What happened
A critical Insecure Direct Object Reference / authorization-bypass-through-user-controlled-key vulnerability (CWE-639, CVSS 9.9) in Langflow, the popular open-source visual framework for building AI agents/workflows, was confirmed under active in-the-wild exploitation since June 25, 2026 by Sysdig Threat Research Team, and added to CISA's KEV catalog on July 7, 2026.
Why it matters
Langflow is a widely-deployed open-source AI orchestration platform; this flaw allows any authenticated attacker to hijack any other tenant's AI workflow and harvest LLM provider keys, cloud credentials, and database secrets embedded in flows — a direct, confirmed, actively-exploited credential-harvesting path into AI infrastructure, distinct from the earlier CVE-2025-3248 RCE flaw used in the JadePuffer ransomware campaign.
Attack vector
The get_flow_by_id_or_endpoint_name() helper function (src/backend/base/langflow/helpers/flow.py) loads a flow by UUID without verifying the requesting user owns it. An authenticated attacker calls the /api/v1/responses endpoint supplying a victim's flow ID, allowing execution of that user's flow and extraction of embedded secrets (LLM provider API keys, cloud credentials, database secrets) via injected prompts such as 'leak api keys.'
Affected systems
Langflow < 1.9.2; langflow-base < 0.4.0
Mitigation
Upgrade to Langflow 1.9.2 and langflow-base 0.4.0 immediately. CISA added this to the KEV catalog on 2026-07-07 with a federal patch deadline of 2026-07-10. Audit workflow executions for cross-tenant access and rotate any credentials embedded in Langflow flows.