Description
IBM Langflow OSS 1.0.0 through 1.10.0 voice mode contains improper shared-state handling that allows reuse of API clients across tenant boundaries. An authenticated attacker can manipulate cache state to cause requests from other users to be processed using incorrect upstream API credentials, leading to cross-tenant billing and accountability misattribution.
Published: 2026-06-30
Score: 9.6 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An improper shared-state handling flaw in the voice mode of IBM Langflow OSS 1.0.0 through 1.10.0 allows authenticated attackers to manipulate cache state so that API clients are reused across tenant boundaries. The attacker can force requests from other users to be processed with incorrect upstream API credentials, so billing and accountability are attributed to the wrong tenant. The flaw is classified as CWE-639 (Authorization Bypass Through User-Controlled Key).

Affected Systems

IBM Langflow OSS is the affected product. Versions from 1.0.0 up through 1.10.0 contain the vulnerability. The vendor has issued a fix in version 1.10.1, which can be downloaded from the official Python Package Index.

Risk and Exploitability

The CVSS score of 9.6 indicates critical impact. No EPSS score is available and the CVE is not listed in the CISA KEV catalog, but neither fact diminishes the risk for organizations running an affected version. Attackers need only authenticated access to manipulate the shared cache, and the vulnerability is exploitable remotely through the public API endpoints. Once exploited, the attacker can cause usage to be billed to other tenants and obscure the true consumer of the API, enabling fraud.

Generated by OpenCVE AI on June 30, 2026 at 21:22 UTC.

Remediation

Vendor Solution

IBM strongly recommends addressing the vulnerability now by upgrading Langflow OSS to version 1.10.1: https://pypi.org/project/langflow/


OpenCVE Recommended Actions

  • Upgrade IBM Langflow OSS to version 1.10.1.
  • Until the upgrade is feasible, disable the voice mode feature or restrict it to a single-tenant environment.
  • Audit billing logs for anomalies and isolate activities by tenant before resuming normal operations.

Generated by OpenCVE AI on June 30, 2026 at 21:22 UTC.

Advisories

No advisories yet.

History

Tue, 30 Jun 2026 20:15:00 +0000

Values added (no removed values are shown):

  • Description: IBM Langflow OSS 1.0.0 through 1.10.0 voice mode contains improper shared-state handling that allows reuse of API clients across tenant boundaries. An authenticated attacker can manipulate cache state to cause requests from other users to be processed using incorrect upstream API credentials, leading to cross-tenant billing and accountability misattribution.
  • Title: Cross-Tenant API Key Reuse and Billing Fraud in Langflow Voice Mode Subsystem
  • First Time appeared: Ibm; Ibm langflow Oss
  • Weaknesses: CWE-639
  • CPEs: cpe:2.3:a:ibm:langflow_oss:1.0.0:*:*:*:*:*:*:*; cpe:2.3:a:ibm:langflow_oss:1.10.0:*:*:*:*:*:*:*
  • Vendors & Products: Ibm; Ibm langflow Oss
  • References:
  • Metrics: cvssV3_1 {'score': 9.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: ibm

Published:

Updated: 2026-06-30T19:55:31.022Z

Reserved: 2026-05-29T18:50:47.154Z

Link: CVE-2026-10140

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-30T21:30:17Z

Weaknesses
  • CWE-639: Authorization Bypass Through User-Controlled Key