CVE-2026-10134 Overview
CVE-2026-10134 affects IBM Langflow OSS versions 1.0.0 through 1.9.3. The vulnerability allows unauthenticated network attackers to execute arbitrary code within the Langflow process. Attackers can read every secret available to Langflow, access and modify flows, conversations, messages, file uploads, and saved components. The flaw also enables lateral movement between tenants sharing the same Langflow instance and abuse of cloud metadata endpoints. Attackers can establish persistence by modifying a public flow's tool_code, forcing re-execution of attacker-controlled code on every subsequent /api/v1/build/... call. The issue is tracked as improper control of generated code [CWE-94].
Critical Impact
Unauthenticated remote code execution with full access to secrets, tenant data, cloud metadata, and persistent compromise across all users of the Langflow instance.
Affected Products
- IBM Langflow OSS 1.0.0 through 1.9.3
- Langflow deployments exposing /api/v1/build/... endpoints
- Multi-tenant Langflow instances hosting public flows
Discovery Timeline
- 2026-06-30 - CVE-2026-10134 published to NVD
- 2026-07-02 - Last updated in NVD database
Technical Details for CVE-2026-10134
Vulnerability Analysis
The vulnerability stems from improper control of code generation [CWE-94] in Langflow's flow-building pipeline. Langflow accepts user-supplied component definitions, including a tool_code field that is executed by the Langflow process during flow builds. Because the code is evaluated inside the server process, an attacker who can submit or modify a flow gains direct execution in the Langflow runtime.
The attack surface extends beyond authenticated users. Public flows are accessible without prior authentication, and modifications to their tool_code persist across builds. Any subsequent invocation of /api/v1/build/... by any user re-runs the attacker's payload. This creates durable persistence tied to the flow object rather than an active session.
Execution inside the Langflow process grants access to every secret the process can read, the full database of flows, conversations, messages, and uploads, and network egress from the host. In cloud deployments, this includes instance metadata services such as 169.254.169.254, enabling credential theft and privilege escalation into the surrounding cloud tenancy.
Root Cause
Langflow evaluates untrusted tool_code supplied through its component and flow APIs without sandboxing or code-generation controls. The process runs with broad access to secrets, storage, and network resources shared across tenants.
Attack Vector
The attack vector is network-based and requires no authentication or user interaction. An attacker sends a crafted flow or component update containing malicious tool_code, then triggers a build via /api/v1/build/.... The Langflow process executes the payload with the identity and privileges of the service. Refer to the IBM Support Page for vendor-provided technical detail.
Detection Methods for CVE-2026-10134
Indicators of Compromise
- Unexpected modifications to public flows or saved components, particularly changes to tool_code fields.
- Outbound requests from the Langflow host to cloud metadata endpoints such as 169.254.169.254 or metadata.google.internal.
- Anomalous processes spawned by the Langflow runtime, including shells, curl, or Python subprocesses invoked during builds.
- Access to secret stores, environment variables, or database records outside normal flow-execution patterns.
Detection Strategies
- Audit HTTP access logs for unauthenticated POST/PATCH traffic to component and flow APIs followed by /api/v1/build/... calls.
- Baseline the set of public flows and alert on any change to tool_code, code, or component source fields.
- Monitor Langflow container or host processes for child processes and outbound connections that deviate from normal flow execution.
Monitoring Recommendations
- Forward Langflow application logs, container runtime events, and cloud audit logs to a centralized analytics platform for correlation.
- Enable alerts on cloud metadata endpoint access originating from the Langflow workload.
- Track database writes to flow and component tables, and review changes made by service or anonymous identities.
How to Mitigate CVE-2026-10134
Immediate Actions Required
- Restrict network access to Langflow so only trusted, authenticated users can reach the API surface.
- Disable or remove public flows until the instance is upgraded to a fixed release.
- Rotate all secrets, API keys, and cloud credentials accessible to the Langflow process.
- Review flow and component tables for unauthorized tool_code modifications and revert them.
Patch Information
Refer to the IBM Support Page for CVE-2026-10134 for fixed versions and upgrade instructions. Upgrade Langflow OSS beyond the affected range 1.0.0 through 1.9.3 as directed by the vendor advisory.
Workarounds
- Place Langflow behind an authenticating reverse proxy and block anonymous access to /api/v1/build/... and component endpoints.
- Block egress from the Langflow workload to cloud metadata endpoints using host firewall rules or IMDSv2 enforcement.
- Run Langflow in a dedicated, least-privilege service account with no access to shared secrets or cross-tenant data.
- Isolate each tenant in a separate Langflow instance until a patched version is deployed.
# Example egress restriction to cloud metadata service (Linux iptables)
iptables -A OUTPUT -m owner --uid-owner langflow -d 169.254.169.254 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

