CVE-2026-10140
Received Received - Intake

Improper State Handling in IBM Langflow OSS

Vulnerability report for CVE-2026-10140, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-30

Last updated on: 2026-06-30

Assigner: IBM Corporation

Description

IBM Langflow OSS 1.0.0 through 1.10.0 voice mode contains improper shared-state handling that allows reuse of API clients across tenant boundaries. An authenticated attacker can manipulate cache state to cause requests from other users to be processed using incorrect upstream API credentials, leading to cross-tenant billing and accountability misattribution.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-30
Last Modified
2026-06-30
Generated
2026-07-01
AI Q&A
2026-06-30
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
ibm langflow_oss From 1.0.0 (inc) to 1.10.0 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-639 The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-10140 affects IBM Langflow OSS versions 1.0.0 through 1.10.0 in the voice mode subsystem. It involves improper shared-state handling that allows API clients to be reused across tenant boundaries.

Specifically, a process-global ElevenLabs client singleton caches the first user's API key and reuses it for all tenants, causing unauthorized billing charges and misattributed text-to-speech (TTS) prompt and audio history.

Additionally, a session_id-keyed cache for OpenAI TTS clients allows attackers to pre-position their API key and redirect victim traffic through their OpenAI account, resulting in billing misattribution.

These vulnerabilities can be exploited by any authenticated low-privilege user without admin rights, require no victim interaction beyond normal voice mode usage, and leave no audit trail.

Impact Analysis

The vulnerability can lead to cross-tenant billing fraud where attackers cause requests from other users to be processed using incorrect upstream API credentials.

This results in unauthorized billing charges being attributed to innocent users and misattribution of TTS prompt and audio history.

It can cause economic strain on SaaS deployments, potential suspension of terms of service for affected accounts, and mass billing fraud.

Detection Guidance

This vulnerability can be detected by monitoring network access to the Langflow API, which by default listens on port 7860. Detection involves checking for multiple user accounts accessing the API and verifying if any user has an ELEVENLABS_API_KEY configured, as exploitation requires these conditions.

Since the vulnerability leaves no audit trail and requires authenticated access, detection through logs may be limited. Network monitoring tools can be used to observe unusual API usage patterns or cross-tenant API key reuse.

Specific commands are not provided in the resources, but you can use network scanning or monitoring commands such as:

  • netstat -an | grep 7860 # To check if Langflow API port is open
  • ss -tuln | grep 7860 # To verify listening services on port 7860
  • tcpdump -i any port 7860 # To capture traffic to/from Langflow API
  • Review application configuration files or environment variables for ELEVENLABS_API_KEY presence
Mitigation Strategies

The immediate and recommended mitigation step is to upgrade Langflow OSS to version 1.10.1, which addresses the vulnerability by replacing the class-level singleton with user_id-keyed dictionaries and modifying the tts_config_cache to use (user_id, session_id) tuples with authentication validation.

Until the upgrade can be applied, restrict network access to the Langflow API port (default 7860) to trusted users only, and limit the number of users with ELEVENLABS_API_KEY configured to reduce the risk of exploitation.

Additionally, monitor for unusual billing patterns or cross-tenant API usage that may indicate exploitation.

Compliance Impact

The vulnerability in IBM Langflow OSS allows cross-tenant API key reuse and billing misattribution, which can lead to unauthorized access and misuse of user data and resources.

Such unauthorized access and misattribution could potentially violate compliance requirements related to data protection and accountability found in standards like GDPR and HIPAA, which mandate strict controls on data access, user isolation, and accurate audit trails.

Specifically, the vulnerability enables requests from one user to be processed using another user's API credentials without proper isolation or audit trails, undermining data integrity and accountability.

This could result in breaches of confidentiality and accountability obligations, increasing the risk of non-compliance with regulations that require user data segregation and traceability.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-10140. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart