CVE-2026-10140
Cross-Tenant API Key Reuse and Billing Fraud in Langflow Voice Mode Subsystem
Vexday Risk Score
25 Low
SSVC Decision (CISA)
Track
No sign of exploitation → monitor
CVSS 9.6 · EPSS — · KEV no · PoC — · Nuclei — · Metasploit — · Patch referenced
Lifecycle
30 Jun 2026: Published in NVD
Recommendation: Monitor. No sign of exploitation for now.
IBM Langflow OSS 1.0.0 through 1.10.0 voice mode contains improper shared-state handling that allows reuse of API clients across tenant boundaries. An authenticated attacker can manipulate cache state to cause requests from other users to be processed using incorrect upstream API credentials, leading to cross-tenant billing and accountability misattribution.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
Affected products
IBM · Langflow OSS