CVE-2026-10140 – IBM Langflow OSS

CVSS 9.6 CRITICAL Critical or Zero Day – Immediate Deployment

“When authentication fails and code isolation breaks, attackers can take complete control.”

IBM released updates for Langflow OSS to address multiple critical and high-severity vulnerabilities affecting versions 1.0.0 through 1.10.0. The vulnerabilities include remote code execution, authentication and authorization bypasses, sensitive credential disclosure, server-side request forgery (SSRF), cross-tenant data exposure, arbitrary OS command execution, insecure deserialization, and denial-of-service conditions. Several of these issues could allow complete compromise of the application and its underlying host.

CVE-2026-10561 has a CVSS score of 10.0, which is Critical severity. CVE-2026-7664 has a CVSS score of 9.8, which is Critical severity. CVE-2026-10134 has a CVSS score of 10.0, which is Critical severity. CVE-2026-10140 has a CVSS score of 9.6, which is Critical severity. CVE-2026-7663 has a CVSS score of 9.1, which is Critical severity. CVE-2026-7803 has a CVSS score of 9.8, which is Critical severity. CVE-2026-7871 has a CVSS score of 9.8, which is Critical severity. CVE-2026-7873 has a CVSS score of 9.9, which is Critical severity. CVE-2026-7874 has a CVSS score of 9.1, which is Critical severity. CVE-2026-10129 has a CVSS score of 8.5, which is High severity. CVE-2026-10560 has a CVSS score of 8.2, which is High severity. CVE-2026-10564 has a CVSS score of 8.2, which is High severity. CVE-2026-10546 has a CVSS score of 7.1, which is High severity.

The update strengthens authentication, authorization, Python execution isolation, request validation, encryption of stored credentials, component validation, and protections against SSRF and cross-tenant access. Verified exploitation has not been reported. Organizations using affected Langflow OSS deployments should apply the available updates promptly because several vulnerabilities could enable complete system compromise or unauthorized access to sensitive data.

Key Details

Affected Product
Langflow Langflow
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
CWE Classification
CWE-639
Patch this CVE on all your endpoints in under 5 minutes. First 200 endpoints are free forever, scale as needed.