Close Menu
  • Threat Intelligence
    • Cyber Attacks & Exploits
    • Data Breaches
    • Malware Analysis
  • Security Tools
    • Cybersecurity Tool Reviews
    • Cybersecurity Tools
    • Top 10 Security Tools
  • News & Updates
    • Cybersecurity Weekly Report
    • Industry Updates
  • Endpoint & System Security
  • Mobile Security
  • Cyber Insurance
  • Cyber law & Compliance
X (Twitter) LinkedIn WhatsApp
Trending
  • Langflow CVE-2026-55255: Inside CISA’s First AI Agent Platform KEV Listing
  • Cybersecurity Weekly Report: July 6 – 12, 2026
  • Mobile App Penetration Testing 2026: OWASP MASVS Testing Checklist
  • 5 New Prompt Injection Attacks Target AI Agents
  • Top 10 Best SIEM Tools 2026: Enterprise Security Platforms Compared & Ranked
  • Cybersecurity weekly report : June 29 – July 5, 2026 – CyberInfos
  • Cybersecurity Weekly Report: June 8 -14, 2026 | CyberInfos
  • How CVE Lite CLI Brings Dependency Security to Your Terminal
Friday, July 17
Cyber infos
X (Twitter) LinkedIn WhatsApp
  • Threat Intelligence
    • Cyber Attacks & Exploits
    • Data Breaches
    • Malware Analysis
  • Security Tools
    • Cybersecurity Tool Reviews
    • Cybersecurity Tools
    • Top 10 Security Tools
  • News & Updates
    • Cybersecurity Weekly Report
    • Industry Updates
  • Endpoint & System Security
  • Mobile Security
  • Cyber Insurance
  • Cyber law & Compliance
Cyber infos
Data Breaches

Langflow CVE-2026-55255: Inside CISA’s First AI Agent Platform KEV Listing

V DiwaharBy V DiwaharJuly 17, 2026No Comments13 Mins Read
Facebook Twitter Pinterest LinkedIn WhatsApp Copy Link
Share
Facebook Twitter Pinterest Threads Copy Link

CISA’s Known Exploited Vulnerabilities catalog has flagged thousands of flaws across routers, servers, and enterprise software. Until July 7, 2026, it had never listed a single vulnerability inside an AI agent platform until Langflow CVE-2026-55255 changed that.

Security researchers had already caught attackers exploiting the flaw in the wild nearly two weeks before CISA’s confirmation landed. That gap should worry any SOC team, because most vulnerability-management programs still don’t track AI agent platform vulnerability categories the way they track servers and endpoints. Credentials, API keys, and cloud tokens sit inside these workflows in plain sight, and very few teams are watching for it.

Left unpatched, a single Langflow authorization bypass can hand an attacker every credential a workflow touches cloud access, LLM provider keys, and anything downstream of it. For organizations already stretched thin on AI governance, that’s a breach waiting to be discovered the hard way.

This report breaks down exactly how the flaw works and what Sysdig observed when Langflow exploited in the wild for real. It also covers the exact patch and credential-rotation steps SOC teams need to run this week.

Table of Contents hide
1 Quick Answer
2 What Happened
3 How the Vulnerability Works
4 Confirmed Exploitation in the Wild
5 Why CISA’s Scoring Doesn’t Match Everyone Else’s
6 CyberInfos Analyst Insight
7 The Bigger Picture: AI Agent Security in 2026
8 Real-World Examples
9 Actionable Checklist
10 FAQ
11 Final Thoughts

Quick Answer

Langflow CVE-2026-55255 is an Insecure Direct Object Reference (IDOR) vulnerability in Langflow, an open-source platform for building AI agents and workflows. On July 7, 2026, CISA added it to the Known Exploited Vulnerabilities (KEV) catalog – the first time an AI agent platform vulnerability has ever appeared on that list. Attackers with valid credentials can invoke another user’s AI workflow by guessing or harvesting its ID, exposing embedded API keys and credentials. Patch to the latest Langflow release and rotate every credential stored in any flow.

What Happened

On July 7, 2026, the Cybersecurity and Infrastructure Security Agency (CISA) added three vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog: flaws in JoomShaper’s SP Page Builder, Joomlack’s Page Builder, and Langflow – an open-source tool used to build and deploy AI-powered agents and workflows.

The Langflow entry, tracked as CVE-2026-55255, marks the first time CISA has listed a Langflow vulnerability – or any AI agent platform vulnerability on the KEV catalog. Federal civilian agencies had until July 10, 2026 to remediate under Binding Operational Directive (BOD) 26-04. That deadline has already passed as of this writing.

Sit with that for a second. The KEV catalog exists to flag vulnerabilities CISA has confirmed are being exploited in real attacks, not theoretical risks. For years, “AI security” conversations in this industry mostly lived in the realm of prompt injection research and red-team demonstrations. Not anymore. This is CISA formally confirming that a CISA KEV AI agent platform entry now sits in the same exploited-in-production category as SharePoint, Cisco IOS, and enterprise VPN appliances.

How the Vulnerability Works

Langflow CVE-2026-55255 is an IDOR flaw, tracked under CWE-639 (Authorization Bypass Through User-Controlled Key). It lives in Langflow’s /api/v1/responses endpoint, which exposes each Langflow “flow” as a callable model OpenAI-Responses-API-compatible, with the flow’s UUID passed as the model parameter.

The root cause is simple to state and expensive to have missed: a missing ownership check. In the get_flow_by_id_or_endpoint_name helper function, when a flow is resolved by its UUID, Langflow queried the database without verifying that the requesting user actually owned that flow. Any authenticated user who obtained a valid flow ID could execute someone else’s flow – including any API keys, LLM provider credentials, or cloud access tokens embedded in it. That’s the Langflow authorization bypass at the heart of this story, in one sentence.

Two details matter for anyone triaging this:

  • The flow UUID is 122 bits of randomness, so it can’t be brute-forced. Exploitation depends on an attacker first obtaining a valid ID typically by enumerating the /api/v1/flows/ list endpoint, which discloses flow IDs to any authenticated caller.
  • A separate resolution path, using an endpoint_name instead of a UUID, does enforce ownership correctly. Only the UUID lookup path was vulnerable.

The fix adds an explicit ownership check: if a flow’s stored user_id doesn’t match the authenticated session’s user_id, the endpoint now returns a 404 instead of executing the flow. Langflow shipped this fix in pull request #12832. Sources disagree on the exact Langflow patch update that carries it in full some advisories cite 1.9.1, others cite 1.9.2. Rather than chase the discrepancy, the safest move is to update to the latest available Langflow release and confirm PR #12832 is included in whatever build you’re running.

Sysdig-documented attacker session exploiting Langflow CVE-2026-55255 with a leak api keys
Sysdig traced a single operator chaining CVE-2026-55255 and CVE-2026-33017 in one session on June 25, 2026.

Confirmed Exploitation in the Wild

Langflow exploited in the wild is no longer hypothetical. Cloud security firm Sysdig’s Threat Research Team documented the first known exploitation of this Langflow IDOR exploit on June 25, 2026 – nearly two weeks before CISA’s catalog addition. A single operator, tracked to IP address 45.207.216.55, returned to an internet-exposed Langflow instance they had first probed three days earlier and ran a methodical session: authentication reconnaissance, flow enumeration via /api/v1/flows/, the IDOR exploit itself, and then a sustained round against a separate Langflow remote code execution flaw, CVE-2026-33017.

Twenty seconds before firing the IDOR exploit, the operator pulled the flow list, harvested IDs, and replayed one as the model parameter on POST /api/v1/responses – with the input "leak api keys". That’s a prompt, not an exploit payload in the traditional sense. The attacker was using the hijacked flow’s own execution context to try to make it disclose the credentials embedded inside it.

CVE-2026-33017, the RCE running alongside it, is well-trodden ground by comparison. CISA added it to KEV back on March 25, 2026, and Sysdig previously reported roughly 7,000 exposed Langflow servers came under attack within about 20 hours of its disclosure used for AWS key theft, .env/database file harvesting, and deployment of malicious NATS worker processes.

Sysdig’s read on how the attacker split effort between the two bugs is genuinely instructive: the higher-scored IDOR got a quick, two-request treatment, while the lower-scored RCE got sustained attention, simply because it was easier to weaponize on that particular target. This is, according to Sysdig, the seventh distinct Langflow vulnerability to see active or recent exploitation over the past year.

Three separate 2026 incidents show a consistent pattern of AI agent infrastructure targeted for credential and financial theft.
Timeline of 2026 Langflow and AI agent security incidents from March to July

Why CISA’s Scoring Doesn’t Match Everyone Else’s

Check multiple vulnerability trackers for this CVE and you’ll notice the CVSS scores don’t agree. That’s worth flagging rather than picking one number and moving on. CISA’s own KEV entry lists a base score of 6.1. Independent trackers KEVIntel and the CIRCL vulnerability database score the same flaw at 9.9. At least one third-party tracker lists 8.4.

That’s not a data-entry error – it’s a real disagreement about how much weight to give the vulnerability’s cross-tenant scope. On a single-tenant, self-hosted Langflow instance, an attacker armed with the IDOR can’t do much the already-KEV-listed RCE (CVE-2026-33017) couldn’t already do.

But on a managed or multi-tenant Langflow deployment, where the RCE is typically sandboxed per tenant, the IDOR becomes the only path that crosses from one customer’s environment into another’s credentials – and it does so without leaving a footprint distinguishable from normal flow execution in most logging setups. KEVIntel and CIRCL weighted that cross-tenant blast radius heavily. CISA’s published number didn’t.

The practical lesson: a KEV listing means confirmed active exploitation, full stop, regardless of which CVSS number is attached to it. If your Langflow deployment is multi-tenant or managed by a third party, treat this as more urgent than the CISA score alone would suggest.

CyberInfos Analyst Insight

Here’s the challenge with this one: the Langflow KEV listing matters less for the specific bug IDOR flaws are a known, well-understood class of vulnerability and more for what it confirms about where SOC teams’ asset inventories are already blind. Most vulnerability-management programs were built to track servers, endpoints, and web applications. Very few list “AI agent platforms” or “AI workflow orchestration tools” as a distinct, tracked asset category, even though these platforms now hold the exact class of secrets – API keys, cloud credentials, LLM provider tokens  that a credential-stealing attacker actually wants.

A common mistake we’d flag here: teams patch the CVE and consider the incident closed. That’s not enough for this particular flaw. Because the exploitation path leaves minimal log signal, patching alone doesn’t answer the question “was I already compromised?” Credential rotation for anything stored in a flow not just the patch is the correct closing action, even on instances with no direct evidence of exploitation.

Infographic of 2026 AI agent security statistics including prompt injection rise and EU AI Act fines
Prompt injection attempts are up 340% year-over-year, with 88% of AI-agent-running

The Bigger Picture: AI Agent Security in 2026

This KEV listing lands in the middle of a broader, well-documented shift in how AI agents get attacked. Prompt injection remains the number one entry on the OWASP LLM Top 10 in 2026, and multiple independent reports place the year-over-year increase in documented injection attempts against enterprise AI systems at roughly 340%. Indirect attacks instructions hidden in a document, email, or web page rather than typed directly now account for more than half of incidents, and convert at a notably higher rate than direct attempts.

Separately, industry research on organizations running AI agents found that 88% reported at least one related security incident, with 61% traced back to over-permissioned credentials and roughly a third involving prompt injection specifically. The connective tissue across a lot of 2026’s AI-agent incidents, this one included, is the Model Context Protocol (MCP) and adjacent agent-orchestration infrastructure treated by a growing number of researchers as a supply-chain risk category in its own right, not just a prompt-handling problem.

At the same time, there’s a regulatory clock attached for any organization with EU-facing operations: the EU AI Act’s provisions for general-purpose AI models carry enforcement from August 2, 2026, with fines that can reach €35 million or 7% of global annual turnover for insufficient guardrails.

Real-World Examples

  • The Sysdig-documented Langflow campaign (June 25, 2026): covered in detail above -a single operator chaining CVE-2026-55255 and CVE-2026-33017 against the same self-hosted Langflow instance in one session, with a credential-exfiltration prompt as the payload.
  • CVE-2026-33017 mass exploitation (March 2026): roughly 7,000 internet-exposed Langflow servers came under attack within approximately 20 hours of that RCE’s disclosure – a reminder of how fast exploitation follows disclosure once a Langflow flaw goes public.
  • Prompt-injection-driven crypto payment fraud (reported July 2026): researchers documented threat actors embedding indirect prompt injections in malicious websites and manipulated search results, specifically to trick autonomous AI agents into making cryptocurrency payments or trusting fraudulent platforms. Different attack surface — browsing agents rather than a hosted flow platform – but the same underlying theme: agent infrastructure targeted for credential and financial theft.
Checklist for remediating Langflow CVE-2026-55255 including patching and credential rotation
Eight concrete steps SOC teams should complete this week to remediate CVE-2026-55255.

Actionable Checklist

  • Inventory every Langflow instance in your environment – self-hosted, managed, and shadow deployments spun up by individual teams
  • Update Langflow to the latest available release and confirm PR #12832 (the ownership-check fix) is included
  • Rotate every API key, LLM provider credential, and cloud access credential stored in any Langflow flow – treat this as mandatory, not precautionary, on any internet-exposed instance
  • Audit /api/v1/responses access logs for cross-user flow ID access patterns
  • Never expose Langflow’s code-execution or flow-validation endpoints directly to the public internet
  • Move credentials out of flow environments/environment variables and into a dedicated secrets manager
  • Restrict network access to the Langflow API to trusted, authenticated networks only
  • If your deployment is multi-tenant or managed, treat this as higher priority than the CISA CVSS score alone suggests
  • Add “AI agent / AI workflow platforms” as a tracked asset category in your vulnerability management program going forward

FAQ

What is CVE-2026-55255?

It’s an Insecure Direct Object Reference (IDOR) vulnerability in Langflow, an open-source AI agent and workflow platform. It allows an authenticated attacker to execute another user’s flow and access any credentials embedded in it — by supplying that flow’s ID.

Is Langflow actually being exploited right now?

Yes. CISA added it to the Known Exploited Vulnerabilities catalog on July 7, 2026, based on confirmed active exploitation, and Sysdig independently documented a real exploitation session on June 25, 2026.

Why is this the “first AI agent platform” on CISA’s KEV list?

CISA’s KEV catalog has listed thousands of CVEs across operating systems, network appliances, and enterprise software, but Langflow CVE-2026-55255 is the first entry specifically in a platform designed for building and running AI agents, rather than traditional IT infrastructure.

What version of Langflow fixes this?

Sources differ, citing both 1.9.1 and 1.9.2 as the version carrying the ownership-check fix from PR #12832. Update to the latest available release rather than relying on either specific version number.

Why do CVSS scores for this vulnerability vary so widely?

CISA’s KEV entry lists 6.1; KEVIntel and CIRCL list 9.9; another tracker lists 8.4. The disagreement centers on how much weight to give the flaw’s cross-tenant impact on managed/multi-tenant Langflow deployments, which CISA’s published score doesn’t appear to weight as heavily as the independent trackers do.

Does patching alone fix an already-exploited instance?

No. Because this vulnerability’s exploitation leaves minimal distinguishing log signal, any internet-exposed instance should have every stored credential rotated after patching, not just the software updated.

Is this related to the Langflow RCE from earlier in 2026?

Yes – CVE-2026-33017 is a separate, more severe Langflow remote code execution flaw added to KEV back in March 2026. Sysdig observed the same attacker chaining both vulnerabilities against the same target in one session.

What is BOD 26-04 and does it apply to my organization?

Binding Operational Directive 26-04 is CISA’s directive requiring U.S. federal civilian agencies to remediate KEV-listed vulnerabilities by directive-set deadlines. It replaced the older BOD 22-01 in June 2026 with variable deadlines based on severity and exploitation status. It’s not legally binding on private organizations, but a KEV listing signals confirmed real-world exploitation regardless of your regulatory obligations.

Should organizations outside the U.S. federal government care about this?

Yes. A KEV listing is CISA’s confirmation that exploitation is happening in the wild, not a US-government-specific concern any organization running Langflow, anywhere, faces the same attack path.

How does this connect to broader AI agent security trends in 2026?

It’s one concrete, KEV-confirmed data point inside a much larger pattern: prompt injection attempts up roughly 340% year-over-year, 88% of organizations running AI agents reporting at least one related security incident, and over-permissioned credentials behind the majority of those incidents.

Final Thoughts

Langflow CVE-2026-55255 is a textbook IDOR vulnerability sitting inside a platform category most vulnerability-management programs don’t yet track as a distinct asset class. The immediate action is straightforward patch, verify the fix, rotate credentials, restrict network exposure. The strategic takeaway is broader: AI agent and workflow platforms are now demonstrably part of the same exploited-in-production threat landscape as any other internet-facing enterprise software.

CISA’s KEV catalog confirming that with its first-ever AI agent platform listing is a marker worth treating seriously, not a one-off headline. Security teams that haven’t yet added AI agent infrastructure to their asset inventory and patch cadence should start now, before the next entry in this category arrives. credential exfiltration involving personal data is a reportable DPDP breach

Related posts:

  1. Esse Health Data Breach: What Really Happened in 2025
  2. Discord Data Breach 2025: 1.5 TB Data Leak Exposes Millions of ID Photos
  3. Data Breaches 2025: The 10 Biggest Incidents and Lessons Learned
  4. WIRED Data Breach Exposes 2.3 Million Subscriber Records | Full Incident Analysis
Share. Facebook Twitter Pinterest Threads Telegram Email LinkedIn WhatsApp Copy Link
Previous ArticleCybersecurity Weekly Report: July 6 – 12, 2026
V Diwahar
  • Website
  • LinkedIn

I'm Aspiring SOC Analyst and independent Cybersecurity researcher, founder of CyberInfos.in. I analyzes cyber threats, vulnerabilities, and attacks, providing practical security insights for organizations and cybersecurity professionals worldwide.

Related Posts

Data Breach Detection Time 2026: The Full Guide

March 28, 2026
Read More

FBI Wiretap Breach 2026: Surveillance Database Hacked

March 10, 2026
Read More

Cognizant TriZetto Breach Exposes Data of 3.4M Patients

March 8, 2026
Read More
Add A Comment
Leave A Reply Cancel Reply

Cyber Attacks & Exploits

5 New Prompt Injection Attacks Target AI Agents

July 9, 2026

Splunk Enterprise Vulnerabilities 2026: Critical CVE Guide

June 11, 2026

CVE-2026-32746: 32-Year-Old Telnetd Bug Enables RCE

March 20, 2026

Iran Cyber Attacks 2026: Hacktivist Surge Hits 110 Targets

March 5, 2026

Perplexity Comet Browser Vulnerability Exploited via Calendar Invite

March 4, 2026
Top 10 Security Tools

Top 10 Best SIEM Tools 2026: Enterprise Security Platforms Compared & Ranked

July 7, 2026

Top 10 Best Autonomous Endpoint Management Tools in 2026

November 14, 2025

Top 10 Best API Security Testing Tools in 2026

October 29, 2025

10 Best Free Malware Analysis Tools–2026

July 1, 2025

Top 10 Best Dynamic Malware Analysis Tools in 2026

March 6, 2025

Mobile Security

Mobile App Penetration Testing 2026: OWASP MASVS Testing Checklist

July 11, 2026

Android Security Update Fixes 129 Flaws, Zero-Day

March 3, 2026

PromptSpy Android Malware Marks First Use of Generative AI in Mobile Attacks

February 20, 2026

Securing Mobile Payments and Digital Wallets: Tips for Safe Transactions

December 19, 2025

How to Prevent SIM Swap Attacks and Protect Your Mobile Number in 2026

December 16, 2025
Cyber Insurance

A Step-by-Step Checklist to Prepare Your Business for Cyber Insurance (2026 Guide)

December 14, 2025

Is Your Business Really Protected? A Deep Dive Into Cyber Liability Coverage

December 6, 2025

What Cyber Insurance Doesn’t Cover & How to Fix the Gaps

December 1, 2025

Top Cyber Risks Today and How Cyber Insurance Protects You in 2026

November 28, 2025

What Every Business Owner Must Know Before Buying Cyber Insurance in 2026

November 26, 2025
Recents

Langflow CVE-2026-55255: Inside CISA’s First AI Agent Platform KEV Listing

July 17, 2026

Cybersecurity Weekly Report: July 6 – 12, 2026

July 13, 2026

Mobile App Penetration Testing 2026: OWASP MASVS Testing Checklist

July 11, 2026

5 New Prompt Injection Attacks Target AI Agents

July 9, 2026

Top 10 Best SIEM Tools 2026: Enterprise Security Platforms Compared & Ranked

July 7, 2026
Pages
  • About us
  • Contact us
  • Disclaimer
  • Privacy policy
  • Sitemaps
  • Terms and conditions
About us

CyberInfos delivers trusted cybersecurity news, expert threat analysis, and digital safety guidance for individuals and businesses worldwide.

LinkedIn
X (Twitter) LinkedIn WhatsApp
  • Contact us
  • Sitemap
Copyright © 2026 cyberinfos.in - All Rights Reserved

Type above and press Enter to search. Press Esc to cancel.