CVE-2026-10561
Analyzed Analyzed - Analysis Complete

Unauthenticated Remote Code Execution in IBM Langflow OSS

Vulnerability report for CVE-2026-10561, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-22

Last updated on: 2026-06-26

Assigner: IBM Corporation

Description

IBM Langflow OSS 1.0.0 through 1.9.3 has an vulnerability due to an improper isolation of Python execution combined with an authentication bypass that allows an unauthenticated attacker to execute arbitrary code on the host system, resulting in complete compromise

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-22
Last Modified
2026-06-26
Generated
2026-07-12
AI Q&A
2026-06-22
EPSS Evaluated
2026-07-11
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
langflow langflow From 1.0.0 (inc) to 1.9.3 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

This vulnerability allows unauthenticated remote code execution leading to complete system compromise, including exfiltration of sensitive data such as LLM provider keys and access credentials for vector stores.

Such unauthorized access and potential data theft or tampering can result in violations of data protection regulations like GDPR and HIPAA, which mandate strict controls over personal and sensitive information.

Therefore, exploitation of this vulnerability could lead to non-compliance with these standards due to unauthorized disclosure, alteration, or loss of protected data.

Executive Summary

CVE-2026-10561 is a critical vulnerability in IBM Langflow OSS versions 1.0.0 through 1.9.3 that allows unauthenticated remote code execution (RCE). It arises from improper isolation of Python execution combined with an authentication bypass.

Specifically, the PythonREPLComponent's get_globals() function attempts to restrict accessible Python globals using a whitelist but fails to block access to the builtins module. Because the exec() function in CPython automatically inserts the full builtins module if it is missing, an attacker can access dangerous functions like import, open, and eval.

Additionally, the default setting LANGFLOW_AUTO_LOGIN=true issues a superuser JWT token via an unauthenticated GET request, enabling an attacker to bypass authentication and execute arbitrary code on the host system.

Impact Analysis

This vulnerability can lead to complete compromise of the host system running Langflow OSS.

  • Arbitrary operating system command execution at the backend process privilege level, which is root in default Docker environments.
  • Exfiltration of sensitive data such as LLM provider keys (e.g., OpenAI or Anthropic keys) stored in environment variables or databases.
  • Theft or tampering of flow definitions used by Langflow.
  • Access to credentials for vector stores like Chroma, Pinecone, or Weaviate.
  • Potential persistent compromise through installation of cron jobs, backdoored files, or modification of databases.
Mitigation Strategies

IBM strongly recommends upgrading to Langflow OSS version 1.9.4 or later to remediate this issue.

No official workarounds are currently available.

Detection Guidance

The provided resources do not include specific detection methods or commands to identify the presence of this vulnerability on a network or system.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-10561. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart