IBM has disclosed a critical (CVSS 9.8) hard-coded credentials flaw in Langflow OSS that lets unauthenticated network attackers fully compromise affected deployments.
What Is It
CVE-2026-13446 is a hard-coded credentials vulnerability (CWE-798) in IBM Langflow OSS versions 1.0.0 through 1.10.1. The software contains an embedded secret, such as a password or cryptographic key, that it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data. Because the credential is baked into the software, anyone who knows or recovers it can present it as valid.
Why It Matters
The flaw carries a CVSS 3.1 base score of 9.8 (CRITICAL), with the vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. That combination is about as severe as it gets: the attack is remotely exploitable over the network, requires low complexity, needs no privileges, and requires no user interaction. Successful exploitation yields high impact to confidentiality, integrity, and availability; meaning an attacker can read protected data, tamper with it, and disrupt the service. Hard-coded secrets are also identical across every install, so a single recovered credential can generalize across deployments.
What's Vulnerable
- Product: IBM Langflow OSS
- Affected versions: 1.0.0 through 1.10.1 (semver, all releases in that range)
- Weakness: CWE-798 (Use of Hard-coded Credentials)
Patch Status
IBM's Product Security Incident Response Team (PSIRT) is the disclosing source and has published a support advisory for this issue. Administrators running any Langflow OSS release from 1.0.0 through 1.10.1 should consult the IBM advisory below for remediation guidance and update accordingly.
Note: This CVE is not listed in the supplied CISA KEV data, so there is no confirmation of active exploitation from that source at this time.
Sources
- IBM Support Advisory; https://www.ibm.com/support/pages/node/7279991
- NVD, CVE-2026-13446, https://nvd.nist.gov/vuln/detail/CVE-2026-13446