Insecure Direct Object Reference in Langflow Tool by Langflow AI
CVE-2026-55255

8.4HIGH

Key Information:

Status
Vendor
CVE Published:
23 June 2026

Badges

💰 Ransomware👾 Exploit Exists🦅 CISA Reported📰 News Worthy

What is CVE-2026-55255?

The Langflow tool, designed for developing and managing AI-driven agents and workflows, suffers from an Insecure Direct Object Reference (IDOR) vulnerability in its /api/v1/responses endpoint. This flaw allows authenticated attackers to gain unauthorized access to another user's workflows by manipulating the flow ID in their requests, compromising the integrity and security of user data. The issue has been addressed in version 1.9.2, emphasizing the need for users to update promptly to safeguard their applications.

CISA has reported CVE-2026-55255

CISA provides regional cyber and physical services to support security and resilience across the United States. CISA monitor the most dangerious vulnerabilities and have identifed CVE-2026-55255 as being exploited but is not known by the CISA to be used in ransomware campaigns. This is subject to change at pace as recent news articles suggest the vulnerability is being used by ransomware groups.

The CISA's recommendation is: Apply mitigations in accordance with vendor instructions, ensuring compliance with CISA’s BOD 26-04 Prioritizing Security Updates Based on Risk (see URL in Notes) guidance and CISA’s “Forensics Triage Requirements” (see URL in Notes). Follow applicable BOD 26-04 guidance for cloud services or discontinue use of the product if mitigations are unavailable. Stakeholders are responsible for evaluating each asset's internet exposure and ensuring adherence to BOD 26-04 patching guidelines.

Affected Version(s)

langflow < 1.9.1

News Articles

Week in review: Accenture data breach, great open-source cybersecurity tools - Help Net Security

Here’s an overview of some of last week’s most interesting news, articles, interviews and videos: Securing the inbox: Where identity, brand and security

2 days ago

CISA orders feds to prioritize patching Langflow auth bypass flaw

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) gave federal agencies until Friday to patch an actively exploited vulnerability in the Langflow visual framework for building AI agents.

6 days ago

References

CVSS V3.1

Score:
8.4
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
Low
User Interaction:
None
Scope:
Changed

Timeline

  • đź’°

    Used in Ransomware

  • đź“°

    First article discovered by BleepingComputer

  • 👾

    Exploit known to exist

  • 🦅

    CISA Reported

  • Vulnerability published

  • Vulnerability Reserved

.