CVE-2026-10140
Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
30/06/2026
Last modified:
02/07/2026
Description
IBM Langflow OSS 1.0.0 through 1.10.0 voice mode contains improper shared-state handling that allows reuse of API clients across tenant boundaries. An authenticated attacker can manipulate cache state to cause requests from other users to be processed using incorrect upstream API credentials, leading to cross-tenant billing and accountability misattribution.
Impact
Base Score 3.x
9.60
Severity 3.x
CRITICAL
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:langflow:langflow:*:*:*:*:*:*:*:* | 1.0.0 (including) | 1.10.0 (including) |
To consult the complete list of CPE names with products and versions, see this page



