CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

CVE-2026-10140

criticalCVSS 9.6covered by 1 sourcefirst seen 2026-06-30
IBM Langflow OSS 1.0.0 through 1.10.0 voice mode contains improper shared-state handling that allows reuse of API clients across tenant boundaries. An authenticated attacker can manipulate cache state to cause requests from other users to be processed using incorrect upstream API credentials, leading to cross-tenant billing and accountability misattribution.

⚡ Watch CVE-2026-10140

Get an email if CVE-2026-10140 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.

Exploitation outlook

Advisory coverage (1)

External references

NVD record for CVE-2026-10140

CVE.org record

Embed the live status

CVE-2026-10140 live status badge — this badge updates automatically when the KEV or exploit status changes. How to embed it →

[![CVE-2026-10140 status](https://www.csirts.com/badge/CVE-2026-10140)](https://www.csirts.com/cve/CVE-2026-10140)