CVE-2026-13446
IBM · Langflow OSS
IBM Langflow OSS versions 1.0.0 through 1.10.1 contain hard-coded credentials used for authentication and internal communication, which could be exploited by remote attackers.
Executive summary
IBM Langflow OSS contains hard-coded credentials, exposing the system to total compromise by unauthenticated remote attackers.
Vulnerability
This vulnerability involves the use of hard-coded credentials (CWE-798) for inbound authentication and outbound communication. The vulnerability is accessible to unauthenticated attackers over the network.
Business impact
A CVSS score of 9.8 indicates a critical risk, as hard-coded credentials provide an easy path for unauthorized access and administrative control over the application. Successful exploitation could result in full system compromise, data exfiltration, and the manipulation of underlying data structures or connected external components.
Remediation
Immediate Action: Update IBM Langflow OSS to version 1.10.2 to remove the hard-coded credentials and implement secure authentication practices.
Proactive Monitoring: Review audit logs for unauthorized access attempts or unusual authentication activity that may indicate an attacker is leveraging these known credentials.
Compensating Controls: Restrict access to the Langflow OSS instance via network-level controls such as VPNs or IP whitelisting to limit the exposure of the management interface.
Exploitation status
Public Exploit Available: Unknown
Analyst recommendation
The severity of this vulnerability cannot be overstated, as hard-coded credentials provide a direct bypass of authentication mechanisms. Organizations must apply the 1.10.2 update immediately to ensure the security of their Langflow deployment.