Back to overview

CVE-2026-10140

CRITICAL
9.6
CVSS 3.1
Description
IBM Langflow OSS 1.0.0 through 1.10.0 voice mode contains improper shared-state handling that allows reuse of API clients across tenant boundaries. An authenticated attacker can manipulate cache state to cause requests from other users to be processed using incorrect upstream API credentials, leading to cross-tenant billing and accountability misattribution.

Metadata

CVE ID
CVE-2026-10140
State
PUBLISHED
Assigner
ibm
Reserved
2026-05-29 18:50 UTC
Published
2026-06-30 19:55 UTC
Last updated
2026-06-30 19:55 UTC
Primary CWE
CWE-639
CWE-639 Authorization Bypass Through User-Controlled Key
Vendor / Product
IBM / Langflow OSS
Sources
cve.org  ·  NVD

Severity & Metrics

9.6 CRITICAL CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
Affected products (1)
VendorProductPlatformVersions
IBM Langflow OSS 1.0.0 ≤ 1.10.0
Weakness (CWE)
CWESourceDescription
CWE-639 cna CWE-639 Authorization Bypass Through User-Controlled Key
CVSS scores (1)
ScoreSeverityVersionSourceVector
9.6 CRITICAL 3.1 cna CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
Back to overview