CVE-2026-10561
Status: Received - Intake
Unauthenticated Remote Code Execution in IBM Langflow OSS

Publication date: 2026-06-22

Last updated on: 2026-06-22

Assigner: IBM Corporation

Description
IBM Langflow OSS 1.0.0 through 1.9.3 has a vulnerability due to improper isolation of Python execution combined with an authentication bypass, which allows an unauthenticated attacker to execute arbitrary code on the host system, resulting in complete compromise.
Meta Information
Published: 2026-06-22
Last Modified: 2026-06-22
Generated: 2026-06-22
AI Q&A: 2026-06-22
EPSS Evaluated: N/A
Affected Vendors & Products
Vendor: ibm
Product: langflow_oss
Version / Range: from 1.0.0 (inclusive) to 1.9.3 (inclusive)
CWE-94 (Improper Control of Generation of Code, 'Code Injection'): The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
Executive Summary

CVE-2026-10561 is a critical vulnerability in IBM Langflow OSS versions 1.0.0 through 1.9.3 that allows unauthenticated remote code execution (RCE). It arises from improper isolation of Python execution combined with an authentication bypass.

Specifically, the PythonREPLComponent's get_globals() function attempts to restrict the globals available to executed code with an allow-list but never sets the __builtins__ key. When the globals dictionary passed to exec() lacks that key, CPython inserts a reference to the full builtins namespace, so the executed code can reach dangerous functions such as __import__, open, and eval regardless of the allow-list.
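The following is an added example, not Langflow's code, that reproduces the CPython behaviour the summary describes. The two runner functions are hypothetical stand-ins for the allow-list pattern in get_globals(); the payloads are constructed and benign (one decodes a command name instead of running it, the other reads os.sep through the object graph instead of calling os.system). The os._wrap_close class used by the second payload is a real class defined in CPython's os.py; the names PAYLOAD_IMPORT, PAYLOAD_ATTR_WALK, run_with_allowlist and run_with_explicit_builtins are assumptions for illustration.

```python
import os  # only to guarantee os is loaded; the payloads never use this name

# Constructed stand-ins for an attacker-supplied code cell. Both stay benign.
PAYLOAD_IMPORT = "import base64\nresult = base64.b64decode('aWQ=').decode()"
PAYLOAD_ATTR_WALK = (
    "result = [c for c in ().__class__.__base__.__subclasses__()"
    " if c.__name__ == '_wrap_close'][0].__init__.__globals__['sep']"
)


def _execute(code: str, g: dict) -> dict:
    """Run code against the given globals; report the result or the exception type."""
    try:
        exec(code, g)
    except Exception as exc:  # ImportError / NameError once builtins are absent
        return {"result": None, "error": type(exc).__name__}
    return {"result": g.get("result"), "error": None}


def builtins_reachable(g: dict) -> bool:
    """True if the globals dict now carries a usable __import__ (dict or module form)."""
    b = g.get("__builtins__")
    if b is None:
        return False
    names = b if isinstance(b, dict) else vars(b)
    return "__import__" in names


def run_with_allowlist(code: str) -> dict:
    """Vulnerable pattern (hypothetical get_globals()): an allow-list of 'safe'
    names and no __builtins__ key. exec() fills the gap with the real builtins,
    so import/open/eval are available despite the allow-list."""
    g = {"len": len, "range": range, "str": str}
    out = _execute(code, g)
    out["builtins_injected"] = builtins_reachable(g)
    return out


def run_with_explicit_builtins(code: str) -> dict:
    """Minimal correction: pin __builtins__ to an empty dict so the import
    statement, open() and eval() fail. This is still not a sandbox: the
    attribute-walk payload reaches the os module namespace without any builtin."""
    g = {"__builtins__": {}, "len": len, "range": range, "str": str}
    out = _execute(code, g)
    out["builtins_injected"] = builtins_reachable(g)
    return out


if __name__ == "__main__":
    print(run_with_allowlist(PAYLOAD_IMPORT))             # import works, result 'id'
    print(run_with_explicit_builtins(PAYLOAD_IMPORT))     # ImportError: __import__ not found
    print(run_with_explicit_builtins(PAYLOAD_ATTR_WALK))  # still reaches os.sep
```

The third call is the practitioner's caveat: fixing the missing __builtins__ key removes the most obvious primitives but not the well-known object-graph escapes, which is why exec()-based allow-listing is not an isolation boundary and the advisory's remediation is the upgrade rather than a configuration tweak.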

Additionally, the default setting LANGFLOW_AUTO_LOGIN=true issues a superuser JWT token via an unauthenticated GET request, enabling an attacker to bypass authentication and execute arbitrary code on the host system.
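As an added check (not Langflow's code and not from the advisory), the probe below sends the unauthenticated GET described above and reports whether a bearer token came back. The endpoint path AUTO_LOGIN_PATH and the JSON field name access_token are assumptions about the response shape; the two sample responses are constructed so the classifier can be exercised offline.

```python
import json
from urllib import error, request

# Assumption: the auto-login token is served at this path as JSON with an
# "access_token" field. Adjust if your deployment differs.
AUTO_LOGIN_PATH = "/api/v1/auto_login"


def token_issued(status: int, body: bytes) -> bool:
    """True when an unauthenticated GET was answered with a bearer token."""
    if status != 200:
        return False
    try:
        data = json.loads(body)
    except ValueError:
        return False
    return isinstance(data, dict) and bool(data.get("access_token"))


def probe(base_url: str, timeout: float = 5.0) -> bool:
    """Issue the unauthenticated GET and classify the response.
    Returns True if the instance hands out a token without credentials."""
    req = request.Request(base_url.rstrip("/") + AUTO_LOGIN_PATH, method="GET")
    try:
        with request.urlopen(req, timeout=timeout) as resp:
            return token_issued(resp.status, resp.read())
    except error.HTTPError as e:  # 401/403/404: no token handed out
        return token_issued(e.code, e.read())


# Constructed sample responses (status, body) for offline use.
SAMPLE_OPEN = (200, b'{"access_token": "constructed-token", "token_type": "bearer"}')
SAMPLE_CLOSED = (401, b'{"detail": "Not authenticated"}')


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else None
    if target:
        print("auto-login token issued:", probe(target))
    else:
        print("open sample  ->", token_issued(*SAMPLE_OPEN))
        print("closed sample ->", token_issued(*SAMPLE_CLOSED))
```

Run it against a host you are authorized to test; a True result means the authentication-bypass half of the chain is present, independent of whether the Python execution component is reachable.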

Compliance Impact

This vulnerability allows unauthenticated remote code execution leading to complete system compromise, including exfiltration of sensitive data such as LLM provider keys and access credentials for vector stores.

Such unauthorized access and potential data theft or tampering can result in violations of data protection regulations like GDPR and HIPAA, which mandate strict controls over personal and sensitive information.

Therefore, exploitation of this vulnerability could lead to non-compliance with these standards due to unauthorized disclosure, alteration, or loss of protected data.

Impact Analysis

This vulnerability can lead to complete compromise of the host system running Langflow OSS.

  • Arbitrary operating system command execution at the backend process privilege level, which is root in default Docker environments.
  • Exfiltration of sensitive data such as LLM provider keys (e.g., OpenAI or Anthropic keys) stored in environment variables or databases.
  • Theft or tampering of flow definitions used by Langflow.
  • Access to credentials for vector stores like Chroma, Pinecone, or Weaviate.
  • Potential persistent compromise through installation of cron jobs, backdoored files, or modification of databases.
Mitigation Strategies

IBM strongly recommends upgrading to Langflow OSS version 1.9.4 or later to remediate this issue.

No official workarounds are currently available.
