CRITICAL Vulnerability
Verified
Global

NVD CRITICAL: CVE-2026-10140 — IBM Langflow OSS 1.0.0 through 1.10.0 voice mode contains improper shared-state ...

Source: NIST NVD

Executive Summary

IBM Langflow OSS 1.0.0 through 1.10.0 voice mode contains improper shared-state handling that allows reuse of API clients across tenant boundaries. An authenticated attacker can manipulate cache state to cause requests from other users to be processed using incorrect upstream API credentials, leading to cross-tenant billing and accountability misattribution.

Analysis

CVSS Score: 9.6. Published: 2026-06-30T20:17:27.007.

Indicators of Compromise (1)

CVE (1)
CVE-2026-10140

Source Attribution

Originally published by NIST NVD on Jun 30, 2026. Verified by: NIST.