IBM Langflow OSS has two critical vulnerabilities (CVE-2026-10561 and CVE-2026-7664) that allow unauthenticated remote code execution and authorization bypass, with a maximum CVSS score of 10.0. These flaws arise from missing trust boundaries and risky default configurations, exposing instances to potential attacks. No confirmed exploitation exists yet, but rapid patching is urged due to the platform's history of fast exploitation. Users are advised to upgrade to version 1.9.4 and to disable auto-login as an interim security measure.
Critical IBM Langflow flaws let attackers run code remotely
Article by CyberSIXT