Loading market data...
← Back to CVE feed

CVE-2026-10140

CRITICAL CVSS 9.6 View on NVD ↗

Description

IBM Langflow OSS 1.0.0 through 1.10.0 voice mode contains improper shared-state handling that allows reuse of API clients across tenant boundaries. An authenticated attacker can manipulate cache state to cause requests from other users to be processed using incorrect upstream API credentials, leading to cross-tenant billing and accountability misattribution.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
Published: Jun 30, 2026 20:17 UTC Modified: Jul 01, 2026 15:16 UTC