monitor for HTTP POST requests to the following endpoints:

  • Authenticated exploitation attempts: POST requests to `/api/v1/build/{flow_id}/flow`
  • Unauthenticated exploitation attempts on public flows: POST requests to `/api/v1/build_public_tmp/{flow_id}/flow`

You can use network monitoring tools or web server logs to search for suspicious POST requests to these endpoints.

Example commands to detect such activity in web server logs (assuming logs are in access.log):

  • grep -i 'POST /api/v1/build/' access.log
  • grep -i 'POST /api/v1/build_public_tmp/' access.log

Additionally, monitoring for unexpected modifications to public flows' `tool_code` fields in the Langflow database may indicate exploitation or persistence attempts.

Since the vulnerability allows arbitrary Python code execution, unusual process behavior or unexpected network connections from the Langflow process could also be indicators.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-10134. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart