CVE-2026-10140
Cross-Tenant API Key Reuse and Billing Fraud in Langflow Voice Mode Subsystem
Vexday Risk Score
25 (Low)
SSVC decision (CISA)
Track
No exploitation signal → monitor
CVSS 9.6 · EPSS — · KEV: no · PoC — · Nuclei — · Metasploit — · Patch: referenced
Lifecycle
30 Jun 2026: Published on NVD
Recommendation: Monitor — no exploitation signal at the moment.
The voice mode subsystem of IBM Langflow OSS 1.0.0 through 1.10.0 handles shared state improperly, allowing upstream API clients to be reused across tenant boundaries. An authenticated attacker can manipulate the cache state so that requests from other users are processed with upstream API credentials that do not belong to them, leading to cross-tenant billing and accountability misattribution: usage is charged to, and logged under, the wrong account.
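The pattern behind this class of bug, as an added illustration (constructed for this page, not Langflow's code; the advisory does not disclose the actual cache key or call path): a process-wide client cache keyed by something that is not tenant-specific, so whichever user populates the slot first decides whose upstream key every later caller is billed against, beside a cache keyed by tenant and credential fingerprint. `UpstreamClient`, `transcribe` and the tenant names are hypothetical stand-ins.

```python
"""Shared API-client cache leaking credentials across tenants vs. a per-tenant cache.

Constructed example for illustration; not Langflow's own code. UpstreamClient is a
hypothetical stand-in for a speech/LLM SDK client.
"""
import hashlib
from dataclasses import dataclass
from typing import Callable, Dict, Tuple


@dataclass
class UpstreamClient:
    """Records which API key it was built with; that key is the one that gets billed."""
    api_key: str

    def transcribe(self, audio: bytes) -> dict:
        # Hypothetical upstream call: returns the key the provider would charge.
        return {"billed_key": self.api_key, "bytes": len(audio)}


# --- Vulnerable pattern: cache keyed only by model name ----------------------------
_shared_clients: Dict[str, UpstreamClient] = {}


def get_client_vulnerable(model: str, api_key: str) -> UpstreamClient:
    """First caller to populate the slot wins; later callers silently reuse its key."""
    client = _shared_clients.get(model)
    if client is None:
        client = UpstreamClient(api_key)
        _shared_clients[model] = client
    return client  # api_key of the current caller is ignored on a cache hit


# --- Hardened pattern: cache keyed by tenant and credential fingerprint -------------
_tenant_clients: Dict[Tuple[str, str, str], UpstreamClient] = {}


def _key_fingerprint(api_key: str) -> str:
    # Hash rather than store the raw secret in the cache key.
    return hashlib.sha256(api_key.encode()).hexdigest()


def get_client_safe(tenant_id: str, model: str, api_key: str) -> UpstreamClient:
    """A different tenant or a rotated key can never hit another tenant's entry."""
    cache_key = (tenant_id, model, _key_fingerprint(api_key))
    client = _tenant_clients.get(cache_key)
    if client is None:
        client = UpstreamClient(api_key)
        _tenant_clients[cache_key] = client
    return client


# Constructed tenants: each brings its own upstream key to voice mode.
TENANTS = [("alice", "sk-alice"), ("bob", "sk-bob")]
AUDIO = b"\x00\x01" * 16  # constructed sample audio frame


def _run(get_client: Callable[[str, str], UpstreamClient]) -> Dict[str, str]:
    """Each tenant transcribes once, in order; return which key each was billed to."""
    billed = {}
    for tenant, key in TENANTS:
        billed[tenant] = get_client(tenant, key).transcribe(AUDIO)["billed_key"]
    return billed


def run_vulnerable() -> Dict[str, str]:
    _shared_clients.clear()
    return _run(lambda tenant, key: get_client_vulnerable("whisper-1", key))


def run_hardened() -> Dict[str, str]:
    _tenant_clients.clear()
    return _run(lambda tenant, key: get_client_safe(tenant, "whisper-1", key))


if __name__ == "__main__":
    print("vulnerable:", run_vulnerable())  # bob is billed to alice's key
    print("hardened:  ", run_hardened())    # each tenant billed to its own key
```

In the vulnerable run Bob's request is charged to Alice's key even though Bob supplied his own, which is exactly the billing and accountability misattribution the advisory describes. The check to apply when reviewing any client or connection pool: confirm that the cache key includes every input that determines whose credentials the cached object carries.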
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
Affected products
IBM · Langflow OSS