Critical Langflow Flaw CVE-2026-10561 (CVSS 10.0): Unauthenticated RCE

Top/Articles/Critical Langflow Flaw CVE-2026-10561 (CVSS 10.0): Unauthenticated RCE — Update to 1.9.4 Now

News Updated today

Makoto Horikawa

Backend Engineer / AWS / Django

2026.06.237 min0 views

Share X Hatena LINE LinkedIn RSS

Key takeaways

Langflow, the popular low-code AI agent builder, has a maximum-severity flaw (CVSS 10.0, CVE-2026-10561). If exposed to the internet, an attacker can fully take over the server with no login required. Versions 1.0.0–1.9.3 are affected; update to 1.9.4 and cut off external access now.

Langflow, a popular tool that lets you build AI agents and chatbots by dragging and connecting visual blocks instead of writing much code, has a flaw rated at the highest severity. It is tracked as CVE-2026-10561, with a CVSS score of 10.0 (the maximum, "Critical"). The advisory from vendor IBM was published on June 22, 2026.

The problem: with no login or password required, a remote attacker can run arbitrary programs on the server. In technical terms this is an "unauthenticated remote code execution (RCE)," and a successful attack means the entire server is taken over. All versions from 1.0.0 through 1.9.3 are affected. A fixed release, 1.9.4, is available, and users should update immediately.

Software	Langflow OSS (open-source edition)
CVE	CVE-2026-10561
Severity	CVSS 10.0 (Critical, maximum)
Affected	1.0.0 – 1.9.3
Fixed in	1.9.4 and later
Attack conditions	No login / over the network / no user action
Published	June 22, 2026

Who is at risk, and what is the damage

This is not an attacker who picks a specific target. It is an attacker who uses automated tools to constantly scan the internet for exposed Langflow servers. The most dangerous setup is a quick test environment, spun up during the AI rush, that ends up reachable from the outside and then forgotten.

Against a server they find, the attacker skips the login entirely and runs commands and programs of their choice on that server. No ID, no password, and no careless click from a user is needed. Simply sending crafted data to the exposed endpoint makes the server obey.

The aftermath is severe and comes in two stages. Langflow often stores API keys and access tokens for the AI models and external services it connects to, and these are stolen at once. End users may have personal data or conversations exposed; the operating company faces fraudulent charges using the stolen keys, destruction of stored data, and the server being used as a stepping stone into other internal systems. That is why the update and exposure review below are urgent.

This is not hypothetical. Earlier Langflow flaws of the same kind were abused by a self-spreading botnet called "Flodrix" and by the Iran-linked group "MuddyWater," and have repeatedly appeared on the U.S. Known Exploited Vulnerabilities (CISA KEV) catalog. CVE-2026-10561 is the latest in that same lineage.

What Langflow actually is

Langflow lets you assemble AI agents and document-grounded answering systems (known as RAG) by dragging blocks on a canvas and connecting them with lines. Because even people who do not write code can build AI pipelines, it spread quickly. Its public GitHub repository has nearly 150,000 stars, making it one of the most active open-source AI tools. It is now developed under IBM.

Behind the convenience is a structural weakness. Some of the blocks let users write and run their own Python (a programming language widely used in AI development), and that code runs directly on the Langflow server. In other words, "run a program on the server" is a built-in capability by design. The moment the front-door lock comes off, that capability becomes the takeover tool. The developers are aware of the risk; they are discussing fundamental fixes such as running user code inside hardware-isolated virtual machines.

What is happening, technically

According to vulnerability database records, CVE-2026-10561 combines a "builtins injection" in the Python execution block (PythonREPLComponent), which reaches internal functions it should not be able to touch, with an "authentication bypass" that slips past the login check. It is classified as CWE-94, "Improper Control of Generation of Code (Code Injection)."

The root cause is consistent: Langflow runs user-written Python directly in the server process with no sandbox. Endpoints exposed to the outside should always require a login, but when an authentication check is missing on some path, an attacker only needs to send crafted data to that endpoint to execute code on the server. The CVSS vector is AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H — over the network, low complexity, no privileges or user interaction, and impact that spreads beyond the component itself: every worst-case factor is present.

For reference, a separate Langflow flaw disclosed in March 2026 (CVE-2026-33017) was analyzed as a path where code sent to an unauthenticated "public flow build" endpoint reaches an unprotected exec() during graph construction. The endpoint and block differ, but the route — bypass the login, arrive at Python execution — is the same.

A second critical flaw disclosed the same day (CVE-2026-7664)

On the same June 22, 2026, IBM disclosed a second critical Langflow flaw (CVE-2026-7664, CVSS 9.8). This one is an authorization gap — the check of who is allowed to do what — on the "MCP" endpoint. MCP (Model Context Protocol) is a common standard for safely connecting AI agents to external tools and data, and Langflow supports it.

Through this flaw, an unauthenticated third party can access protected MCP project resources and execute MCP operations that should require a login. It is classified as CWE-287, "Improper Authentication." Unlike the arbitrary code execution of CVE-2026-10561 it is a different class of bug, but having a workflow's internal data and connections reachable without authentication is serious in its own right. It affects versions 1.0.0–1.8.4 and is fixed in 1.9.1 and later.

In other words, June 22 brought two critical Langflow flaws at once — one around code execution (CVE-2026-10561) and one around authentication/authorization (CVE-2026-7664). The good news: the update to 1.9.4 described below closes both at the same time.

Langflow has been targeted again and again

The frightening part is that this is not the first time. Critical RCE flaws in Langflow have surfaced repeatedly over the past year or so, and several were exploited in the wild shortly after disclosure. In 2025, an initial unauthenticated RCE (CVE-2025-3248) made it onto CISA's KEV catalog. In March 2026, a flaw in the public-flow endpoint (CVE-2026-33017) was exploited within about 20 hours of disclosure. Around May–June 2026, CVE-2025-34291 (CVSS 9.4) was added to KEV after reported abuse by MuddyWater, with U.S. federal agencies told to remediate by June 4.

The pattern shows Langflow is not a one-time target but a recurring one that attackers go after right after disclosure. Each new flaw drew attacks within hours to a day. As of this writing we cannot confirm that CVE-2026-10561 itself has been exploited, but given that track record, the window to respond should be assumed to be short. We also track major vulnerabilities across IBM products, including Langflow, in our IBM vulnerability roundup.

Confirmed vs. still unknown

✓ Confirmed facts

✓CVE-2026-10561 is CVSS 10.0 and leads to unauthenticated RCE (NVD / IBM)
✓Affected: 1.0.0–1.9.3; fixed in 1.9.4+ (Vulnerability-Lookup)
✓A second flaw disclosed the same day — an MCP authorization gap (CVE-2026-7664, CVSS 9.8, affects 1.0.0–1.8.4, fixed in 1.9.1+). Updating to 1.9.4 covers both
✓Langflow RCEs of this kind have repeatedly been exploited and KEV-listed (The Hacker News)

? Not yet confirmed

?Whether CVE-2026-10561 itself has been exploited in the wild — not on CISA KEV at the time of writing
?Whether a public proof-of-concept is circulating — no reliable public PoC tied to this CVE was confirmed at the time of writing

What to do now

The top priority is to update Langflow to 1.9.4 or later. If you run anything from 1.0.0 to 1.9.3, treat it as affected without exception, whether it is a test or internal instance. This update also closes CVE-2026-7664 (the MCP authorization gap) disclosed the same day.

If you cannot update right away, the practical stopgap is to cut off outside access. Langflow was never designed to be exposed directly to the open internet. Keep it behind your internal network or a VPN, restrict source IP addresses, or place an authentication layer in front of it (such as a reverse proxy) — any of these closes the attack surface. If you were already running it exposed, do not rely on the update alone: revoke and reissue any stored API keys and access tokens, and check for traces of suspicious processes or traffic.

You can find whether any of your Langflow servers are exposed to the internet with asset inventory tools or network scans. Test environments multiplied by the AI rush are often left open and unmanaged, so the starting point is simply knowing where your Langflow runs and how exposed it is.

Summary

CVE-2026-10561 is a flaw in the popular AI development tool Langflow that allows a login-free takeover at the maximum severity of 10.0. It affects 1.0.0–1.9.3, and a fix is available in 1.9.4. Because Langflow is designed to run user code on the server, an authentication gap maps directly to a full takeover, and flaws of the same kind have been targeted right after disclosure before.

In AI app development, handy tools spun up quickly tend to sit exposed on the internet and get forgotten. Use this as a prompt to review updates, exposure scope, and — above all — where your instances are actually running.