Overview
- IBM
- Langflow OSS
30 Jun 2026
Published
02 Jul 2026
Updated
CVSS v3.1
CRITICAL (9.6)
EPSS
Pending
KEV
Description
IBM Langflow OSS 1.0.0 through 1.10.0 voice mode contains improper shared-state handling that allows reuse of API clients across tenant boundaries. An authenticated attacker can manipulate cache state to cause requests from other users to be processed using incorrect upstream API credentials, leading to cross-tenant billing and accountability misattribution.
Statistics
- 1 Post
Last activity: 9 hours ago
Overview
- IBM
- Langflow OSS
30 Jun 2026
Published
01 Jul 2026
Updated
CVSS v3.1
CRITICAL (10.0)
EPSS
0.31%
KEV
Description
IBM Langflow OSS 1.0.0 through 1.9.3 allows an attacker to read every secret available to the Langflow process, read and modify every flow, conversation, message, file upload, and saved component in the Langflow database, can connect to internal services, abuse cloud metadata endpoints, laterally move to other tenants on the same Langflow instance, and Establish persistence by modifying the public flow's `tool_code` so normal `/api/v1/build/...` calls by any user re-execute attacker code at each build.
Statistics
- 1 Post
Last activity: 9 hours ago
Overview
- IBM
- Langflow OSS
30 Jun 2026
Published
01 Jul 2026
Updated
CVSS v3.1
CRITICAL (9.9)
EPSS
Pending
KEV
Description
IBM Langflow OSS 1.0.0 through 1.10.0 allows authenticated attackers to execute arbitrary OS commands and read sensitive files including credentials, enabling complete system compromise and lateral movement.
Statistics
- 1 Post
Last activity: 9 hours ago
Overview
- IBM
- Langflow OSS
30 Jun 2026
Published
01 Jul 2026
Updated
CVSS v3.1
CRITICAL (9.1)
EPSS
Pending
KEV
Description
IBM Langflow OSS 1.0.0 through 1.9.6 could allow unauthenticated attackers to access protected MCP project resources and execute MCP operations due to improper authorization enforcement in the Streamable MCP transport endpoint.
Statistics
- 1 Post
Last activity: 9 hours ago
Overview
- IBM
- Langflow OSS
30 Jun 2026
Published
01 Jul 2026
Updated
CVSS v3.1
CRITICAL (9.8)
EPSS
Pending
KEV
Description
IBM Langflow OSS 1.0.0 through 1.10.0 could allow arbitrary code execution due to improper validation of flow nodes with missing or empty component type fields.
Statistics
- 1 Post
Last activity: 9 hours ago