IBM security researchers identified six critical vulnerabilities in Langflow OSS, allowing unauthorized code execution, data theft, and service disruption. These vulnerabilities include CVE-2026-10134, which permits unauthenticated remote code execution, CVE-2026-7803 allowing bypass of flow validations, and CVE-2026-7871 tied to insecure deserialization in the Redis cache, among others.
They pose significant risk to businesses, particularly in AI development, because a breach could affect multi-tenant environments. Although no active exploitation has been confirmed, the widespread use of Langflow raises concern. Administrators are advised to upgrade to version 1.10.1 or 1.10.0 to mitigate these vulnerabilities.
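The insecure-deserialization issue mentioned above is a class of bug that shows up whenever a cache layer reconstructs arbitrary objects from bytes it did not necessarily write. The following is an added example, not Langflow's code and not a description of the actual flaw: it shows a cache wrapper that serializes values as JSON and protects each entry with an HMAC, so a read never executes code and an entry that was written or altered by anyone without the key is rejected before it is parsed. `CacheStore` is a constructed in-memory stand-in for a Redis client, `SignedJsonCache` and `find_pickle_entries` are names chosen for this illustration, and the key and sample values are constructed.

```python
"""Hardened cache serialization: JSON plus HMAC instead of object pickling.

Constructed example (not Langflow's code). CacheStore stands in for a Redis
client with get/set/keys; a real deployment would use redis-py with the same
bytes-in/bytes-out contract.
"""
import hashlib
import hmac
import json
from typing import Any, Dict, List, Optional

TAG_LEN = hashlib.sha256().digest_size  # 32 bytes


class CacheStore:
    """Minimal in-memory stand-in for a Redis client (constructed)."""

    def __init__(self) -> None:
        self._data: Dict[str, bytes] = {}

    def set(self, key: str, value: bytes) -> None:
        self._data[key] = value

    def get(self, key: str) -> Optional[bytes]:
        return self._data.get(key)

    def keys(self) -> List[str]:
        return list(self._data)


class SignedJsonCache:
    """Cache wrapper that never executes code on read.

    Values are JSON-encoded (no arbitrary object reconstruction) and tagged
    with an HMAC-SHA256 over the payload, so an entry that was not produced
    with the key fails the integrity check and is never parsed.
    """

    def __init__(self, store: CacheStore, key: bytes) -> None:
        self._store = store
        self._key = key  # constructed; keep a real key in a secret manager

    def _tag(self, payload: bytes) -> bytes:
        return hmac.new(self._key, payload, hashlib.sha256).digest()

    def set(self, key: str, value: Any) -> None:
        payload = json.dumps(value, separators=(",", ":")).encode()
        self._store.set(key, self._tag(payload) + payload)

    def get(self, key: str) -> Any:
        blob = self._store.get(key)
        if blob is None or len(blob) < TAG_LEN:
            return None
        tag, payload = blob[:TAG_LEN], blob[TAG_LEN:]
        # Constant-time comparison; reject before any parsing happens.
        if not hmac.compare_digest(tag, self._tag(payload)):
            raise ValueError(f"cache entry {key!r} failed integrity check")
        return json.loads(payload)


def find_pickle_entries(store: CacheStore) -> List[str]:
    """Audit helper: list keys whose value looks like a pickle stream.

    Heuristic: pickle protocols 2-5 begin with 0x80 followed by the protocol
    number. Useful when migrating a cache that previously stored pickled
    objects, so leftover entries can be purged rather than ever loaded.
    """
    flagged = []
    for key in store.keys():
        blob = store.get(key) or b""
        if len(blob) >= 2 and blob[0] == 0x80 and 2 <= blob[1] <= 5:
            flagged.append(key)
    return flagged


if __name__ == "__main__":
    store = CacheStore()
    cache = SignedJsonCache(store, b"constructed-demo-key")
    cache.set("flow:1", {"nodes": [1, 2]})
    print(cache.get("flow:1"))  # {'nodes': [1, 2]}
    # An entry written directly to the store without the key is rejected.
    store.set("flow:2", b"\x00" * TAG_LEN + b'{"nodes":[]}')
    try:
        cache.get("flow:2")
    except ValueError as exc:
        print("rejected:", exc)
    # A leftover pickled value (constructed header only) is flagged for purge.
    store.set("legacy:1", b"\x80\x04" + b"constructed-legacy-bytes")
    print("pickle-like entries:", find_pickle_entries(store))
```

The design point is that the cache becomes a dumb byte store: integrity comes from a key the cache backend never holds, and the only parser that runs on a read is a JSON decoder, which cannot instantiate application classes. Running `find_pickle_entries` against an existing cache before switching formats gives a simple, low-risk check that no legacy object blobs remain to be loaded by older code.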