IBM security researchers discovered six severe Langflow OSS vulnerabilities. These flaws allow attackers to execute arbitrary code, bypass authorizations, and steal sensitive data. Administrators must update systems immediately to prevent potential server compromises.
Why It Matters
Langflow OSS vulnerabilities pose a massive threat to developers building AI applications. Attackers can gain complete system control quickly. They can read sensitive files, modify databases, and connect to internal services. Also, billing fraud is a serious risk for multi-tenant environments. A single breach could expose all tenant secrets and infrastructure data. Businesses might face severe financial losses and reputational damage.
How the Attack Works
Several different attack mechanisms exist across these six flaws. First, CVE-2026-10134 allows unauthenticated remote code execution. Attackers inject malicious Python code through the PythonCodeStructured Tool in public flows. The server then executes this code during the build process using the exec() function.
Next, CVE-2026-7803 enables flow validation bypasses. Attackers submit nodes with empty component type fields. This trick forces the validator to skip blocking disabled custom components. Therefore, malicious code runs silently at build time.
Furthermore, CVE-2026-7871 involves insecure deserialization in the cache backend. The Redis cache service uses dill.loads() without verifying integrity. Consequently, attackers can inject malicious payloads into Redis. These payloads execute when any worker reads the cache.
Additional Mechanisms
Additionally, CVE-2026-7873 allows code injection in the code validation endpoint. Attackers exploit Python's default argument evaluation: default values are evaluated when the function is defined, not when it is called. An expression placed in a default argument can therefore execute arbitrary OS commands without the function ever being called.
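The definition-time behaviour behind CVE-2026-7873 can be detected statically. The sketch below is an added example, not Langflow code or its patch: it parses submitted source with `ast` and flags calls in default arguments, decorators and class bases, all of which run as soon as the definition executes. The names `definition_time_calls`, `define_only`, `SAMPLE` and `EVENTS` are hypothetical, and the sample input is constructed with a harmless side effect.

```python
import ast

# Constructed sample: a function whose default argument is a call expression.
# Appending to EVENTS stands in for any side effect; nothing here is from Langflow.
SAMPLE = '''
def helper(x, stamp=EVENTS.append("default evaluated")):
    return x
'''


def definition_time_calls(source: str) -> list[tuple[int, str]]:
    """Return (line, kind) for each call that runs when a def/class statement
    executes, i.e. before the function or class is ever used."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef)):
            args = node.args
            exprs = [("default", d) for d in args.defaults]
            exprs += [("default", d) for d in args.kw_defaults if d is not None]
            exprs += [("decorator", d) for d in node.decorator_list]
        elif isinstance(node, ast.ClassDef):
            exprs = [("decorator", d) for d in node.decorator_list]
            exprs += [("class base", b) for b in node.bases]
            exprs += [("class keyword", k.value) for k in node.keywords]
        else:
            continue
        for kind, expr in exprs:
            # One finding per expression is enough to reject the submission.
            for sub in ast.walk(expr):
                if isinstance(sub, ast.Call):
                    findings.append((sub.lineno, kind))
                    break
    return findings


def define_only(source: str) -> list[str]:
    """Execute the definitions without calling them; return observed side effects."""
    events: list[str] = []
    exec(compile(source, "<sample>", "exec"), {"EVENTS": events})
    return events


if __name__ == "__main__":
    print(define_only(SAMPLE))            # side effect occurs at definition time
    print(definition_time_calls(SAMPLE))  # static check flags it without executing
```

A check like this is a pre-filter that runs before any `exec()`, not a sandbox: it does not cover annotations, class bodies or module-level statements, so untrusted code still needs isolation.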
Finally, CVE-2026-10140 and CVE-2026-7663 cause severe authorization issues. The voice mode subsystem caches API keys improperly within a process-global singleton. This error allows cross-tenant API key reuse and billing fraud. Meanwhile, the Streamable MCP transport endpoint fails to enforce project ownership controls. Attackers can then access protected resources without authentication.
Exploitation Status
Currently, no active exploitation in the wild is confirmed by primary sources. However, researchers validated four proof-of-concept scenarios for the MCP authorization bypass. Users of the popular Langflow package must remain vigilant. Install counts are not officially confirmed, but the widespread use of this package makes the attack surface large.
Affected Versions
These vulnerabilities impact multiple versions of the software. Most flaws affect Langflow OSS versions 1.0.0 through 1.10.0. Specifically, CVE-2026-10134 affects versions 1.0.0 up to 1.9.3. Furthermore, CVE-2026-7663 impacts versions 1.0.0 up to 1.9.6.
Patch or Mitigation Steps
IBM strongly recommends upgrading Langflow OSS immediately. You should install version 1.10.1 to address the majority of these flaws. Version 1.10.0 patches the MCP authorization bypass and the unauthenticated RCE flaw. Administrators should verify their configurations after updating. Restarting the process is also necessary to clear improperly cached API keys.