Improper Shared-State Handling in IBM Langflow OSS Leads to Security Risks
CVE-2026-10140

9.6 CRITICAL

Key Information:

Vendor: IBM
CVE Published: 30 June 2026

What is CVE-2026-10140?

IBM Langflow OSS versions 1.0.0 through 1.10.0 are affected by a vulnerability caused by improper handling of shared state. An authenticated attacker can manipulate cached state so that API clients are reused across tenant boundaries. As a result, requests made by one user can be processed with the credentials of another, leading to risks such as cross-tenant billing and accountability errors. Users of the affected versions are advised to review the vendor's advisory for remediation steps.
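The following Python is an added illustration of the bug class described above, not Langflow's own code: a client cache keyed only by provider hands the first tenant's credentials to every later tenant, while a cache keyed by tenant and a credential digest does not. `FakeUpstreamClient`, the provider name, the tenant names and the API keys are all constructed for the example.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Credentials:
    tenant_id: str
    api_key: str


class FakeUpstreamClient:
    """Constructed stand-in for a third-party API client; records which key each request used."""

    def __init__(self, api_key: str) -> None:
        self.api_key = api_key

    def call(self, prompt: str) -> dict:
        # A real client would send api_key upstream; billing follows whichever key is attached.
        return {"billed_key": self.api_key, "prompt": prompt}


# Vulnerable pattern: one process-wide cache keyed only by provider. The first tenant to use a
# provider populates the entry with their credentials and every later tenant reuses that client.
_shared_cache: dict = {}

def get_client_shared(provider: str, creds: Credentials) -> FakeUpstreamClient:
    if provider not in _shared_cache:
        _shared_cache[provider] = FakeUpstreamClient(creds.api_key)
    return _shared_cache[provider]


# Hardened pattern: the key includes the tenant and a digest of the credential (not the raw
# secret), so a client is only handed back to the tenant whose credentials built it, and a
# rotated key produces a fresh client rather than a stale one.
_tenant_cache: dict = {}

def get_client_tenant_scoped(provider: str, creds: Credentials) -> FakeUpstreamClient:
    key = (provider, creds.tenant_id, hashlib.sha256(creds.api_key.encode()).hexdigest())
    if key not in _tenant_cache:
        _tenant_cache[key] = FakeUpstreamClient(creds.api_key)
    return _tenant_cache[key]


def billed_key_for_second_tenant(get_client) -> str:
    """Tenant A warms the cache, then tenant B sends a request; return the key B was billed to."""
    tenant_a = Credentials("tenant-a", "sk-A-constructed")
    tenant_b = Credentials("tenant-b", "sk-B-constructed")
    get_client("llm-provider", tenant_a).call("request from A")
    return get_client("llm-provider", tenant_b).call("request from B")["billed_key"]
```

With the shared cache, tenant B's request is billed to tenant A's key; with the tenant-scoped cache, each tenant is billed to its own key.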

Affected Version(s)

Langflow OSS 1.0.0 through 1.10.0 (inclusive)

CVSS v3.1

Score: 9.6
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed
