CVE-2026-10140: IBM Langflow OSS 1.0.0 through 1.10.0 voice mode contains improper shared-state handling that allows reuse of API client
Summary
IBM Langflow OSS versions 1.0.0 through 1.10.0 have a vulnerability in voice mode where API client credentials are improperly shared across different tenants (separate user accounts or organizations). An authenticated attacker can manipulate cached data to make requests from other users run under wrong API credentials, leading to incorrect billing charges and misattribution of actions to the wrong user.
Vulnerability Details
9.6(critical)
EPSS: 0.0%
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
network
low
low
none
June 30, 2026
Classification
Affected Vendors
Related Issues
Original source: https://nvd.nist.gov/vuln/detail/CVE-2026-10140
First tracked: June 30, 2026 at 08:09 PM
Classified by LLM (prompt v3) · confidence: 92%