What happened
CISA added CVE-2026-55255, a Langflow authorization-bypass vulnerability (CWE-639, user-controlled key), to its Known Exploited Vulnerabilities catalog on July 7, 2026, confirming active exploitation. The flaw lets an authenticated attacker execute any other user's flow by supplying the victim's flow ID, exposing secrets and cloud credentials embedded in flows.
Why it matters
This is the first time an AI-agent orchestration/workflow platform has appeared in the CISA KEV catalog, confirming that Langflow deployments are being actively targeted for credential harvesting and lateral movement into connected cloud/LLM-provider accounts — a direct, operationally confirmed threat to AI development infrastructure.
Attack vector
Authenticated attacker specifies a victim's flow UUID in a request to /api/v1/responses (or similar endpoints) to execute another user's flow, harvesting embedded API keys, cloud credentials, and LLM secrets stored within that flow — an insecure direct object reference through a user-controlled key.
Affected systems
Langflow (all versions prior to patch containing the /api/v1/responses IDOR)
Mitigation
Apply Langflow vendor patch (per GHSA-qrpv-q767-xqq2); federal agencies required to remediate by 2026-07-10 per CISA BOD 26-04; rotate any credentials previously stored in exposed Langflow flows.