HarborGuardharborguardDatabase
Back to search
CRITICALCVE-2026-10134Published Modified CNA ibm

CVE-2026-10134: Unauthenticated Server-Side RCE via PythonCodeStructuredTool in Public Flows

IBM Langflow OSS 1.0.0 through 1.9.3 allows an attacker to read every secret available to the Langflow process, read and modify every flow, conversation, message, file upload, and saved component in the Langflow database, can connect to internal services, abuse cloud metadata endpoints, laterally move to other tenants on the same Langflow instance, and Establish persistence by modifying the public flow's `tool_code` so normal `/api/v1/build/...` calls by any user re-execute attacker code at each build.

Metrics

CVSS v3.1
10.0
Severity
CRITICAL
Fixed in
Affected Products
1

Get notified

Email me when this CVE is updated: new fix versions, severity changes, or any record change.

HarborGuard Analysis

Synopsis

An unauthenticated remote code execution vulnerability exists in IBM Langflow OSS versions 1.0.0 through 1.9.3, affecting the PythonCodeStructuredTool component in publicly accessible flows. An attacker reachable over the network with no credentials whatsoever can send a crafted request to a public flow endpoint and execute arbitrary Python code inside the Langflow server process. Successful exploitation grants full read and write access to all flows, secrets, and database contents, plus the ability to establish persistent code execution for every subsequent user who triggers a build. No upstream fix has been published; HarborGuard is tracking the advisory for patch availability.

HarborGuard Coverage

Detection

Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images, including custom-built Langflow-derived images, regardless of base image source. Any image found running IBM Langflow OSS at a version between 1.0.0 and 1.9.3 is flagged immediately.

Available
Triage

HarborGuard scores this finding at CVSS 10.0 (Critical) and surfaces it at the top of each affected environment's vulnerability queue. Per-environment compliance policy weighting is applied automatically, and the finding is routed to the inbox of the team responsible for the affected workload within each customer organization.

Available
Patch

Because no upstream fix version exists for this CVE, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment IBM publishes a corrected release. In the interim, customers with compensating-control policies enabled can receive automated network-policy isolation recommendations to restrict public flow endpoint exposure while the advisory remains open.

Pending upstream

Exploit Conditions

  • Network reachabilityRequired

    The vulnerable endpoint is exposed over the network; an attacker must be able to reach the Langflow service via HTTP/HTTPS to trigger the PythonCodeStructuredTool execution path.

  • AuthenticationNot required

    No credentials of any kind are required; the vulnerability is reachable through public flow endpoints without any login or token.

  • Victim interactionNot required

    No user action is needed to trigger the initial exploit; the attacker sends a direct request to the build API without any victim involvement.

  • Attack complexityDetail

    Exploitation is reliable and condition-free; no race condition, memory layout dependency, or environmental prerequisite stands between the attacker and code execution.

Blast Radius

  • Reads every secret (API keys, credentials, environment variables) accessible to the Langflow server process.
  • Reads and overwrites all flows, conversations, messages, file uploads, and saved components in the Langflow database.
  • Connects to internal services and cloud metadata endpoints (such as the AWS instance metadata service), enabling lateral movement to other tenants on the same Langflow instance.
  • Establishes persistence by rewriting a public flow's tool_code so that every subsequent user-triggered build re-executes attacker-controlled Python code server-side.

How HarborGuard Handles This

Available on HarborGuard: this CVE is matched against all images running IBM Langflow OSS 1.0.0 through 1.9.3 and flagged Critical immediately upon ingestion. Because IBM has not published a fix version, no patched-image rebuild is yet available; HarborGuard monitors the advisory on every ingest cycle and will initiate a rebuild automatically the moment an upstream fix is released. For customers who opt into compensating-control recommendations, HarborGuard can surface network-policy isolation rules to restrict inbound access to Langflow build and flow endpoints, limiting the exploitable attack surface while the advisory remains open. Egress filtering suggestions to block access to cloud metadata endpoints (such as 169.254.169.254) are also surfaced where environment configuration permits. Customers are encouraged to review their Langflow deployment exposure and apply access controls at the load-balancer or service-mesh layer until IBM ships a patch.

See how HarborGuard automates this
Affected packages
  • IBM / Langflow OSS
    ≤ 1.9.3
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
References