Insecure Direct Object Reference in Langflow Tool by Langflow AI
CVE-2026-55255
Key Information:
- Vendor
Langflow-ai
- Status
- Vendor
- CVE Published:
- 23 June 2026
Badges
What is CVE-2026-55255?
The Langflow tool, designed for developing and managing AI-driven agents and workflows, suffers from an Insecure Direct Object Reference (IDOR) vulnerability in its /api/v1/responses endpoint. This flaw allows authenticated attackers to gain unauthorized access to another user's workflows by manipulating the flow ID in their requests, compromising the integrity and security of user data. The issue has been addressed in version 1.9.2, emphasizing the need for users to update promptly to safeguard their applications.
CISA has reported CVE-2026-55255
CISA provides regional cyber and physical services to support security and resilience across the United States. CISA monitor the most dangerious vulnerabilities and have identifed CVE-2026-55255 as being exploited but is not known by the CISA to be used in ransomware campaigns. This is subject to change at pace as recent news articles suggest the vulnerability is being used by ransomware groups.
The CISA's recommendation is: Apply mitigations in accordance with vendor instructions, ensuring compliance with CISA’s BOD 26-04 Prioritizing Security Updates Based on Risk (see URL in Notes) guidance and CISA’s “Forensics Triage Requirements” (see URL in Notes). Follow applicable BOD 26-04 guidance for cloud services or discontinue use of the product if mitigations are unavailable. Stakeholders are responsible for evaluating each asset's internet exposure and ensuring adherence to BOD 26-04 patching guidelines.
Affected Version(s)
langflow < 1.9.1
News Articles
Week in review: Accenture data breach, great open-source cybersecurity tools - Help Net Security
Here’s an overview of some of last week’s most interesting news, articles, interviews and videos: Securing the inbox: Where identity, brand and security
2 days ago
CISA orders feds to prioritize patching Langflow auth bypass flaw
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) gave federal agencies until Friday to patch an actively exploited vulnerability in the Langflow visual framework for building AI agents.
6 days ago
References
CVSS V3.1
Timeline
- đź’°
Used in Ransomware
- đź“°
First article discovered by BleepingComputer
- 👾
Exploit known to exist
- 🦅
CISA Reported
Vulnerability published
Vulnerability Reserved
