Skip to content

Langflow CVE-2026-55255 IDOR added to CISA KEV, patch to 1.9.2

CISA added the Langflow /api/v1/responses IDOR (CVE-2026-55255, CVSS 9.9) to KEV on July 7. Sysdig first observed exploitation on June 25. Third Langflow flaw to hit KEV in seven months.

Published 4 min read

CVE-2026-55255 — an insecure-direct-object-reference (IDOR) flaw in Langflow, the open-source visual builder for AI agents and RAG pipelines — was added to the CISA Known Exploited Vulnerabilities catalog on July 7, 2026, alongside two Joomla page-builder flaws. CVSS v3.1 is 9.9 (Critical) — vector AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L. Federal civilian agencies must remediate by the KEV deadline. Vendor fix landed in Langflow 1.9.2; everything earlier is exposed.

What the bug does

The POST /api/v1/responses endpoint accepts a flow identifier supplied by the client. When the flow is resolved by UUID, the lookup queries the database with no owner check — the endpoint never verifies that the calling user owns, or is authorised to invoke, that specific flow. Any authenticated caller can execute any other user's flow by passing its UUID.

Because Langflow flows commonly wire in credentials for connected LLM providers, vector databases, cloud storage, and internal APIs, unauthorised execution cascades: the attacker inherits every secret the victim's flow can read. GitHub's advisory database classifies the defect as CWE-639, Authorization Bypass Through User-Controlled Key.

Affected versions

  • Langflow < 1.9.2

Fix landed in PR #12832, which adds an ownership check to the /api/v1/responses handler so a flow can only be executed by its owner or an explicitly authorised user. Docker images, pip install langflow, and self-hosted-but-managed deployments are all in scope — the vulnerable endpoint is on the default surface.

Exploitation status

Sysdig's Threat Research Team (TRT) reports first in-the-wild exploitation on June 25, 2026 — twelve days before CISA's KEV addition. Per Sysdig's write-up, the same operator combined CVE-2026-55255 with CVE-2026-33017, an unauthenticated RCE in Langflow's public flow-build endpoint (CVSS 9.3, disclosed March 17, 2026), against a single Langflow instance in the same week. The goal Sysdig ties to the campaign: code execution and second-stage implant delivery — loader/dropper-class payload, not smash-and-grab data theft.

No public IOCs, YARA rules, or Sigma rules have been published by Sysdig, CISA, or the Langflow project as of this writing. If detection artefacts land, we will update.

Action checklist

  1. Upgrade Langflow to 1.9.2 or later on every production and non-production instance. Pin the minimum in your dependency manifest — a next-image rebuild can silently downgrade.
  2. Pull Langflow off the public internet. Sit it behind a VPN or authenticated reverse proxy. Self-service AI tooling has no business listening on a public port; that assumption is what makes campaigns like this cheap.
  3. Rotate the credentials referenced by flows. Any LLM API key, database credential, or storage token wired into a flow on a pre-1.9.2 instance must be treated as leaked. Rotate in this order: cloud provider IAM tokens, database DSNs, third-party API keys.
  4. Audit flow execution logs back to at least June 25 (Sysdig's first-observed date). Look for executions where the calling user does not own the resolved flow — those are the primitive in action. If your build predates the audit logging Langflow added post-1.8, treat this as a strong nudge to upgrade twice.
  5. Assume CVE-2026-33017 chaining. If you are on any pre-1.9.2 build, you are also in scope for the unauth RCE. Both are patched by the same upgrade; do not stop at "we're not internet-exposed."

Context

This is the third Langflow CVE to land on the CISA (or VulnCheck) KEV catalog inside seven months. CVE-2025-34291 — a CORS-to-RCE chain — hit CISA KEV on May 21, 2026. CVE-2026-5027 — a path-traversal-to-RCE — hit VulnCheck's KEV on June 8. CVE-2026-55255 lands on CISA KEV on July 7. The through-line: Langflow's authorisation model was written for a single-tenant lab and shipped to a public-internet multi-tenant reality, and each patch closes one door without touching the presumption behind the others.

What other outlets missed

Most coverage frames CVE-2026-55255 as a "critical CVSS 9.9" story and stops there — but as Sysdig's post title argues, headline CVSS isn't a reliable predictor of what gets exploited. The Langflow pair Sysdig observed is instructive: attackers preferred an authenticated IDOR (which requires a foothold) over strictly higher-scored unauthenticated bugs elsewhere because the exposed Langflow instances already carried the trust boundary the attackers wanted to cross. If your triage skips authenticated bugs on internet-facing dev tooling, this is the case study for revising that heuristic.

Related stories