Published: 2026-07-13
Categories: Vulnerability Management
Key Takeaways
- On July 7, 2026, CISA added CVE-2026-55255, a critical authorization-bypass flaw in the open-source AI agent platform Langflow, to its Known Exploited Vulnerabilities (KEV) catalog — Langflow’s third KEV entry in just over three months, and a marker of how central AI agent orchestration platforms have become to the catalog’s newest additions [1].
- The addition triggered a three-calendar-day remediation deadline of July 10, 2026, for Federal Civilian Executive Branch (FCEB) agencies under Binding Operational Directive 26-04, CISA’s new risk-based patching framework issued a month earlier [2][3].
- CVE-2026-55255 carries a CVSS score of 9.9 and allows any authenticated Langflow user to execute another user’s AI workflows — and any credentials or tool integrations embedded in them — by supplying that user’s flow identifier to an unguarded API endpoint [4][5].
- This is Langflow’s third appearance in the KEV catalog since March 2026: an unauthenticated remote-code-execution flaw (CVE-2026-33017) whose vendor-issued patch was itself found to be incomplete, followed two months later by an origin-validation flaw (CVE-2025-34291) that the Iranian state-sponsored group MuddyWater weaponized for initial access [6][7][21][22]. The pattern illustrates why BOD 26-04 treats internet-facing AI infrastructure as a distinct, recurring risk category rather than a one-off incident.
- The episode functions as a live test of BOD 26-04’s four-variable risk matrix: it suggests the framework is capable of correctly routing an AI-platform vulnerability into its most urgent tier, but it also exposes how quickly a single software category can generate repeat, compounding exposure for agencies that have not inventoried where AI agent frameworks run.
Background
BOD 26-04, issued by CISA on June 10, 2026, replaced the calendar-based, CVSS-anchored patching rules that had governed federal vulnerability management for years with a four-variable risk matrix: whether an asset is publicly exposed, whether the vulnerability is listed in the KEV catalog, whether exploitation can be automated, and whether successful exploitation grants an attacker full technical control of the system [2][8]. CISA built the matrix around the Stakeholder-Specific Vulnerability Categorization (SSVC) methodology, mapping the sixteen possible combinations of those four variables onto five remediation timelines ranging from three days, for the narrow set of vulnerabilities that are internet-exposed, automatable, and grant total control, down to deferral until an asset’s next scheduled system upgrade for vulnerabilities that meet none of the criteria [9][10]. The directive’s stated rationale is explicit about the role AI now plays on both sides of the patching race: CSA’s own prior analysis has documented that the gap between a vulnerability’s public disclosure and its weaponized exploitation has compressed from months to hours, attributing the shift in part to AI systems that can generate working exploit code within minutes of an advisory’s publication [11][12]. Two earlier CSA research notes examined BOD 26-04’s mechanics in detail and traced its first real-world application to an unrelated Ivanti Sentry command-injection flaw; neither addressed how the directive would handle a vulnerability in AI infrastructure itself, which is the gap this note fills [11][12].
That gap closed within a month of the directive’s issuance. On July 7, 2026, CISA published an alert adding three vulnerabilities to the KEV catalog based on evidence of active exploitation: flaws in the JoomShaper and Joomlack WordPress page-builder plugins, and CVE-2026-55255, an authorization-bypass vulnerability in Langflow, an open-source, low-code platform for building and deploying AI agents and retrieval-augmented generation workflows that has accumulated more than 100,000 GitHub stars and was acquired by DataStax in 2024 [1][13][14]. Because CVE-2026-55255 met BOD 26-04’s criteria for public exposure, automatable exploitation, and full technical impact, it landed squarely in the directive’s three-day tier, giving FCEB agencies until July 10, 2026, to remediate it — a deadline CISA paired with its now-standard warning that “this type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise” [1][4]. The Langflow addition is therefore both one entry in a routine weekly KEV update and, to date, the first concrete instance of BOD 26-04’s risk matrix being applied to an AI development platform rather than to conventional enterprise software.
Security Analysis
CVE-2026-55255 is an insecure direct object reference (IDOR) vulnerability, tracked under CWE-639, that resides in Langflow’s /api/v1/responses endpoint. The endpoint accepts a flow identifier supplied by the calling client but, prior to version 1.9.2, never verified that the requesting user actually owned or was authorized to invoke that specific flow [4][5]. Because Langflow flows routinely embed API keys for large language model providers, cloud credentials, and connections to downstream systems, an authenticated attacker who obtained another user’s flow identifier could execute that flow outright and harvest whatever secrets or access it carried [5][16]. Sysdig’s threat research team, which first observed exploitation in the wild on June 25, 2026, described attackers enumerating flow identifiers through the platform’s own listing endpoint and then replaying those identifiers against the vulnerable endpoint with prompts engineered to leak embedded API keys — a technique that produced working credential theft within roughly twenty seconds of reconnaissance and left few traces distinguishable from legitimate API activity [16]. That stealth helps explain why exploitation began nearly two weeks before the KEV listing: the activity resembled ordinary platform usage closely enough to evade casual detection, in contrast to the noisier, internet-sprayable exploitation pattern of Langflow’s earlier flaw.
That earlier flaw, CVE-2026-33017, disclosed on March 17, 2026, was an unauthenticated remote-code-execution vulnerability in the /api/v1/build_public_tmp/{flow_id}/flow endpoint that allowed arbitrary Python code embedded in a flow definition to run on the server without sandboxing [6][17]. It was weaponized within twenty hours of disclosure, before any public proof-of-concept existed, against an estimated 7,000 internet-exposed Langflow servers, with attackers deploying a Monero cryptomining payload that also disabled host security controls and wiped logs [18]. Independent testing by JFrog subsequently found that version 1.8.2, which vendor guidance had described as remediated, remained fully exploitable because the security fix referenced in the advisory was never actually present in that release’s code; only version 1.9.0 closed the flaw [7].
Between those two incidents, Langflow accumulated a second KEV-catalog entry that CISA added on May 21, 2026, with a June 4, 2026 federal remediation deadline: CVE-2025-34291, an origin-validation flaw with a CVSS score of 9.4 [21]. The vulnerability chained three weaknesses that were individually unremarkable but jointly severe — an overly permissive CORS configuration (allow_origins='*' paired with allow_credentials=True), the absence of CSRF protection on a refresh-token cookie set to SameSite=None, and a code-execution endpoint that functioned exactly as designed — so that a victim who merely visited an attacker-controlled webpage while authenticated to Langflow could have a fresh access-and-refresh-token pair stolen and used to reach the same code-execution functionality and embedded credentials at risk in the platform’s other two incidents [21][22]. CISA and independent researchers attributed active exploitation to MuddyWater, an Iranian state-sponsored group that used the flaw for initial access into government, telecommunications, and energy-sector networks across the Middle East, Central Asia, and North Africa [21][22]. CSA’s AI Safety Initiative published a research note on this incident at the time, examining Langflow’s orchestration layer as the kind of high-risk integration point that the MAESTRO framework identifies for aggregating credentials and executing model-generated instructions [23].
Read together, the three incidents show the same platform shipping three critical, internet-exploitable vulnerabilities in roughly four months — one incompletely patched on the first attempt, one weaponized by a nation-state actor for initial access, and one that let any authenticated user hijack another user’s workflows — and that cadence is what elevates Langflow from an isolated CVE to a recurring risk category. For an agency asset inventory, that cadence arguably matters more than any single CVE in isolation: a risk-based framework that scores each vulnerability independently can still under-weight a platform that has now demonstrated a pattern of rapid, repeat exploitability.
BOD 26-04’s shift away from CVSS as the primary sorting variable is directly relevant here. CSA’s prior research has documented structural weaknesses in CVSS and CVE data as prioritization tools, including inconsistent scoring across vendors and databases and a persistent lag between disclosure and authoritative severity assignment [19]. CVE-2026-55255’s 9.9 CVSS score and CVE-2026-33017’s 9.8 score both happen to be high, so in this instance CVSS and BOD 26-04’s KEV-plus-exposure logic point to the same urgency. But arguably, the more informative signal here was not the numeric score; it was exposure (Langflow instances are routinely deployed with public endpoints for agent orchestration), automatability (both flaws required only a single crafted HTTP request), and technical impact (both granted access to the credentials and workflows that make an AI agent platform valuable in the first place). That is precisely the reasoning BOD 26-04’s matrix is designed to formalize, and this episode is early evidence that the formalization works as intended for AI infrastructure, not just for traditional enterprise software.
Recommendations
Immediate Actions
Organizations running Langflow, whether self-hosted or through DataStax’s managed offering, should confirm they are on version 1.9.2 or later and treat any instance still on an earlier release as presumptively compromised pending log review, given that exploitation of CVE-2026-55255 began June 25, exploitation of CVE-2026-33017 began within hours of its March disclosure, and CVE-2025-34291 was already being actively exploited by a nation-state actor when CISA added it to the KEV catalog in May [4][6][21]. Federal agencies subject to BOD 26-04 should verify that Langflow assets are correctly tagged as publicly exposed where applicable, since the directive’s three-day deadline and mandatory forensic-triage requirement apply only when that exposure variable is recorded accurately [3][9]. Any organization that cannot rule out prior exploitation should rotate all credentials — LLM provider keys, cloud service credentials, and database connection strings — that were reachable from affected Langflow flows, mirroring the credential-harvesting objective observed across all three incidents [5][18][22].
Short-Term Mitigations
Security teams should extend asset discovery processes to explicitly capture AI agent and workflow orchestration platforms. These tools are often adopted directly by data science or engineering teams, which can place them outside standard software procurement and conventional vulnerability scanning scope. Network segmentation and authentication in front of AI agent platforms — rather than relying on the platform’s own authorization logic — would likely have blunted all three Langflow incidents, since CVE-2026-55255 specifically defeated an authorization check that existed but was implemented incorrectly. Agencies and enterprises alike should also treat vendor patch announcements for AI infrastructure with the same verification discipline recommended for CVE-2026-33017’s incomplete fix: confirming through independent testing or changelog review that a released version actually contains the described remediation before closing out a finding [7].
Strategic Considerations
BOD 26-04’s five-tier matrix gives agencies a defensible way to triage the growing volume of vulnerabilities in AI development platforms without defaulting to CVSS scores that CSA has previously shown to be an unreliable proxy for actual risk [9][19]. But the Langflow pattern — three KEV-catalog appearances in roughly four months, including one incompletely patched fix and one nation-state initial-access campaign — suggests that per-vulnerability risk scoring should be paired with platform-level risk tracking. Langflow’s repeat appearances indicate that, at least in this case, platform-level history would have been a useful early-warning signal: an asset that has already appeared in the KEV catalog once may carry elevated likelihood of appearing again, though confirming that pattern as a general rule across other platforms is a hypothesis for further study rather than an established practice recommendation. As AI agent frameworks proliferate across both public and private sector environments, this is likely to be the first of many cases where a risk-based directive built around traditional IT assets is tested against the faster release cadence, broader attack surface, and higher-value credential exposure characteristic of AI infrastructure.
CSA Resource Alignment
This note builds directly on three prior CSA AI Safety Initiative research notes: “CISA BOD 26-04: AI Threat Forces 3-Day Critical Patch Mandate,” which detailed the directive’s four-variable risk matrix and its first application to a non-AI vulnerability; “CVE-2026-33017: Langflow RCE Exploits Enterprise AI Pipelines,” which documented Langflow’s first KEV-catalog appearance and its incomplete initial patch; and “Langflow CVE-2025-34291: RCE in AI Workflow Platforms,” which examined the platform’s second KEV-catalog appearance and MuddyWater’s exploitation of it for initial access. This note extends all three by examining the directive’s application to the same platform’s third appearance and the pattern that recurrence establishes. CSA’s “The ‘AI Vulnerability Storm’: Building a ‘Mythos-ready’ Security Program” provides the broader strategic context for why AI-accelerated vulnerability discovery and exploitation now compresses patching timelines across the industry, not only within the federal government. CSA’s “Top Concerns With Vulnerability Data” underpins this note’s analysis of why BOD 26-04’s move away from CVSS as a primary sorting variable is a defensible response to well-documented weaknesses in CVE and CVSS data quality. Organizations formalizing controls for AI agent platform vulnerability management should also map these practices to the AI Controls Matrix (AICM) v1.1’s Threat and Vulnerability Management and Application and Interface Security domains, which establish baseline expectations for identifying, tracking, and remediating vulnerabilities in AI systems and the infrastructure that supports them [20].
References
[1] CISA. “CISA Adds Three Known Exploited Vulnerabilities to Catalog.” Cybersecurity and Infrastructure Security Agency, July 7, 2026.
[2] CISA. “BOD 26-04: Prioritizing Security Updates Based on Risk.” Cybersecurity and Infrastructure Security Agency, June 10, 2026.
[3] CISA. “BOD 26-04: Implementation Guidance for Prioritizing Security Updates Based on Risk.” Cybersecurity and Infrastructure Security Agency, 2026.
[4] BleepingComputer. “CISA Orders Feds to Prioritize Patching Langflow Auth Bypass Flaw.” BleepingComputer, July 2026.
[5] SentinelOne. “CVE-2026-55255: Langflow Authentication Bypass Vulnerability.” SentinelOne Vulnerability Database, 2026.
[6] Sysdig. “CVE-2026-33017: How Attackers Compromised Langflow AI Pipelines in 20 Hours.” Sysdig, 2026.
[7] JFrog Security Research. “Langflow CVE-2026-33017: Latest ‘Fixed’ Version Is Still Exploitable.” JFrog, 2026.
[8] DarkReading. “CISA Rewrites Federal Patching Requirements for AI Threat Era.” DarkReading, 2026.
[9] Nucleus Security. “Get to Know CISA BOD 26-04: Risk-Based Security Update Prioritization.” Nucleus Security, 2026.
[10] Tenable. “What Is CISA BOD 26-04: Impact on Vulnerability Remediation.” Tenable, 2026.
[11] Cloud Security Alliance. “CISA BOD 26-04: AI Threat Forces 3-Day Critical Patch Mandate.” CSA AI Safety Initiative, 2026.
[12] Cloud Security Alliance. “From Executive Order to Enforcement: BOD 26-04’s Patch Signal.” CSA AI Safety Initiative, July 7, 2026.
[13] Langflow. “Langflow: Low-Code AI Builder for Agentic and RAG Applications.” Langflow, 2026.
[14] TechCrunch. “DataStax Acquires Logspace, the Startup Behind the Langflow Low-Code Tool for Building RAG-Based Chatbots.” TechCrunch, April 4, 2024.
[15] Qualys ThreatPROTECT. “CISA Warns About Langflow Authorization Bypass Vulnerability Exploitation (CVE-2026-55255).” Qualys, July 10, 2026.
[16] Sysdig. “Understanding Langflow CVE-2026-55255, and Why Higher CVSS Vulnerabilities Aren’t Always the Most Exploited.” Sysdig, 2026.
[17] NVD. “CVE-2026-33017 Detail.” National Vulnerability Database, 2026.
[18] Trend Micro. “From Langflow to Monero: Inside CVE-2026-33017 Cryptominer.” Trend Micro Research, 2026.
[19] Cloud Security Alliance. “Top Concerns With Vulnerability Data.” Cloud Security Alliance, 2025.
[20] Cloud Security Alliance. “AI Controls Matrix (AICM) v1.1.” Cloud Security Alliance, 2026.
[21] The Hacker News. “CISA Adds Exploited Langflow and Trend Micro Apex One Vulnerabilities to KEV.” The Hacker News, May 2026.
[22] Obsidian Security. “CVE-2025-34291: Critical Account Takeover and RCE Vulnerability in the Langflow AI Agent & Workflow Platform.” Obsidian Security, 2026.
[23] Cloud Security Alliance. “Langflow CVE-2025-34291: RCE in AI Workflow Platforms.” CSA AI Safety Initiative, May 22, 2026.