Security Bulletin: Cross-Tenant API Key Reuse and Billing Fraud in Langflow Voice Mode Subsystem

Summary

The voice mode subsystem (src/backend/base/langflow/api/v1/voice_mode.py) contains two critical vulnerabilities that enable cross-tenant API key reuse and billing fraud. The first vulnerability involves a process-global ElevenLabs client singleton that caches the first user's API key and reuses it for all subsequent tenants, causing unauthorized billing charges and TTS prompt/audio history to accumulate under the cache-winner's ElevenLabs account. The second vulnerability uses a session_id-keyed cache for OpenAI TTS clients that allows attackers to pre-position their API key and force victim traffic through their OpenAI account, resulting in billing misattribution and TOS-accountability redirection. Both vulnerabilities are exploitable by any authenticated low-privilege user without admin rights or flow ownership, require no victim interaction beyond normal voice mode usage, and leave no audit trail linking tenant requests to the actual API keys servicing them. The ElevenLabsClientManager singleton at lines 166-196 short-circuits on class-level state without re-validating user_id, while the tts_config_cache at line 510 keys only on client-controlled session_id values. Exploitation requires network access to the Langflow API (default port 7860), multiple user accounts on the instance, and at least one user with an ELEVENLABS_API_KEY variable configured. The vulnerability exists in default multi-tenant configurations and cannot be remediated without process restart. Impact includes mass billing fraud, TOS-suspension cascade against cache-winners, and structural economic failure for SaaS deployments where high-tier customers unknowingly subsidize all other tenants. Remediation requires replacing the class-level singleton with user_id-keyed dictionaries and keying tts_config_cache on (user_id, session_id) tuples with authentication validation at all cache access points.