Langflow CVE-2026-55255: an auth bypass on AI agent workflows, now in the CISA KEV
> In short: CVE-2026-55255 is an IDOR (Insecure Direct Object Reference) flaw (CVSS 9.8) in Langflow, the open-source visual framework for building AI agents. An authenticated attacker can access other users' flows by sending a crafted request to /api/v1/responses with the victim's UUID. Actively exploited since June 25, 2026. CISA added it to its KEV catalog on July 7 with a one-week remediation deadline.
Why this matters to you
Langflow has become a default building block for teams shipping AI features: a drag-and-drop interface to wire LLMs, tools, and data sources into executable pipelines, plus a REST API to run them. If your product added an "AI assistant", a RAG chatbot, or an agent feature in the last 18 months, there's a real chance Langflow (or a similar framework) sits under it.
That makes AI orchestration layers a new high-value target — and CVE-2026-55255 is a textbook example of why.
The flaw in two sentences
It's an IDOR. The /api/v1/responses endpoint takes a flow identifier (flow_id, a UUID) and runs the corresponding flow — but it doesn't check that the caller owns or is authorized to access that flow. Send a request with someone else's UUID and you get their flow's data, the sensitive content it processes, and you consume their resources.
An IDOR is the most common authorization flaw in APIs — OWASP API1:2023 (BOLA). It is not an AI-specific bug. What makes it acute here is *what* Langflow flows contain: prompts, retrieved documents, connected data sources, model credentials, and often the LLM API keys the flow runs against.
What the attackers actually wanted
Sysdig's Threat Research Team, who observed the exploitation from June 25, was clear about motive: "code execution and second-stage implant delivery (loader/dropper class)." Their read: the attacker is opportunistic and financially motivated, and the two reliable yields of a compromised AI host are compute (the box joins a botnet or runs an implant) and credentials (LLM and cloud keys). Cheap, repeatable, low-sophistication tooling.
That matches the broader pattern: exposed AI infrastructure is being harvested for the value of the API keys it holds. A single leaked OpenAI or Anthropic key is worth real money on resale markets, and a Langflow instance is a concentrated stash of them.
This is not Langflow's first rodeo
Langflow has now had four CISA-flagged flaws in roughly a year:
The pattern tells you something: AI orchestration frameworks are being targeted continuously, and they ship fast on features and slower on security. If you embed one, treat it as internet-exposed infrastructure that needs its own patching SLA, network isolation, and credential hygiene.
What to do
/api/v1/responses to end users without an authorization layer in front of it.For an AI-feature team, the lesson is that the AI surface inherits every classic web vulnerability — IDOR, auth bypass, path traversal, RCE — and then adds new ones on top. The framework being "AI" does not change the basics; it makes them more expensive when they fire.
Building HR, payroll, or recruiting software? CleanIssue performs security audits for HR SaaS in real-world conditions, no source code access needed. For a first read of your exposure, start with an external review of your application.
Related articles
Three adjacent analyses to keep exploring the same attack surface.
SharePoint CVE-2026-58644: a critical RCE zero-day added to the CISA KEV catalog
A deserialization flaw (CVSS 9.8) in Microsoft SharePoint Server lets an attacker authenticated as Site Owner execute arbitrary code remotely. Actively exploited as a zero-day, added to the CISA KEV catalog on July 16, 2026 with a July 19 remediation deadline.
LiteLLM CVE-2026-42271: command injection via MCP endpoints, actively exploited
A flaw in the LiteLLM proxy (CVSS 8.8) lets any API key holder execute commands on the server through the MCP test endpoints. CISA confirms active exploitation. If your SaaS has AI features, read this.
Gitea CVE-2026-20896: a one-header auth bypass shipped in the official Docker image
The official Gitea Docker image shipped `REVERSE_PROXY_TRUSTED_PROXIES=*`, so with reverse-proxy auth enabled, an unauthenticated internet client became whoever it claimed to be via the X-WEBAUTH-USER header. CVSS 9.8, actively exploited. Fix: Gitea 1.26.3 / 1.26.4.
Sources
Related services
If this topic maps to a real risk in your stack, these are the most relevant CleanIssue audits.