CISA added four vulnerabilities to its Known Exploited Vulnerabilities catalog on July 7 and gave federal agencies until today, July 10, to patch under BOD 26-04. One of them, CVE-2026-55255 in Langflow, is the second time in four months that the open-source AI agent framework has landed on the KEV list — and the details show why a “medium” CVSS score is a bad reason to deprioritize a patch.
The Vulnerability
CVE-2026-55255 is an Insecure Direct Object Reference (IDOR) flaw — CWE-639, authorization bypass through a user-controlled key — in Langflow’s /api/v1/responses endpoint. The root cause sits in a helper function, get_flow_by_id_or_endpoint_name, which looks up a flow by its UUID directly against the database without checking whether the requesting user actually owns it. Lookups by endpoint name do carry an ownership check; lookups by raw flow ID don’t.
The practical effect: any authenticated user — including a low-privilege account or one obtained through a separate compromise — can supply another user’s flow_id in a request and execute that victim’s flow. Because Langflow flows commonly embed API keys, database credentials, and LLM provider secrets as part of their configuration, executing someone else’s flow means running their pipeline with their embedded secrets.
Scoring on this one is inconsistent across sources, which is itself part of the story. CISA’s KEV entry lists it at CVSS 6.1; other trackers (KEVIntel, CIRCL) put it at 9.9, and GitHub’s advisory (GHSA-qrpv-q767-xqq2) scores it 8.4. Sysdig’s writeup on the vulnerability is framed explicitly around this discrepancy — a reminder that CVSS is a modeling exercise, not a measure of what attackers will actually do with a flaw, and it did not stop this one from being exploited within weeks of disclosure.
Affected: all Langflow versions prior to 1.9.1. Fixed in 1.9.1 and later, with 1.9.2 the currently recommended target — the patch adds an explicit ownership check that returns a 404 when a flow’s stored user_id doesn’t match the authenticated session.
Active Exploitation
Sysdig’s Threat Research Team observed the first in-the-wild exploitation of CVE-2026-55255 on June 25, 2026, with an earlier related wave on June 22. The observed attack chain followed a consistent pattern: an auto_login call, a request to /api/v1/flows/, then the exploit itself.
In the confirmed intrusions, attackers didn’t stop at reading a victim’s flow data. They injected a malicious custom Langflow component that, when built, shelled out to fetch a second-stage payload:
| |
Successful runs left behind a /tmp/lang_pwn marker file. Sysdig assesses the objective as code execution and second-stage implant delivery in the loader/dropper class — consistent with broader botnet-style scanning activity also tied to Langflow’s earlier flaw, CVE-2026-33017 (an unauthenticated RCE disclosed in March, previously covered on this site). In several cases attackers combined both bugs: using the IDOR to harvest LLM provider keys, cloud credentials, and database secrets embedded in other users’ flows, alongside RCE for direct code execution.
The Same-Day KEV Batch
CVE-2026-55255 didn’t land on KEV alone. CISA’s July 7 update added three other actively-exploited, maximum- or near-maximum-severity bugs, all carrying the same July 10 remediation deadline:
- CVE-2026-48282 (CVSS 10.0) — Adobe ColdFusion path traversal leading to arbitrary code execution.
- CVE-2026-56290 (CVSS 10.0) — Joomlack Page Builder CK, unauthenticated arbitrary file upload leading to RCE. Patched in 3.6.0; exploitation observed dropping web shells under
/media/com_pagebuilderck/gfonts/. - CVE-2026-48908 (CVSS 10.0) — JoomShaper SP Page Builder, an unauthenticated file upload via the
asset.uploadCustomIcontask, also leading to RCE and, in observed attacks, creation of a rogue Super User account. Patched in 6.6.2.
If you run any of Adobe ColdFusion, Joomla with either page builder extension, or Langflow, all four deadlines are today.
Who’s Affected and What to Do
Anyone running Langflow prior to 1.9.1 with multi-tenant usage (more than one user account with distinct flows) is exposed to credential and data theft between users, and potentially to the chained RCE path if CVE-2026-33017 is also unpatched. Given Langflow’s growing footprint in CI/CD and internal AI-agent tooling, a single compromised low-privilege account can now be leveraged to reach every other user’s secrets on the same instance.
Immediate steps:
- Upgrade to Langflow 1.9.2 (or at minimum 1.9.1) on every instance — production, staging, and CI.
- Also verify you’re actually on 1.9.0+ for CVE-2026-33017; a prior “patched” report of 1.8.2 was confirmed still exploitable (see our earlier coverage).
- Audit Langflow instance logs for the
auto_login→/api/v1/flows/→/api/v1/responsesrequest sequence, and for outbound connections to45.207.216.55:8084or the presence of/tmp/lang_pwn. - Rotate every credential embedded in any Langflow flow on an instance that was internet-reachable or multi-tenant prior to patching — API keys, database credentials, and LLM provider tokens should all be treated as burned.
- Restrict Langflow’s outbound network access where possible; the observed second-stage delivery relies on the compromised instance reaching attacker infrastructure directly.