Description
IBM Langflow OSS 1.0.0 through 1.9.3 allows an attacker to read every secret available to the Langflow process; read and modify every flow, conversation, message, file upload, and saved component in the Langflow database; connect to internal services; abuse cloud metadata endpoints; move laterally to other tenants on the same Langflow instance; and establish persistence by modifying a public flow's `tool_code` so that normal `/api/v1/build/...` calls by any user re-execute the attacker's code on each build.
Published: 2026-06-30
Score: 10 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability allows an attacker to execute arbitrary Python code on the Langflow OSS server by manipulating the `tool_code` field of a PythonCodeStructuredTool component in a public flow; the injected code runs server-side whenever the flow is built through `/api/v1/build/...`. That code execution grants full read and write access to secrets, flows, conversations, messages, file uploads, and saved components in the Langflow database, as well as the ability to connect to internal services and abuse cloud metadata endpoints. It also enables lateral movement to other tenants on the same instance and persistence: because the malicious `tool_code` is stored in the flow, it is re-executed on every subsequent build request from any user until the flow is cleaned up.

Affected Systems

IBM Langflow OSS versions 1.0.0 through 1.9.3 are affected. The CNA's CPE entries list only the endpoints of that range (1.0.0 and 1.9.3), so every release between them should be treated as vulnerable. Any deployment of these releases that exposes public flows is reachable: the vulnerable path is the public flow plus the build endpoint, and the CVSS vector (PR:N) indicates no credentials are required.

Risk and Exploitability

With a CVSS 3.1 base score of 10.0 (vector AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H), the vulnerability is classified as critical: it is network-reachable, low-complexity, requires neither privileges nor user interaction, and changes scope with high impact on confidentiality, integrity, and availability. No EPSS score is available, so the current exploit probability is unknown, and the CVE is not listed in CISA's KEV catalog. Consistent with the PR:N metric and the CNA's title ("Unauthenticated Server-Side RCE"), an attacker who can submit or modify a public flow can achieve code execution and full system compromise without credentials.

Generated by OpenCVE AI on June 30, 2026 at 21:50 UTC.

Remediation

Vendor Solution

IBM strongly recommends addressing the vulnerability now by upgrading Langflow OSS to version 1.10.0: https://pypi.org/project/langflow/


OpenCVE Recommended Actions

  • Upgrade IBM Langflow OSS to version 1.10.0 or later.
  • Until the upgrade is complete, restrict or disable the ability for users to create or modify the `tool_code` field in public flows, which blocks the server‑side code injection path described above.
  • Enforce strict role‑based access controls so that only trusted users can create or edit public flows, and regularly audit stored flows and build logs for suspicious `tool_code` content (OS or shell access, outbound connections to internal hosts, cloud metadata endpoints).

Generated by OpenCVE AI on June 30, 2026 at 21:50 UTC.
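The two checks a practitioner would run after reading the Affected Systems range and the audit recommendation above, written here as an added example (not code from the OpenCVE page or the Langflow project): a version-range test against 1.0.0 through 1.9.3, and a scan of exported flows for `tool_code` values that match the abuse the advisory describes. The flow export layout (`data` -> `nodes[]` -> `data` -> `node` -> `template` -> field -> `value`) and the set of suspicious patterns are assumptions for illustration; the field name `tool_code` and the component name PythonCodeStructuredTool are taken from the advisory.

```python
"""Added example, not part of the OpenCVE page or the Langflow project:
audit a Langflow deployment for CVE-2026-10134 exposure.

Assumptions (not confirmed by the advisory): the flow export layout
data -> nodes[] -> data -> node -> template -> <field> -> value, and the
list of suspicious patterns below, which is illustrative rather than complete.
"""
from __future__ import annotations

import re

# Affected range from the advisory: 1.0.0 through 1.9.3; fixed in 1.10.0.
AFFECTED_MIN = (1, 0, 0)
AFFECTED_MAX = (1, 9, 3)

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> tuple[int, int, int]:
    """Parse 'MAJOR.MINOR.PATCH' into a comparable tuple.

    Pre-release suffixes (e.g. '1.9.3rc1') are ignored, which is the
    conservative choice here: they compare as the release they precede.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_affected_version(text: str) -> bool:
    """True when the installed Langflow version lies inside the affected range."""
    return AFFECTED_MIN <= parse_version(text) <= AFFECTED_MAX


# Illustrative patterns matching the behaviour the advisory attributes to
# injected tool_code: process/network access, dynamic code loading, cloud
# metadata endpoints, and dumping the process environment (secrets).
SUSPICIOUS_PATTERNS = [
    ("os/subprocess import", re.compile(r"\b(?:import|from)\s+(?:os|subprocess|socket|ctypes)\b")),
    ("dynamic import/eval", re.compile(r"\b(?:__import__|eval|exec|compile)\s*\(")),
    ("cloud metadata endpoint", re.compile(r"169\.254\.169\.254|metadata\.google\.internal")),
    ("environment dump", re.compile(r"\bos\.environ\b|/proc/self/environ")),
]


def iter_tool_code(flow: dict):
    """Yield (node_id, node_type, tool_code) for every node carrying a tool_code field."""
    for node in flow.get("data", {}).get("nodes", []):
        node_data = node.get("data", {})
        template = node_data.get("node", {}).get("template", {})
        field = template.get("tool_code")
        if isinstance(field, dict) and isinstance(field.get("value"), str):
            yield node.get("id", "?"), node_data.get("type", "?"), field["value"]


def find_suspicious_tool_code(flow: dict) -> list[dict]:
    """Return one finding per node whose tool_code matches any suspicious pattern."""
    findings = []
    for node_id, node_type, code in iter_tool_code(flow):
        hits = [name for name, rx in SUSPICIOUS_PATTERNS if rx.search(code)]
        if hits:
            findings.append({"node_id": node_id, "type": node_type, "patterns": hits})
    return findings


# Constructed sample shaped like a flow export: one benign tool and one that
# dumps the environment and reaches the cloud metadata endpoint.
SAMPLE_FLOW = {
    "name": "public-demo-flow",
    "data": {
        "nodes": [
            {
                "id": "node-1",
                "data": {
                    "type": "PythonCodeStructuredTool",
                    "node": {"template": {"tool_code": {"value":
                        "def run(x: int) -> int:\n    return x * 2\n"}}},
                },
            },
            {
                "id": "node-2",
                "data": {
                    "type": "PythonCodeStructuredTool",
                    "node": {"template": {"tool_code": {"value":
                        "import os, urllib.request\n"
                        "env = dict(os.environ)\n"
                        "meta = urllib.request.urlopen("
                        "'http://169.254.169.254/latest/meta-data/').read()\n"}}},
                },
            },
        ]
    },
}


if __name__ == "__main__":
    for v in ("1.0.0", "1.9.3", "1.10.0"):
        print(f"langflow {v}: {'AFFECTED' if is_affected_version(v) else 'not affected'}")
    for finding in find_suspicious_tool_code(SAMPLE_FLOW):
        print(f"{finding['node_id']} ({finding['type']}): {', '.join(finding['patterns'])}")
```

Run the version check against `pip show langflow` output on each host, and feed every flow export (not only the ones marked public) to `find_suspicious_tool_code`; a hit on a flow is a reason to inspect the build logs for that flow's `/api/v1/build/...` calls, since the advisory states the stored code re-runs on every build.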

Tracking


Advisories

No advisories yet.

History

Tue, 30 Jun 2026 20:15:00 +0000

Type / Values Removed / Values Added (no values were removed in this initial entry):

Description: IBM Langflow OSS 1.0.0 through 1.9.3 allows an attacker to read every secret available to the Langflow process, read and modify every flow, conversation, message, file upload, and saved component in the Langflow database, can connect to internal services, abuse cloud metadata endpoints, laterally move to other tenants on the same Langflow instance, and Establish persistence by modifying the public flow's `tool_code` so normal `/api/v1/build/...` calls by any user re-execute attacker code at each build.
Title: Unauthenticated Server-Side RCE via PythonCodeStructuredTool in Public Flows
First Time appeared: Ibm; Ibm langflow Oss
Weaknesses: CWE-94
CPEs: cpe:2.3:a:ibm:langflow_oss:1.0.0:*:*:*:*:*:*:*; cpe:2.3:a:ibm:langflow_oss:1.9.3:*:*:*:*:*:*:*
Vendors & Products: Ibm; Ibm langflow Oss
References: (none)
Metrics: cvssV3_1 {'score': 10, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: ibm

Published:

Updated: 2026-06-30T19:56:52.069Z

Reserved: 2026-05-29T18:38:25.306Z

Link: CVE-2026-10134

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-30T22:00:16Z

Weaknesses
  • CWE-94

    Improper Control of Generation of Code ('Code Injection')