How is CVE-2026-10561 exploited?

Network reachability (required): The vulnerable component is exposed over the network; an attacker must be able to reach the Langflow OSS service via HTTP or equivalent network path to deliver the payload. Authentication (not-required): No credentials or session token of any kind are needed; the authentication bypass allows exploitation by any unauthenticated network caller. Victim interaction (not-required): The attacker does not need to trick or wait for any user action; exploitation is fully server-side with no social-engineering step required. Attack complexity (info): Attack complexity is low, meaning the exploit is reliable and imposes no special preconditions such as race conditions, specific memory layout, or environmental configuration.

What is the impact of CVE-2026-10561?

The attacker executes arbitrary Python code as the process user on the host system, gaining an interactive foothold equivalent to a shell. All data accessible to the Langflow process (environment variables, secrets, API keys, model configs) is readable by the attacker. The attacker can write, modify, or delete files and data on the host filesystem and any mounted volumes. The host service and any dependent services sharing the same runtime can be crashed or taken over, causing full availability loss.

Back to search

CRITICALCVE-2026-10561Published 2026-06-22Modified 2026-06-22CNA ibm

CVE-2026-10561: Unauthenticated Remote Code Execution in Langflow OSS PythonREPLComponent via Builtins Injection

IBM Langflow OSS 1.0.0 through 1.9.3 has an vulnerability due to an improper isolation of Python execution combined with an authentication bypass that allows an unauthenticated attacker to execute arbitrary code on the host system, resulting in complete compromise

CVSS v3.1: 10.0
Severity: CRITICAL
Fixed in: —
Affected Products: 1

HarborGuard Analysis

Synopsis

An unauthenticated remote code execution vulnerability affects IBM Langflow OSS versions 1.0.0 through 1.9.3, caused by improper isolation of the Python execution environment combined with an authentication bypass in the PythonREPLComponent. An attacker reachable over the network requires no credentials and no victim interaction to exploit this flaw. Successful exploitation gives the attacker arbitrary code execution on the host system, resulting in full compromise of confidentiality, integrity, and availability. HarborGuard is tracking this advisory and will make a patched-image rebuild available the moment an upstream fix is published.

HarborGuard Coverage

Detection

Detection of CVE-2026-10561 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images in connected registries and CI/CD pipelines, including custom-built images derived from affected Langflow OSS base layers.

Available

Triage

HarborGuard scores this CVE at CVSS 10.0 Critical and weights it against each environment's active compliance policy before routing the alert to the appropriate team inbox within the customer organization.

Available

Patch

Because no upstream fix version has been published, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment IBM or the Langflow OSS project ships a remediated release. For customers who opt into auto-remediation, the rebuild, regression run, and PR against affected workloads will be triggered without manual intervention once a fix version becomes available.

Pending upstream

Exploit Conditions

Network reachabilityRequired
The vulnerable component is exposed over the network; an attacker must be able to reach the Langflow OSS service via HTTP or equivalent network path to deliver the payload.
AuthenticationNot required
No credentials or session token of any kind are needed; the authentication bypass allows exploitation by any unauthenticated network caller.
Victim interactionNot required
The attacker does not need to trick or wait for any user action; exploitation is fully server-side with no social-engineering step required.
Attack complexityDetail
Attack complexity is low, meaning the exploit is reliable and imposes no special preconditions such as race conditions, specific memory layout, or environmental configuration.

Blast Radius

The attacker executes arbitrary Python code as the process user on the host system, gaining an interactive foothold equivalent to a shell.
All data accessible to the Langflow process (environment variables, secrets, API keys, model configs) is readable by the attacker.
The attacker can write, modify, or delete files and data on the host filesystem and any mounted volumes.
The host service and any dependent services sharing the same runtime can be crashed or taken over, causing full availability loss.

How HarborGuard Handles This

Available on HarborGuard: every image in a connected registry or pipeline is scanned against CVE-2026-10561 within minutes of advisory ingestion, covering both official Langflow OSS images and any custom images built on top of affected versions (1.0.0 through 1.9.3). Because no upstream fix exists at this time, the recommended compensating controls are to apply strict network-policy isolation that blocks unauthenticated inbound access to the Langflow service port, enforce egress filtering to limit lateral movement from a compromised container, and consider disabling or gating the PythonREPLComponent via feature-flag or deployment configuration until a patch is available. HarborGuard monitors the IBM and Langflow OSS advisory channels on every ingest cycle; the moment a fix version is published, a patched-image rebuild becomes available, and for customers with auto-remediation enabled, a rebuilt image, regression test run, and pull request against affected workloads are triggered automatically.

See how HarborGuard automates this

Affected packages

IBM / Langflow OSS
≤ 1.9.3

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

References

ibm.com

Metrics

Get notified