CVE-2026-10561: Langflow: auth bypass + unauthenticated RCE (CVSS 10)

CRITICAL
Published June 22, 2026
CISO Take

IBM Langflow OSS versions 1.0.0 through 1.9.3 carry a CVSS 10.0 vulnerability where improper Python execution isolation combined with an authentication bypass allows any unauthenticated remote attacker to execute arbitrary code on the underlying host — no credentials, no user interaction, no prerequisites required. Langflow is a visual LLM orchestration platform widely used to build AI agent pipelines, meaning a compromised instance exposes every LLM API key, prompt dataset, and connected system reachable from that host. No public exploit is confirmed yet, but the trivial exploitation profile (AV:N/AC:L/PR:N/UI:N with scope change to host) means weaponization and mass scanning are likely within days of disclosure. Immediately upgrade to the patched version per the IBM advisory at ibm.com/support/pages/node/7277242; if patching is not immediately feasible, take internet-facing instances offline and rotate all API keys and credentials accessible from the host.

Sources: NVD, ATLAS, IBM Advisory

What is the risk?

Maximum risk (CVSS 10.0). The authentication bypass eliminates the only access control gate, and the absence of Python execution sandboxing turns every reachable Langflow endpoint into a remote code execution vector for any internet attacker. The scope change flag (S:C) confirms the vulnerability breaks out of the application process boundary to fully compromise the underlying OS. Organizations with any network-exposed Langflow deployment should treat this as an active incident until patched and verified clean.

How does the attack unfold?

  1. Initial Access (AML.T0049): Adversary discovers an internet-exposed Langflow 1.0.0–1.9.3 instance via Shodan/Censys scanning and sends a crafted unauthenticated HTTP request that bypasses the authentication layer.

  2. Code Execution (AML.T0050): The authentication bypass routes the request to a Python code execution endpoint; due to improper isolation, adversary-controlled Python code runs directly within the Langflow process.

  3. Host Escape (AML.T0105): Absent sandboxing of the Python runtime allows the adversary's code to break out of the application boundary and execute arbitrary OS-level commands on the underlying host.

  4. Impact (AML.T0072): Attacker achieves full host compromise, establishing a reverse shell, harvesting LLM API keys and pipeline data, and pivoting laterally to connected AI infrastructure and internal networks.

What systems are affected?

Package Ecosystem Vulnerable Range Patched
Langflow pip No patch

Do you use Langflow? You're affected.

How severe is it?

CVSS 3.1: 10.0 / 10
EPSS: N/A
Exploitation Status: No known exploitation
Sophistication: Trivial

What is the attack surface?

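Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope (S): Changed
Confidentiality (C): High
Integrity (I): High
Availability (A): High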

What should I do?

6 steps
  1. Upgrade Langflow immediately to the patched version — consult the IBM advisory at ibm.com/support/pages/node/7277242 for the fixed release.

  2. If patching is not immediately possible, take internet-facing instances offline or restrict access to trusted IP ranges via firewall rules.

  3. Rotate all LLM API keys, database credentials, and secrets accessible from or stored on the Langflow host.

  4. Review access logs for anomalous unauthenticated requests, unexpected outbound connections, or unusual Python process spawning.

  5. Scan the host for indicators of compromise: new processes, new user accounts, modified cron jobs, or startup script changes.

  6. Enforce network segmentation — Langflow should never be exposed directly to the internet; place it on an isolated internal network with authenticated access only.
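
An added example, not part of the original page or IBM's advisory: a Python check supporting step 1 that flags Langflow pins inside the 1.0.0 through 1.9.3 range stated above, either in a requirements file or in the current environment. The sample file contents and all function names are constructed for illustration; versions above 1.9.3 are reported only as outside the stated range, because the page does not name the fixed release.

```python
import re
from importlib import metadata

# Affected range as stated on this page: Langflow OSS 1.0.0 through 1.9.3.
AFFECTED_MIN, AFFECTED_MAX = (1, 0, 0), (1, 9, 3)
_NAME = r"^\s*langflow(?:\[[^\]]*\])?\s*"
_PIN = re.compile(_NAME + r"===?\s*v?(\d[^\s;#]*)", re.I)
_LOOSE = re.compile(_NAME + r"(?:[<>~!=;#@]|$)", re.I)
# Constructed sample requirements file (not taken from any real deployment).
SAMPLE = ["fastapi==0.110.0", "langflow==1.8.2", "langflow-base==0.0.90",
          "langflow>=1.0", "langflow==1.10.0", "langflow==0.6.19"]


def release_tuple(version):
    """Numeric release part of a version string, cut or padded to 3 fields."""
    m = re.match(r"\s*v?(?:\d+!)?(\d+(?:\.\d+)*)", version)
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(([int(p) for p in m.group(1).split(".")] + [0, 0])[:3])


def is_affected(version):
    # Integer comparison, so 1.10.0 sorts above 1.9.3 (string compare fails).
    # Suffixes are ignored: 1.0.0rc1 and 1.9.3.post1 are flagged (assumption).
    return AFFECTED_MIN <= release_tuple(version) <= AFFECTED_MAX


def audit_requirements(lines):
    """Return (line_no, text, verdict) for each langflow requirement line."""
    findings = []
    for no, line in enumerate(lines, 1):
        pin = _PIN.match(line)
        if pin:
            verdict = "AFFECTED" if is_affected(pin.group(1)) else "outside range"
        elif _LOOSE.match(line):
            verdict = "UNPINNED"  # cannot tell from the file; check the host
        else:
            continue
        findings.append((no, line.strip(), verdict))
    return findings


def installed_verdict():
    """(version, affected?) for langflow in this environment, or None."""
    try:
        version = metadata.version("langflow")
    except metadata.PackageNotFoundError:
        return None
    return version, is_affected(version)
```

An "outside range" verdict for a version above 1.9.3 still needs to be confirmed against the fixed release named in the IBM advisory.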

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act: Article 9 - Risk management system
ISO 42001: A.6.2.3 - AI system security controls
NIST AI RMF: MANAGE 2.2 - Mechanisms to sustain deployment of AI with reduced negative impacts
OWASP LLM Top 10: LLM06:2025 - Excessive Agency

Frequently Asked Questions

Is CVE-2026-10561 actively exploited?

No confirmed active exploitation of CVE-2026-10561 has been reported, but organizations should still patch proactively.

What systems are affected by CVE-2026-10561?

This vulnerability affects the following AI/ML architecture patterns: LLM pipeline orchestration, AI agent frameworks, Visual AI workflow builders, Self-hosted LLM development environments, RAG pipelines.

What is the CVSS score for CVE-2026-10561?

CVE-2026-10561 has a CVSS v3.1 base score of 10.0 (CRITICAL).

What is the AI security impact?

Affected AI Architectures

LLM pipeline orchestration, AI agent frameworks, Visual AI workflow builders, Self-hosted LLM development environments, RAG pipelines

MITRE ATLAS Techniques

AML.T0049 Exploit Public-Facing Application
AML.T0050 Command and Scripting Interpreter
AML.T0055 Unsecured Credentials
AML.T0072 Reverse Shell
AML.T0105 Escape to Host

Compliance Controls Affected

EU AI Act: Article 9
ISO 42001: A.6.2.3
NIST AI RMF: MANAGE 2.2
OWASP LLM Top 10: LLM06:2025

What are the technical details?

Original Advisory

IBM Langflow OSS 1.0.0 through 1.9.3 has a vulnerability due to an improper isolation of Python execution combined with an authentication bypass that allows an unauthenticated attacker to execute arbitrary code on the host system, resulting in complete compromise.

Exploitation Scenario

An adversary scans internet-facing hosts via Shodan or Censys for Langflow installations using default port or banner fingerprinting. Against a target running 1.0.0–1.9.3, they send a crafted unauthenticated HTTP request exploiting the authentication bypass to reach a Python code execution endpoint. Due to lack of sandboxing, their payload runs directly on the host OS — spawning a reverse shell to an attacker-controlled server within seconds. The attacker then harvests LLM API keys from environment variables, exfiltrates pipeline configurations and processed documents, and enumerates internal network services for lateral movement into the organization's broader AI infrastructure.

Weaknesses (CWE)

CWE-94 — Improper Control of Generation of Code ('Code Injection'): The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

  • [Architecture and Design] Refactor your program so that you do not have to dynamically generate code.
  • [Architecture and Design] Run your code in a "jail" or similar sandbox environment that enforces strict boundaries between the process and the operating system. This may effectively restrict which code can be executed by your product. Examples include the Unix chroot jail and AppArmor. In general, managed code may provide some protection. This may not be a feasible solution, and it only limits the impact to the operating system; the rest of your application may still be subject to compromise. Be careful to avoid CWE-243 and other weaknesses related to jails.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Timeline

Published: June 22, 2026
Last Modified: June 22, 2026
First Seen: June 22, 2026
