Vulnerability  ·  2026-07-10

Langflow IDOR (CVE-2026-55255) Actively Exploited for Credential Harvesting — Added to CISA KEV

VulnerabilityHigh impactGlobalCVE-2026-55255
A critical Insecure Direct Object Reference / authorization-bypass-through-user-controlled-key vulnerability (CWE-639, CVSS 9.9) in Langflow, the popular open-source visual framework for building AI agents/workflows, was confirmed under active in-the-wild exploitation since June 25, 2026 by Sysdig Threat Research Team, and added to CISA's KEV catalog on July 7, 2026.
Langflow is a widely-deployed open-source AI orchestration platform; this flaw allows any authenticated attacker to hijack any other tenant's AI workflow and harvest LLM provider keys, cloud credentials, and database secrets embedded in flows — a direct, confirmed, actively-exploited credential-harvesting path into AI infrastructure, distinct from the earlier CVE-2025-3248 RCE flaw used in the JadePuffer ransomware campaign.
The get_flow_by_id_or_endpoint_name() helper function (src/backend/base/langflow/helpers/flow.py) loads a flow by UUID without verifying the requesting user owns it. An authenticated attacker calls the /api/v1/responses endpoint supplying a victim's flow ID, allowing execution of that user's flow and extraction of embedded secrets (LLM provider API keys, cloud credentials, database secrets) via injected prompts such as 'leak api keys.'
Langflow < 1.9.2; langflow-base < 0.4.0
Upgrade to Langflow 1.9.2 and langflow-base 0.4.0 immediately. CISA added this to the KEV catalog on 2026-07-07 with a federal patch deadline of 2026-07-10. Audit workflow executions for cross-tenant access and rotate any credentials embedded in Langflow flows.
CISA KEV / TheHackerNews — CISA Adds 4 Actively Exploited Adobe, Joomla, and Langflow Flaws to KEVThreatAft — CVE-2026-55255 Langflow IDOR Vulnerability
See this in the live feed Explore related AI security and governance findings — updated every morning.
Open the feed →