CVE-2026-10134
CRITICALUnauthenticated Server-Side RCE via PythonCodeStructuredTool in Public Flows
Title source: cnaDescription
IBM Langflow OSS 1.0.0 through 1.9.3 allows an attacker to read every secret available to the Langflow process, read and modify every flow, conversation, message, file upload, and saved component in the Langflow database, can connect to internal services, abuse cloud metadata endpoints, laterally move to other tenants on the same Langflow instance, and Establish persistence by modifying the public flow's `tool_code` so normal `/api/v1/build/...` calls by any user re-execute attacker code at each build.
References (1)
Core 1
Core References
Vendor Advisory vendor-advisory
patch
https://www.ibm.com/support/pages/node/7277559
Scores
CVSS v3
10.0
EPSS
0.0031
EPSS Percentile
23.3%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
total
Details
CWE
CWE-94
Status
published
Products (2)
IBM/Langflow OSS
1.0.0 - 1.9.3
langflow/langflow
1.0.0 - 1.9.3
Published
Jun 30, 2026
Tracked Since
Jul 01, 2026