SYS::ONLINE
Wasteland.
Briefs1238
Issues19
SinceFeb 2026
LIVE
⚡ Active KEV CVE-2026-13446 2026-07-17

IBM Langflow OSS Ships Hard-Coded Credentials in CVE-2026-13446

"IBM has disclosed a critical (CVSS 9.8) hard-coded credentials flaw in Langflow OSS that lets unauthenticated network attackers fully compromise affected deployments."

IBM has disclosed a critical (CVSS 9.8) hard-coded credentials flaw in Langflow OSS that lets unauthenticated network attackers fully compromise affected deployments.

What Is It

CVE-2026-13446 is a hard-coded credentials vulnerability (CWE-798) in IBM Langflow OSS versions 1.0.0 through 1.10.1. The software contains an embedded secret, such as a password or cryptographic key, that it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data. Because the credential is baked into the software, anyone who knows or recovers it can present it as valid.

Why It Matters

The flaw carries a CVSS 3.1 base score of 9.8 (CRITICAL), with the vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. That combination is about as severe as it gets: the attack is remotely exploitable over the network, requires low complexity, needs no privileges, and requires no user interaction. Successful exploitation yields high impact to confidentiality, integrity, and availability; meaning an attacker can read protected data, tamper with it, and disrupt the service. Hard-coded secrets are also identical across every install, so a single recovered credential can generalize across deployments.

What's Vulnerable

Patch Status

IBM's Product Security Incident Response Team (PSIRT) is the disclosing source and has published a support advisory for this issue. Administrators running any Langflow OSS release from 1.0.0 through 1.10.1 should consult the IBM advisory below for remediation guidance and update accordingly.

Note: This CVE is not listed in the supplied CISA KEV data, so there is no confirmation of active exploitation from that source at this time.

Sources