Langflow Authorization Bypass Added to CISA’s KEV Catalog

Authors: Cloud Security Alliance AI Safety Initiative
Published: 2026-07-12

Categories: Agentic AI Security, Vulnerability Management
Download PDF

Langflow Authorization Bypass Added to CISA’s KEV Catalog

Cloud Security Alliance AI Safety Initiative | July 2026


Key Takeaways

  • CVE-2026-55255, an insecure direct object reference (IDOR) flaw in Langflow’s /api/v1/responses endpoint, allows any authenticated user to execute another user’s AI agent workflows simply by supplying that user’s flow ID, and CISA added it to the Known Exploited Vulnerabilities (KEV) catalog on July 7, 2026 with a federal remediation deadline of July 10, 2026 [1][2].
  • Sysdig’s Threat Research Team observed a single operator chaining CVE-2026-55255 with an unauthenticated Langflow remote code execution flaw, CVE-2026-33017, against the same instance beginning June 22, 2026, using the IDOR to enumerate and hijack victim flows before injecting a “leak api keys” prompt to extract LLM provider, cloud, and database credentials [3][4].
  • Assessments of the vulnerability’s severity diverge sharply across sources: the National Vulnerability Database and GitHub’s advisory rate it 8.4 (High), while Sysdig and other threat intelligence vendors rate the same flaw 9.9 (Critical) — a gap that appears to reflect disagreement over how much weight to give its cross-tenant blast radius in a multi-tenant SaaS deployment (see “Why the CVSS Scores Disagree” below) [1][3].
  • The flaw affects all Langflow versions prior to 1.9.1; the fix, merged via pull request #12832, closes both the missing ownership check on UUID-based flow lookups and related hardening to the /api/v1/run* routes, and was fully released in version 1.9.1 [5][6].
  • Langflow is a widely deployed low-code platform for building AI agents and retrieval-augmented generation pipelines, with more than 150,000 GitHub stars [8] and ownership under DataStax since an April 2024 acquisition [7]; its popularity means an authorization defect in its execution engine could plausibly have consequences that extend well beyond a single vendor’s customer base.

Background

Langflow is an open-source, low-code visual builder for constructing AI agents and retrieval-augmented generation (RAG) applications, offering a drag-and-drop interface for assembling executable pipeline nodes alongside a REST API for programmatic execution [8]. Acquired by DataStax in April 2024 [7], the project has since grown to more than 150,000 GitHub stars [8], making it one of the most-starred agent orchestration frameworks on GitHub — a proxy for developer interest, though not a direct measure of production deployment. That scale of adoption means a defect in Langflow’s authorization model is not confined to a single deployment: any flaw that lets one tenant reach another tenant’s workflows can, in principle, be replayed across every organization running an exposed instance.

CVE-2026-55255 is that defect. Publicly disclosed on June 23, 2026 through GitHub Security Advisory GHSA-qrpv-q767-xqq2, the vulnerability is classified under CWE-639, Authorization Bypass Through User-Controlled Key [5][6]. The flaw sits in the get_flow_by_id_or_endpoint_name helper function in src/backend/base/langflow/helpers/flow.py, which resolves an incoming flow execution request either by a human-readable endpoint name or by the flow’s UUID. When a request supplies an endpoint name, Langflow correctly checks that the requesting user owns or has been granted execution rights to that flow. When a request instead supplies a raw UUID, no such ownership check occurs: the function queries the database for a matching flow ID and returns it regardless of who created it [3][6]. Because flow IDs are exposed through Langflow’s own GET /api/v1/flows/ listing endpoint, an attacker does not need to guess a UUID; the platform discloses the values needed to exploit the flaw.

This defect arrived on the heels of an unrelated but consequential Langflow vulnerability. CVE-2026-33017, an unauthenticated remote code execution flaw in the platform’s public flow-build endpoint, was disclosed in March 2026 and was itself added to the CISA KEV catalog with an April 8, 2026 federal deadline; CSA’s AI Safety Initiative published a research note on that vulnerability documenting exploitation beginning within 20 hours of disclosure and the deployment of cryptomining payloads across compromised instances [9]. CVE-2026-55255 is a separate code defect with a separate root cause, but its emergence in the same product within months of the RCE disclosure marks the second authorization- or input-validation-related KEV entry for Langflow within a single year — a track record specific to this platform that is consistent with, though not by itself independent confirmation of, the broader concern that AI agent orchestration platforms built for rapid experimentation may lag in authorization hardening.


Security Analysis

How the IDOR Works

The exploitation path for CVE-2026-55255 requires only two authenticated HTTP requests. First, the attacker calls GET /api/v1/flows/, an endpoint that discloses the flow metadata, including UUIDs, associated with the Langflow instance. Second, the attacker calls POST /api/v1/responses with the harvested UUID supplied as the model parameter and an arbitrary instruction as the input parameter. Sysdig documented the exact payload used by the threat actor it observed: a request specifying a victim’s flow ID alongside the input string “leak api keys” [3]. Because the endpoint resolves the flow by UUID without verifying that the caller owns it, Langflow executes the victim’s flow on the attacker’s behalf, using whatever credentials, tool integrations, and data sources that flow was configured to reach.

The consequence is not merely unauthorized data access in the traditional sense. Because the executed object is an AI agent workflow rather than a static resource, hijacking it can trigger real actions: calls to connected LLM providers using the victim’s API keys, queries against databases the flow was authorized to reach, and exposure of any secrets embedded in the flow’s configuration or conversation history. Sysdig characterized this as the IDOR’s ability to “cross the tenant boundary at the application layer” — meaning that in a multi-tenant SaaS deployment of Langflow, the vulnerability does not merely violate one user’s expectation of privacy within a single organization; it can, in principle, let one customer’s traffic execute another customer’s workflow entirely [4].

Chained Exploitation with CVE-2026-33017

Sysdig’s Threat Research Team identified the first confirmed in-the-wild exploitation of CVE-2026-55255 on June 25, 2026, two days after public disclosure, and traced related reconnaissance back to June 22 [3]. The observed campaign did not rely on the IDOR alone. The same operator, against the same Langflow instance, alternated between CVE-2026-55255 and CVE-2026-33017, the unauthenticated RCE flaw disclosed earlier in the year. Flow enumeration via the disclosure endpoint occurred at 03:41:13 UTC on June 25, followed within seconds by two IDOR exploitation attempts, and then by four sustained waves of RCE exploitation between 10:06 and 10:29 UTC the same day [3]. Sysdig noted that the operator treated the IDOR “as a two-request afterthought” relative to the far more resource-intensive RCE exploitation, a detail that may help explain why the IDOR — despite carrying the higher vendor-assessed CVSS score — drew comparatively little independent attacker attention prior to the KEV listing. The observed infrastructure included a source and staging IP of 45.207.216.55, a distinctive TLS client fingerprint, an external loader URL, and a filesystem execution marker left on compromised hosts, details that defenders can use for retrospective log review [3].

The table below summarizes the two Langflow vulnerabilities as a pair, since organizations patching one should verify their exposure to both.

Attribute CVE-2026-55255 (this note) CVE-2026-33017 (companion RCE)
Vulnerability type IDOR / authorization bypass (CWE-639) Unauthenticated remote code execution
Vulnerable endpoint /api/v1/responses Public flow build endpoint (build_public_tmp)
Authentication required Yes (any valid account) No
CVSS (NVD / vendor range) 8.4 High (NVD/GitHub); 9.9 Critical (Sysdig, third-party trackers) 9.8 Critical (NVD)
Disclosed June 23, 2026 March 2026
Patched version 1.9.1 1.9.0
Added to CISA KEV July 7, 2026 (deadline July 10) Earlier in 2026 (deadline April 8)
CSA prior coverage This note CSA research note, July 2, 2026 [9]

Why the CVSS Scores Disagree

The gap between NVD’s 8.4 rating and the 9.9 rating assigned by Sysdig and aligned threat intelligence sources is not a data error; it reflects a substantive disagreement about scope. NVD and GitHub’s advisory scored the vulnerability with an access complexity component that assumes some difficulty in obtaining a target’s flow ID. Sysdig’s higher score reflects the observed reality that Langflow’s own flow-listing endpoint makes ID enumeration trivial for any authenticated user, effectively eliminating the access complexity NVD’s scoring assumed [1][3]. This divergence is instructive for any organization triaging KEV entries by CVSS score alone: a scoring model that does not account for how easily an attacker can satisfy its preconditions can understate real-world exploitability, particularly for vulnerabilities embedded in platforms that expose enumerable identifiers by design.

The Federal Directive Context

CISA added CVE-2026-55255 to its Known Exploited Vulnerabilities catalog on July 7, 2026, requiring Federal Civilian Executive Branch agencies to remediate or discontinue use of affected instances by July 10, 2026, under Binding Operational Directive 26-04, CISA’s current directive governing prioritized remediation of actively exploited vulnerabilities [2]. CISA’s public guidance characterized the vulnerability class plainly: “This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise” [2]. The listing arrived alongside three other actively exploited vulnerabilities in Adobe, Joomla, and related products, indicating that this particular KEV batch was not specific to AI tooling but part of a broader, concurrent set of additions [10].


Recommendations

Immediate Actions

Organizations running Langflow should confirm their deployed version and upgrade to 1.9.1 or later without delay, since that version is the one confirmed to fully close the authorization gap in the /api/v1/responses endpoint [6]. Because this vulnerability has been chained in the wild with CVE-2026-33017, any organization patching one CVE should verify remediation of both; an instance still vulnerable to the RCE flaw can be compromised regardless of the IDOR fix. Federal agencies operating past the July 10 deadline should treat remediation as overdue and escalate accordingly under BOD 26-04 [2]. Any organization that identifies an unpatched, internet-facing Langflow instance should rotate all credentials accessible to flows on that instance, including LLM provider API keys, cloud service credentials, and database secrets, since Sysdig’s observed campaign specifically targeted these values [3][4].

Short-Term Mitigations

Administrators should review Langflow access logs for the specific exploitation pattern documented by Sysdig: calls to GET /api/v1/flows/ followed closely by POST /api/v1/responses requests referencing flow IDs the requesting account does not own, particularly requests carrying credential-harvesting prompts. Organizations running multi-tenant Langflow deployments should audit whether tenant isolation is enforced anywhere other than at the authorization layer this vulnerability bypassed; relying solely on application-level ownership checks, as this incident demonstrates, is insufficient without independent verification that a request’s origin matches the resource it targets. Where feasible, restrict which accounts can invoke /api/v1/responses by UUID at all, and consider disabling or gating the flow-listing endpoint that made ID enumeration trivial for the observed attacker.

Strategic Considerations

CVE-2026-55255 illustrates a recurring theme in agentic AI platform security: authorization defects in these systems carry consequences beyond conventional data exposure, because the resource being accessed without authorization is an executable workflow with its own credentials and tool access. Organizations evaluating or operating AI agent orchestration platforms should require vendors to demonstrate that every resource-resolution code path, not just the primary or documented one, enforces ownership checks consistently, since this flaw persisted precisely because one resolution path (endpoint name) was hardened while a second, less obvious path (UUID) was not. Security teams should also treat the CVSS scoring divergence documented here as a caution against triaging AI infrastructure vulnerabilities on numeric severity alone; a platform’s own design choices, such as which identifiers it discloses to authenticated users, can materially change real-world exploitability in ways a base score may not capture.


CSA Resource Alignment

CSA’s AI Safety Initiative published a research note on Langflow’s companion vulnerability, CVE-2026-33017, on July 2, 2026, documenting the unauthenticated RCE flaw in the same product and the cryptomining campaign that followed its disclosure [9]. That note’s central argument, that AI development platforms accumulate high-value credentials without the hardening typically applied to production systems, applies with equal force to CVE-2026-55255: both vulnerabilities trace back to the same underlying gap between Langflow’s rapid feature development and the authorization rigor its multi-tenant deployment model requires.

CSA’s Securing LLM-Backed Systems: Essential Authorization Practices addresses this class of defect, providing design patterns for enforcing authorization checks consistently across every resource-resolution path in LLM-integrated systems, including the confused-deputy and identity-propagation failure modes that produce IDOR-style vulnerabilities in orchestrator architectures [11]. Organizations building or evaluating agent execution engines should use its guidance on external authorization checkpoints and least-privilege identity propagation as a direct remediation reference for the pattern exposed by CVE-2026-55255.

The CSA Agentic AI Red Teaming Guide includes Agent Authorization and Control Hijacking as one of its twelve core vulnerability categories for testing autonomous AI systems, with step-by-step methodologies for probing exactly the kind of cross-tenant execution flaw this note describes [12]. Security teams operating Langflow or comparable orchestration platforms should incorporate this category into pre-deployment and recurring red-team exercises rather than relying on vendor patch cycles alone to surface similar defects.

Finally, CSA’s Enterprise AI Security Starts with AI Agents survey report provides empirical grounding for why this vulnerability class remains common: 82% of surveyed organizations report the presence of AI agents operating in their environment that they were not aware of, 53% report agents that have exceeded their intended scope of access, and only 8% say their agents never exceed intended permissions, while 47% report experiencing an AI agent-related security incident in the past year [13]. CSA’s Identity and Access Gaps in the Age of Autonomous AI extends this picture, documenting how agents routinely inherit shared or human identities and operate under fragmented ownership models that make it difficult to enforce the kind of consistent, per-resource ownership check that CVE-2026-55255 shows was missing from Langflow’s UUID resolution path [15]. Together, these findings suggest that the authorization gap exploited in CVE-2026-55255 is not an isolated coding defect but symptomatic of an industry-wide shortfall in runtime authorization maturity that CSA’s AI Controls Matrix (AICM) v1.1 is designed to help organizations close through its identity and access management control domain [14].


References

[1] NVD. “CVE-2026-55255 Detail.” National Vulnerability Database, published June 23, 2026, updated July 8, 2026.

[2] BleepingComputer. “CISA Orders Feds to Prioritize Patching Langflow Auth Bypass Flaw.” BleepingComputer, July 2026.

[3] Sysdig. “Understanding Langflow CVE-2026-55255, and Why Higher CVSS Vulnerabilities Aren’t Always the Most Exploited.” Sysdig Threat Research Team, July 2026.

[4] Help Net Security. “Attackers Using Langflow Flaw for Credential Harvesting (CVE-2026-55255).” Help Net Security, July 8, 2026.

[5] GitHub Security Advisory Database. “GHSA-qrpv-q767-xqq2: IDOR Vulnerability in /api/v1/responses Endpoint Allows Authenticated Attackers to Access Another User’s Flow.” GitHub, June 2026.

[6] Langflow (langflow-ai). “Security Advisory GHSA-qrpv-q767-xqq2.” GitHub Repository, 2026.

[7] TechCrunch. “DataStax Acquires the Startup Behind Low-Code AI Builder Langflow.” TechCrunch, April 4, 2024.

[8] Langflow AI. “langflow-ai/langflow.” GitHub Repository, 2026.

[9] Cloud Security Alliance AI Safety Initiative. “CVE-2026-33017: Langflow RCE Exploits Enterprise AI Pipelines.” CSA Labs, July 2, 2026.

[10] The Hacker News. “CISA Adds 4 Actively Exploited Adobe, Joomla, and Langflow Flaws to KEV.” The Hacker News, July 2026.

[11] Cloud Security Alliance. “Securing LLM Backed Systems: Essential Authorization Practices.” CSA AI Technology and Risk Working Group, 2024.

[12] Cloud Security Alliance. “Agentic AI Red Teaming Guide.” CSA AI Organizational Responsibilities Working Group, 2025.

[13] Cloud Security Alliance. “Enterprise AI Security Starts with AI Agents.” CSA Research, 2026.

[14] Cloud Security Alliance. “AI Controls Matrix (AICM) v1.1.” Cloud Security Alliance, 2026.

[15] Cloud Security Alliance. “Identity and Access Gaps in the Age of Autonomous AI.” CSA Research, 2026.

← Back to Research Index