Back to blog
IA & LLMCVELangflowAI agents

Langflow CVE-2026-55255: an auth bypass on AI agent workflows, now in the CISA KEV

Published on 2026-07-086 min readCleanIssue

> In short: CVE-2026-55255 is an IDOR (Insecure Direct Object Reference) flaw (CVSS 9.8) in Langflow, the open-source visual framework for building AI agents. An authenticated attacker can access other users' flows by sending a crafted request to /api/v1/responses with the victim's UUID. Actively exploited since June 25, 2026. CISA added it to its KEV catalog on July 7 with a one-week remediation deadline.

Why this matters to you

Langflow has become a default building block for teams shipping AI features: a drag-and-drop interface to wire LLMs, tools, and data sources into executable pipelines, plus a REST API to run them. If your product added an "AI assistant", a RAG chatbot, or an agent feature in the last 18 months, there's a real chance Langflow (or a similar framework) sits under it.

That makes AI orchestration layers a new high-value target — and CVE-2026-55255 is a textbook example of why.

The flaw in two sentences

It's an IDOR. The /api/v1/responses endpoint takes a flow identifier (flow_id, a UUID) and runs the corresponding flow — but it doesn't check that the caller owns or is authorized to access that flow. Send a request with someone else's UUID and you get their flow's data, the sensitive content it processes, and you consume their resources.

An IDOR is the most common authorization flaw in APIsOWASP API1:2023 (BOLA). It is not an AI-specific bug. What makes it acute here is *what* Langflow flows contain: prompts, retrieved documents, connected data sources, model credentials, and often the LLM API keys the flow runs against.

What the attackers actually wanted

Sysdig's Threat Research Team, who observed the exploitation from June 25, was clear about motive: "code execution and second-stage implant delivery (loader/dropper class)." Their read: the attacker is opportunistic and financially motivated, and the two reliable yields of a compromised AI host are compute (the box joins a botnet or runs an implant) and credentials (LLM and cloud keys). Cheap, repeatable, low-sophistication tooling.

That matches the broader pattern: exposed AI infrastructure is being harvested for the value of the API keys it holds. A single leaked OpenAI or Anthropic key is worth real money on resale markets, and a Langflow instance is a concentrated stash of them.

This is not Langflow's first rodeo

Langflow has now had four CISA-flagged flaws in roughly a year:

  • CVE-2025-3248 (missing authentication, May 2025) — used by the JadePuffer ransomware operation to dump the PostgreSQL database.
  • CVE-2026-33017 (code injection, March 2026).
  • CVE-2026-5027 (path traversal, June 2026) — writing arbitrary files on exposed servers.
  • CVE-2026-55255 (this IDOR, July 2026).
  • The pattern tells you something: AI orchestration frameworks are being targeted continuously, and they ship fast on features and slower on security. If you embed one, treat it as internet-exposed infrastructure that needs its own patching SLA, network isolation, and credential hygiene.

    What to do

  • Patch immediately — CISA's one-week deadline for federal agencies is the right benchmark for any internet-exposed Langflow instance.
  • Stop exposing Langflow directly to the internet. Put it behind an authenticating gateway, restrict the API to your application's backend, and never expose /api/v1/responses to end users without an authorization layer in front of it.
  • Scope every flow's access. The framework makes it easy to give a flow an API key or a database connection — apply least privilege per flow, rotate the keys, and assume any of them can be exfiltrated through an IDOR like this one.
  • Add object-level authorization checks if you build on top of Langflow: every endpoint that takes an object identifier must verify the caller owns it. This is OWASP API1, and it is the single most common thing missing in AI feature APIs we audit.
  • Hunt for compromise if your instance was exposed: unknown flows, modified prompts, outbound traffic to unfamiliar endpoints, anomalous LLM API spend.
  • For an AI-feature team, the lesson is that the AI surface inherits every classic web vulnerability — IDOR, auth bypass, path traversal, RCE — and then adds new ones on top. The framework being "AI" does not change the basics; it makes them more expensive when they fire.

    Building HR, payroll, or recruiting software? CleanIssue performs security audits for HR SaaS in real-world conditions, no source code access needed. For a first read of your exposure, start with an external review of your application.

    Need an external review of your HR SaaS?

    Share your product, stack, and client context. We will come back with the right review scope.

    Discuss your audit