HarborGuardharborguardDatabase
Back to search
CRITICALCVE-2026-10140Published Modified CNA ibm

CVE-2026-10140: Cross-Tenant API Key Reuse and Billing Fraud in Langflow Voice Mode Subsystem

IBM Langflow OSS 1.0.0 through 1.10.0 voice mode contains improper shared-state handling that allows reuse of API clients across tenant boundaries. An authenticated attacker can manipulate cache state to cause requests from other users to be processed using incorrect upstream API credentials, leading to cross-tenant billing and accountability misattribution.

Metrics

CVSS v3.1
9.6
Severity
CRITICAL
Fixed in
Affected Products
1

Get notified

Email me when this CVE is updated: new fix versions, severity changes, or any record change.

HarborGuard Analysis

Synopsis

This is an improper shared-state handling vulnerability in IBM Langflow OSS versions 1.0.0 through 1.10.0, specifically in the voice mode subsystem. An authenticated attacker can reach the affected service over the network and manipulate internal cache state to cause other tenants' requests to be processed under the wrong upstream API credentials. Successful exploitation gives the attacker the ability to fraudulently consume billing quota attributed to other tenants and break accountability tracing across tenant boundaries. HarborGuard is tracking this advisory and will make a patched-image rebuild available the moment an upstream fix is published.

HarborGuard Coverage

Detection

Detection of CVE-2026-10140 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built images that bundle Langflow OSS. Any image running an affected version (1.0.0 through 1.10.0) will surface in the findings dashboard automatically.

Available
Triage

HarborGuard scores this finding at CVSS 9.6 (Critical) using the published v3.1 vector and layers per-environment compliance policy weighting on top to adjust priority for each customer context. Findings are routed to the team inbox or ticketing integration configured for the affected workload within the customer org.

Available
Patch

Because no upstream fix version has been published yet, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment IBM or the Langflow maintainers ship a corrective release. Customers with auto-remediation enabled will receive the rebuilt image, a regression-test run, and a PR opened against affected workloads without manual intervention.

Pending upstream

Exploit Conditions

  • Network reachabilityRequired

    The attacker must reach the Langflow voice mode API endpoint over the network; the CVSS vector specifies AV:N, meaning any internet- or intranet-exposed deployment is in scope.

  • AuthenticationRequired

    The attacker must hold a valid account with at least low-privilege access; the CVSS vector specifies PR:L, so a standard user account is sufficient and no administrative credentials are needed.

  • Victim interactionNot required

    No action is required from any other user or administrator; the CVSS vector specifies UI:N, so the attacker can trigger cross-tenant cache manipulation entirely on their own.

  • Attack complexityDetail

    The CVSS vector specifies AC:L, meaning the exploit is reliable and does not depend on race conditions, specific memory layout, or other environmental factors that must be precisely timed.

Blast Radius

  • Reads upstream API credentials belonging to other tenants as those credentials are substituted into the attacker's request pipeline.
  • Causes billable API usage (voice mode calls) to be charged to victim tenants rather than the attacker, enabling direct financial fraud.
  • Breaks audit and accountability logs so that requests originating from one tenant are recorded under another tenant's identity.
  • Integrity of billing records and usage attribution is corrupted across any tenant whose requests are processed through the manipulated cache entry.

How HarborGuard Handles This

Available on HarborGuard: CVE-2026-10140 is flagged Critical (CVSS 9.6) with no fix currently published, so HarborGuard monitors the advisory on every ingest cycle and will trigger a patched-image rebuild the moment an upstream release is available. For customers with auto-remediation enabled, that rebuild will immediately be followed by a regression-test run and a PR opened against affected workloads. In the interim, recommended compensating controls include applying network policy to restrict which services can reach the Langflow voice mode endpoint (limiting exposure to AV:N), enforcing strict tenant isolation at the API gateway layer to prevent shared session or cache objects from crossing tenant boundaries, and disabling voice mode entirely via feature-flag or deployment configuration if the feature is not operationally required. HarborGuard will surface the advisory in the findings dashboard for any image in scope so that remediation priority can be weighed against each environment's compliance policy.

See how HarborGuard automates this
Affected packages
  • IBM / Langflow OSS
    ≤ 1.10.0
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
References