CVE-2026-10561 | IBM Langflow OSS 1.0.0 through 1.9.3 has an vulnerability du… | CVSS 10.0 CRITICAL

Description

IBM Langflow OSS 1.0.0 through 1.9.3 has an vulnerability due to an improper isolation of Python execution combined with an authentication bypass that allows an unauthenticated attacker to execute arbitrary code on the host system, resulting in complete compromise

Metadata

CVE ID: CVE-2026-10561
State: PUBLISHED
Assigner: ibm
Reserved: 2026-06-01 15:41 UTC
Published: 2026-06-22 13:22 UTC
Last updated: 2026-06-22 13:22 UTC
Primary CWE: CWE-94
CWE-94 Improper Control of Generation of Code ('Code Injecti…
Vendor / Product: IBM / Langflow OSS
Sources: cve.org · NVD

Severity & Metrics

10.0 CRITICAL CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Affected products (1)

Vendor	Product	Platform	Versions
IBM	Langflow OSS	—	1.0.0 ≤ 1.9.3

Weakness (CWE)

CWE	Source	Description
CWE-94	cna	CWE-94 Improper Control of Generation of Code ('Code Injection')

CVSS scores (1)

Score	Severity	Version	Source	Vector
10.0	CRITICAL	3.1	cna	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

References (1)

https://www.ibm.com/support/pages/node/7277242