eastbaycyber

CVE-2026-10134: Unauthenticated RCE in IBM Langflow OSS

CVE explainers 9 min read
SR
Security Research Desk Expert reviewed
Threat intelligence · Human-verified · Updated 2026-06-30
▲ Escalation ViewOne CVE, briefed at three altitudes — skim the Brief, weigh the Impact, or work the Runbook. The way a SOC actually reads it.
CISOBrief · 30-second brief
Field Value
CVE ID CVE-2026-10134
CVSS score 10.0 Critical
Attack vector Network, via Langflow API and public flow build path
Auth required None for the public-flow execution path described by IBM
Patch status Vendor advisory confirms affected versions through 1.9.3; exact fixed version was not confirmed from the available primary-source text

TL;DR - CVE-2026-10134 is a critical RCE in IBM Langflow OSS public flows. - Versions 1.0.0 through 1.9.3 are affected; assume internet-exposed instances are high risk. - No KEV listing or confirmed public PoC was verified, but urgency is still immediate.

What this vulnerability is and why it matters

CVE-2026-10134 is a critical vulnerability in IBM Langflow OSS 1.0.0 through 1.9.3. According to the NVD description and IBM advisory metadata, the issue allows an attacker to reach server-side Python execution through vulnerable flow-building logic tied to PythonCodeStructuredTool. IBM’s advisory title explicitly describes it as Unauthenticated Server-Side RCE via PythonCodeStructuredTool in Public Flows, which is the key operational detail defenders need to understand.

This is not a narrow bug with limited blast radius. The NVD text describes potential full-instance compromise: reading secrets available to the Langflow process, accessing and modifying flows, conversations, messages, file uploads, and saved components, reaching internal services, abusing cloud metadata endpoints, moving laterally across tenants on the same Langflow instance, and establishing persistence by modifying a public flow’s tool_code. For defenders, that means this is not just an application integrity problem. It can become a cloud credential exposure, internal reconnaissance, and persistence event.

AnalystImpact · assess the risk

Affected versions and exposure assumptions

The affected product named by NVD is IBM Langflow OSS, and the affected version range is explicitly stated as 1.0.0 through 1.9.3. That range should be treated as authoritative unless IBM publishes a correction. If your inventory says Langflow OSS is anywhere in that range, you should assume exposure exists until proven otherwise.

The fix version, however, is not confirmed from the source material available here. The vendor advisory excerpt confirms the affected range through 1.9.3, but the remediation section was not available in the retrieved text. In practical terms, defenders should assume that a version later than 1.9.3 is required, but should verify the exact target release in the official IBM bulletin or release notes before upgrading. If you cannot immediately verify the fixed version, the safest near-term position is to remove public exposure and disable workflows that rely on public flows containing code-execution-capable components.

How exploitation works

IBM’s advisory metadata identifies the core unsafe behavior as execution of attacker-controlled Python via:

exec(self.tool_code, globals(), local_namespace)

That line matters because it turns a flow definition field into an execution sink. The advisory metadata indicates two relevant paths. First, an authenticated build path exists at POST /api/v1/build/{flow_id}/flow, where a session token can trigger code execution during flow build. Second, and more seriously, IBM describes an unauthenticated path once a flow is marked PUBLIC: a flow can be set public via PATCH /api/v1/flows/{flow_id} with {"access_type":"PUBLIC"}, after which execution can occur through /api/v1/build_public_tmp/{flow_id}/flow without an Authorization header.

The practical risk is larger than “remote code execution once.” Because NVD notes that a public flow’s tool_code can be modified so later normal /api/v1/build/... operations re-execute attacker code, this creates a persistence mechanism inside expected application behavior. A malicious change to a public flow may survive long enough to repeatedly execute under legitimate user activity, complicating incident response and making log review more important than a simple patch-and-move-on approach.

Exploitation status, PoC status, and what defenders should assume

At the time of writing, exploitation in the wild is not confirmed from the sources provided here. Specifically, CVE-2026-10134 is not listed in CISA’s Known Exploited Vulnerabilities catalog, so there is no KEV-backed confirmation of active exploitation. That said, a KEV absence should not be read as safety. KEV often lags disclosure, and many critical application-layer bugs are exploited before they appear in public government tracking.

Likewise, a public proof of concept was not confirmed from the available source set. No PoC URL was present in the research note’s NVD output, and no attributable repository was verified for this exact CVE. In the absence of a confirmed PoC, defenders should still assume the bug is highly reproducible because the advisory discloses enough implementation detail, affected endpoints, and the code execution sink to materially lower reverse-engineering effort for attackers. For an internet-exposed, multi-tenant, or cloud-connected Langflow deployment, the right assumption is that exploit development time is short.

What to look for right now

Your first priority is determining whether Langflow OSS in the affected range is deployed, whether any flows are public, and whether any recent changes touched tool_code, access controls, or build endpoints. Even if your instance is not internet-exposed, the vulnerability still matters because an internal attacker or compromised user session could mark flows public and use the build path to execute code.

You should also think beyond the application itself. Because the documented impact includes reading process secrets and accessing cloud metadata endpoints, review whether the Langflow process has access to API keys, database credentials, Kubernetes service account tokens, instance metadata, or internal HTTP services. A successful exploit may look like a Langflow event at first but quickly turn into a broader credential-theft or lateral-movement incident.

Technical Notes: Detection

Start with web server, reverse proxy, WAF, or application access logs for the following endpoints:

  • PATCH /api/v1/flows/
  • POST /api/v1/build/
  • POST /api/v1/build_public_tmp/

Concrete patterns worth hunting include unauthenticated POST requests to the public build path, especially from unusual IPs or in bursts. Example grep patterns:

grep -E 'POST /api/v1/build_public_tmp/.*/flow|PATCH /api/v1/flows/.+' /var/log/nginx/access.log
grep -E 'POST /api/v1/build_public_tmp/[A-Za-z0-9_-]+/flow' /var/log/*access*.log

If your logs capture headers, specifically hunt for requests to the public build endpoint without an Authorization header:

jq 'select(.request_uri|test("/api/v1/build_public_tmp/.*/flow")) | {ts, src_ip, method, request_uri, authorization}' /var/log/langflow-access.json

A basic Splunk search might look like this:

index=web (uri_path="/api/v1/build_public_tmp/*/flow" OR uri_path="/api/v1/build/*/flow" OR uri_path="/api/v1/flows/*")
| stats count min(_time) as firstTime max(_time) as lastTime by src_ip http_method uri_path status user_agent authorization
| sort - count

If you have database-level visibility into flow objects, review recent modifications to public flows and specifically inspect any fields named tool_code, component definitions, or serialized flow JSON. Suspicious indicators would include Python imports, shell execution helpers, network libraries, credential access code, or metadata endpoint references such as 169.254.169.254.

Bottom line for defenders

CVE-2026-10134 deserves immediate attention because it combines unauthenticated code execution, secret exposure, data tampering, lateral movement potential, and persistence in a platform that often sits close to AI workflows, APIs, and sensitive credentials. The affected range is clear: IBM Langflow OSS 1.0.0 through 1.9.3. The exact fixed version was not confirmed from the available source excerpt, so defenders should verify it directly from IBM and plan an urgent upgrade.

There is no confirmed KEV listing and no verified public PoC in the source set used for this article. Even so, the vulnerability should be treated as a top-priority remediation item, especially for internet-exposed or multi-tenant deployments. If patching cannot happen immediately, remove public exposure, block the public build path, audit flows for malicious tool_code, and rotate any secrets the Langflow process could access.

For further reading on related vulnerabilities, check out our articles on Firewall and Edge Device CVEs and the Small Business Backup Strategy.

ResponderRunbook · act now

Mitigation and patching

The preferred mitigation is to upgrade out of the affected range, because the documented root cause is unsafe execution of attacker-controlled Python during build processing. Since the exact fixed version number was not confirmed in the source text available here, verify the remediation release in IBM’s official advisory before changing production version pinning. Until you can validate the fixed target, treat all versions 1.0.0 through 1.9.3 as vulnerable.

If you cannot upgrade immediately, reduce exposure aggressively. Remove public access to Langflow, disable or restrict public flows, place the application behind strong authentication, and block direct access to build-related endpoints from untrusted networks. If the product must remain online, enforce network-level restrictions so only trusted administrators or application frontends can reach the Langflow API. Also review outbound egress rules to block cloud metadata endpoints and unnecessary internal service access, since the vulnerability can be used for SSRF-like follow-on actions and credential theft after code execution.

Technical Notes: Mitigation

If Langflow is deployed with Docker Compose, first identify the exact image tag in use and update it to the vendor-confirmed fixed release once verified:

docker compose ps
docker compose pull
docker compose up -d

If your deployment pins a version in an environment file or compose file, update that explicit tag only after confirming the fixed version from IBM:

grep -R "langflow" docker-compose.yml .env
sed -i 's/langflow:1\.9\.3/langflow:<FIXED_VERSION>/g' docker-compose.yml
docker compose pull && docker compose up -d

If Langflow was installed via Python packaging and you have confirmed a fixed release later than 1.9.3, the upgrade pattern will typically be:

python -m pip install --upgrade "langflow><FIXED_VERSION>"

Use the exact vendor-confirmed version string in place of the placeholder. Do not guess.

For immediate workaround controls, block the unauthenticated public build path at the reverse proxy if your deployment does not require it:

location ~ ^/api/v1/build_public_tmp/.*/flow$ {
    deny all;
    return 403;
}

And if public sharing is not a business requirement, block requests attempting to toggle flows to public:

location ~ ^/api/v1/flows/.+$ {
    limit_except GET {
        allow 10.0.0.0/8;
        deny all;
    }
}

Those controls are not substitutes for patching, but they can materially reduce exploitability while you validate the proper fixed version and complete change management.

Incident response considerations

If you suspect compromise, do not limit the investigation to the Langflow UI or API objects. Because the documented impact includes secret theft, internal service access, and cloud metadata access, rotate credentials available to the Langflow process, including database passwords, API tokens, service account secrets, and cloud keys. Review whether the host or container had access to metadata services, internal control planes, or neighboring tenant resources.

Also assume persistence may have been established through modified flow definitions. That means simply restarting the service may not remove the attacker’s foothold if malicious tool_code remains embedded in stored public flows. Export and review flow definitions, compare them to known-good versions, and preserve logs and application data for forensic analysis before making destructive changes.

References

Source URL
NVD record https://nvd.nist.gov/vuln/detail/CVE-2026-10134
IBM advisory https://www.ibm.com/support/pages/security-bulletin-unauthenticated-server-side-rce-pythoncodestructuredtool-public-flows
IBM support reference https://www.ibm.com/support/pages/node/7277559
CISA KEV catalog https://www.cisa.gov/known-exploited-vulnerabilities-catalog

This article may contain affiliate links. We earn a commission on qualifying purchases at no extra cost to you.

Last verified: 2026-06-30

Disclaimer: This article may contain affiliate links. We earn a commission on qualifying purchases at no extra cost to you.