Langflow CVE-2026-55255 KEV: AI Agent Flaw Explained

Langflow CVE-2026-55255 KEV

The Langflow CVE-2026-55255 KEV entry, added by CISA on July 7, marks the first time an AI agent orchestration platform has ever appeared in the Known Exploited Vulnerabilities catalog. The flaw carries a CVSS score of just 6.1 from CISA, yet KEVIntel and CIRCL independently score the same bug 9.9, because it lets an authenticated attacker steal another tenant’s LLM provider keys and cloud credentials with a single crafted request.

What Happened

CVE-2026-55255 is a cross-tenant insecure direct object reference (CWE-639) in Langflow’s /api/v1/responses endpoint, present in all versions before 1.9.2. The underlying helper function, get_flow_by_id_or_endpoint_name, resolved a flow from a client-supplied ID without ever checking whether the requesting user actually owned it. Any authenticated user could substitute another tenant’s flow ID and execute that flow with the victim’s own credentials.

Sysdig’s Threat Research Team observed a single operator (IP 45.207.216.55) weaponize the bug between June 22 and June 25, 2026, pairing it with a companion unauthenticated RCE flaw, CVE-2026-33017. The session followed a precise pattern: authenticate, enumerate flow IDs via /api/v1/flows/, then fire IDOR requests against /api/v1/responses with the payload prompt set — verbatim — to “leak api keys.” The operator then pivoted to the RCE for second-stage payload delivery, consistent with botnet or cryptojacking monetization.

CISA’s July 7 batch bundled this Langflow CVE-2026-55255 KEV entry with three unrelated CVSS 10.0 flaws — Adobe ColdFusion (CVE-2026-48282) and two Joomla page-builder extensions — all four carrying a federal remediation deadline of July 10 under Binding Operational Directive 26-04. This is the seventh distinct Langflow CVE exploited in roughly fourteen months, following CVE-2025-3248, CVE-2026-0770, CVE-2026-33017, CVE-2026-21445, CVE-2025-34291, and CVE-2026-5027.

Why It Matters

CVE-2025-3248 — one of those six prior Langflow flaws — is the same entry point Sysdig documented on July 1 in JADEPUFFER, the first fully autonomous agentic-ransomware operation (DIESEC covered this July 8). Within one month, Langflow has been the doorway for a self-directed AI ransomware agent and the vault an attacker robbed of cloud and LLM credentials via IDOR. Both cases share a root cause: platforms built to connect AI agents to production credentials, databases, and APIs are, by design, a concentrated credential store — and every flaw in them inherits that blast radius.

For DACH organizations, the governance lesson is sharper than the technical one. CISA scored this flaw 6.1; two independent vulnerability databases scored it 9.9. A patch-prioritization process built purely on CVSS thresholds would have left this vulnerability sitting in a backlog while it was already being exploited. KEV catalog membership and EPSS exploitation-probability scores exist precisely to catch that gap — and increasingly, self-hosted Langflow deployments inside German Mittelstand AI initiatives (RAG pipelines, internal chatbots, LLM ops tooling adopted for data-sovereignty reasons) are exactly the kind of internet-facing instance this campaign targeted.

What You Should Do Now

  1. Update every Langflow instance to version 1.9.2 or later immediately — this adds the missing ownership check on the /api/v1/responses endpoint.
  2. Check whether your instance was internet-exposed at any point since late June; if so, treat credential rotation as mandatory, not precautionary.
  3. Rotate every API key, LLM provider credential (OpenAI, Anthropic, or others), and cloud access credential stored in any flow — the IDOR leaves no footprint distinguishable from normal flow execution except a mismatched flow ID in API logs.
  4. Audit /api/v1/responses access logs for cross-user flow ID patterns, and restrict Langflow API access to trusted internal networks going forward rather than exposing it to the public internet.

If a step above turns up evidence of prior access, treat it as a credential-compromise incident, not a patch gap — the whole point of this flaw is that exploitation looks identical to normal use.

DIESEC Perspective

We flagged this pattern in our July 8 JADEPUFFER post: Langflow’s function — connecting AI agents to production credentials — makes every flaw in it disproportionately dangerous relative to its CVSS score. CVE-2026-55255 confirms that lesson from the opposite direction: a low official severity score, a maximum-severity real-world impact, and CISA’s KEV catalog as the tiebreaker that patch-management processes built on CVSS alone would have missed.

Not sure whether your AI agent orchestration deployment has a gap like this? Contact DIESEC for a rapid credential-exposure and access-control review of your self-hosted AI tooling.

Sources: The Hacker News | Tech Times
Published: 2026-07-13 | Category: AI Security | ~4 min read