Analysis and contextual insights are available on OpenCVE Cloud.
Vendor Solution
IBM strongly recommends addressing the vulnerability now by upgrading Langflow OSS to version 1.10.1 https://pypi.org/project/langflow/
Tracking
Sign in to view the affected projects.
No advisories yet.
| Link | Providers |
|---|---|
| https://www.ibm.com/support/pages/node/7278209 |
|
Wed, 01 Jul 2026 14:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics |
ssvc
|
Tue, 30 Jun 2026 20:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | IBM Langflow OSS 1.0.0 through 1.10.0 voice mode contains improper shared-state handling that allows reuse of API clients across tenant boundaries. An authenticated attacker can manipulate cache state to cause requests from other users to be processed using incorrect upstream API credentials, leading to cross-tenant billing and accountability misattribution. | |
| Title | Cross-Tenant API Key Reuse and Billing Fraud in Langflow Voice Mode Subsystem | |
| First Time appeared |
Ibm
Ibm langflow Oss |
|
| Weaknesses | CWE-639 | |
| CPEs | cpe:2.3:a:ibm:langflow_oss:1.0.0:*:*:*:*:*:*:* cpe:2.3:a:ibm:langflow_oss:1.10.0:*:*:*:*:*:*:* |
|
| Vendors & Products |
Ibm
Ibm langflow Oss |
|
| References |
| |
| Metrics |
cvssV3_1
|
Status: PUBLISHED
Assigner: ibm
Published:
Updated: 2026-07-02T03:55:57.959Z
Reserved: 2026-05-29T18:50:47.154Z
Link: CVE-2026-10140
Updated: 2026-07-01T14:02:12.415Z
No data.
No data.
OpenCVE Enrichment
Updated: 2026-07-01T04:45:05Z