CISA’s Known Exploited Vulnerabilities catalog has flagged thousands of flaws across routers, servers, and enterprise software. Until July 7, 2026, it had never listed a single vulnerability inside an AI agent platform until Langflow CVE-2026-55255 changed that.
Security researchers had already caught attackers exploiting the flaw in the wild nearly two weeks before CISA’s confirmation landed. That gap should worry any SOC team, because most vulnerability-management programs still don’t track AI agent platform vulnerability categories the way they track servers and endpoints. Credentials, API keys, and cloud tokens sit inside these workflows in plain sight, and very few teams are watching for it.
Left unpatched, a single Langflow authorization bypass can hand an attacker every credential a workflow touches cloud access, LLM provider keys, and anything downstream of it. For organizations already stretched thin on AI governance, that’s a breach waiting to be discovered the hard way.
This report breaks down exactly how the flaw works and what Sysdig observed when Langflow exploited in the wild for real. It also covers the exact patch and credential-rotation steps SOC teams need to run this week.
Quick Answer
Langflow CVE-2026-55255 is an Insecure Direct Object Reference (IDOR) vulnerability in Langflow, an open-source platform for building AI agents and workflows. On July 7, 2026, CISA added it to the Known Exploited Vulnerabilities (KEV) catalog – the first time an AI agent platform vulnerability has ever appeared on that list. Attackers with valid credentials can invoke another user’s AI workflow by guessing or harvesting its ID, exposing embedded API keys and credentials. Patch to the latest Langflow release and rotate every credential stored in any flow.
What Happened
On July 7, 2026, the Cybersecurity and Infrastructure Security Agency (CISA) added three vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog: flaws in JoomShaper’s SP Page Builder, Joomlack’s Page Builder, and Langflow – an open-source tool used to build and deploy AI-powered agents and workflows.
The Langflow entry, tracked as CVE-2026-55255, marks the first time CISA has listed a Langflow vulnerability – or any AI agent platform vulnerability on the KEV catalog. Federal civilian agencies had until July 10, 2026 to remediate under Binding Operational Directive (BOD) 26-04. That deadline has already passed as of this writing.
Sit with that for a second. The KEV catalog exists to flag vulnerabilities CISA has confirmed are being exploited in real attacks, not theoretical risks. For years, “AI security” conversations in this industry mostly lived in the realm of prompt injection research and red-team demonstrations. Not anymore. This is CISA formally confirming that a CISA KEV AI agent platform entry now sits in the same exploited-in-production category as SharePoint, Cisco IOS, and enterprise VPN appliances.
How the Vulnerability Works
Langflow CVE-2026-55255 is an IDOR flaw, tracked under CWE-639 (Authorization Bypass Through User-Controlled Key). It lives in Langflow’s /api/v1/responses endpoint, which exposes each Langflow “flow” as a callable model OpenAI-Responses-API-compatible, with the flow’s UUID passed as the model parameter.
The root cause is simple to state and expensive to have missed: a missing ownership check. In the get_flow_by_id_or_endpoint_name helper function, when a flow is resolved by its UUID, Langflow queried the database without verifying that the requesting user actually owned that flow. Any authenticated user who obtained a valid flow ID could execute someone else’s flow – including any API keys, LLM provider credentials, or cloud access tokens embedded in it. That’s the Langflow authorization bypass at the heart of this story, in one sentence.
Two details matter for anyone triaging this:
- The flow UUID is 122 bits of randomness, so it can’t be brute-forced. Exploitation depends on an attacker first obtaining a valid ID typically by enumerating the
/api/v1/flows/list endpoint, which discloses flow IDs to any authenticated caller. - A separate resolution path, using an
endpoint_nameinstead of a UUID, does enforce ownership correctly. Only the UUID lookup path was vulnerable.
The fix adds an explicit ownership check: if a flow’s stored user_id doesn’t match the authenticated session’s user_id, the endpoint now returns a 404 instead of executing the flow. Langflow shipped this fix in pull request #12832. Sources disagree on the exact Langflow patch update that carries it in full some advisories cite 1.9.1, others cite 1.9.2. Rather than chase the discrepancy, the safest move is to update to the latest available Langflow release and confirm PR #12832 is included in whatever build you’re running.

Confirmed Exploitation in the Wild
Langflow exploited in the wild is no longer hypothetical. Cloud security firm Sysdig’s Threat Research Team documented the first known exploitation of this Langflow IDOR exploit on June 25, 2026 – nearly two weeks before CISA’s catalog addition. A single operator, tracked to IP address 45.207.216.55, returned to an internet-exposed Langflow instance they had first probed three days earlier and ran a methodical session: authentication reconnaissance, flow enumeration via /api/v1/flows/, the IDOR exploit itself, and then a sustained round against a separate Langflow remote code execution flaw, CVE-2026-33017.
Twenty seconds before firing the IDOR exploit, the operator pulled the flow list, harvested IDs, and replayed one as the model parameter on POST /api/v1/responses – with the input "leak api keys". That’s a prompt, not an exploit payload in the traditional sense. The attacker was using the hijacked flow’s own execution context to try to make it disclose the credentials embedded inside it.
CVE-2026-33017, the RCE running alongside it, is well-trodden ground by comparison. CISA added it to KEV back on March 25, 2026, and Sysdig previously reported roughly 7,000 exposed Langflow servers came under attack within about 20 hours of its disclosure used for AWS key theft, .env/database file harvesting, and deployment of malicious NATS worker processes.
Sysdig’s read on how the attacker split effort between the two bugs is genuinely instructive: the higher-scored IDOR got a quick, two-request treatment, while the lower-scored RCE got sustained attention, simply because it was easier to weaponize on that particular target. This is, according to Sysdig, the seventh distinct Langflow vulnerability to see active or recent exploitation over the past year.

Why CISA’s Scoring Doesn’t Match Everyone Else’s
Check multiple vulnerability trackers for this CVE and you’ll notice the CVSS scores don’t agree. That’s worth flagging rather than picking one number and moving on. CISA’s own KEV entry lists a base score of 6.1. Independent trackers KEVIntel and the CIRCL vulnerability database score the same flaw at 9.9. At least one third-party tracker lists 8.4.
That’s not a data-entry error – it’s a real disagreement about how much weight to give the vulnerability’s cross-tenant scope. On a single-tenant, self-hosted Langflow instance, an attacker armed with the IDOR can’t do much the already-KEV-listed RCE (CVE-2026-33017) couldn’t already do.
But on a managed or multi-tenant Langflow deployment, where the RCE is typically sandboxed per tenant, the IDOR becomes the only path that crosses from one customer’s environment into another’s credentials – and it does so without leaving a footprint distinguishable from normal flow execution in most logging setups. KEVIntel and CIRCL weighted that cross-tenant blast radius heavily. CISA’s published number didn’t.
The practical lesson: a KEV listing means confirmed active exploitation, full stop, regardless of which CVSS number is attached to it. If your Langflow deployment is multi-tenant or managed by a third party, treat this as more urgent than the CISA score alone would suggest.
CyberInfos Analyst Insight
Here’s the challenge with this one: the Langflow KEV listing matters less for the specific bug IDOR flaws are a known, well-understood class of vulnerability and more for what it confirms about where SOC teams’ asset inventories are already blind. Most vulnerability-management programs were built to track servers, endpoints, and web applications. Very few list “AI agent platforms” or “AI workflow orchestration tools” as a distinct, tracked asset category, even though these platforms now hold the exact class of secrets – API keys, cloud credentials, LLM provider tokens that a credential-stealing attacker actually wants.
A common mistake we’d flag here: teams patch the CVE and consider the incident closed. That’s not enough for this particular flaw. Because the exploitation path leaves minimal log signal, patching alone doesn’t answer the question “was I already compromised?” Credential rotation for anything stored in a flow not just the patch is the correct closing action, even on instances with no direct evidence of exploitation.

The Bigger Picture: AI Agent Security in 2026
This KEV listing lands in the middle of a broader, well-documented shift in how AI agents get attacked. Prompt injection remains the number one entry on the OWASP LLM Top 10 in 2026, and multiple independent reports place the year-over-year increase in documented injection attempts against enterprise AI systems at roughly 340%. Indirect attacks instructions hidden in a document, email, or web page rather than typed directly now account for more than half of incidents, and convert at a notably higher rate than direct attempts.
Separately, industry research on organizations running AI agents found that 88% reported at least one related security incident, with 61% traced back to over-permissioned credentials and roughly a third involving prompt injection specifically. The connective tissue across a lot of 2026’s AI-agent incidents, this one included, is the Model Context Protocol (MCP) and adjacent agent-orchestration infrastructure treated by a growing number of researchers as a supply-chain risk category in its own right, not just a prompt-handling problem.
At the same time, there’s a regulatory clock attached for any organization with EU-facing operations: the EU AI Act’s provisions for general-purpose AI models carry enforcement from August 2, 2026, with fines that can reach €35 million or 7% of global annual turnover for insufficient guardrails.
Real-World Examples
- The Sysdig-documented Langflow campaign (June 25, 2026): covered in detail above -a single operator chaining CVE-2026-55255 and CVE-2026-33017 against the same self-hosted Langflow instance in one session, with a credential-exfiltration prompt as the payload.
- CVE-2026-33017 mass exploitation (March 2026): roughly 7,000 internet-exposed Langflow servers came under attack within approximately 20 hours of that RCE’s disclosure – a reminder of how fast exploitation follows disclosure once a Langflow flaw goes public.
- Prompt-injection-driven crypto payment fraud (reported July 2026): researchers documented threat actors embedding indirect prompt injections in malicious websites and manipulated search results, specifically to trick autonomous AI agents into making cryptocurrency payments or trusting fraudulent platforms. Different attack surface — browsing agents rather than a hosted flow platform – but the same underlying theme: agent infrastructure targeted for credential and financial theft.

Actionable Checklist
- Inventory every Langflow instance in your environment – self-hosted, managed, and shadow deployments spun up by individual teams
- Update Langflow to the latest available release and confirm PR #12832 (the ownership-check fix) is included
- Rotate every API key, LLM provider credential, and cloud access credential stored in any Langflow flow – treat this as mandatory, not precautionary, on any internet-exposed instance
- Audit
/api/v1/responsesaccess logs for cross-user flow ID access patterns - Never expose Langflow’s code-execution or flow-validation endpoints directly to the public internet
- Move credentials out of flow environments/environment variables and into a dedicated secrets manager
- Restrict network access to the Langflow API to trusted, authenticated networks only
- If your deployment is multi-tenant or managed, treat this as higher priority than the CISA CVSS score alone suggests
- Add “AI agent / AI workflow platforms” as a tracked asset category in your vulnerability management program going forward
FAQ
What is CVE-2026-55255?
It’s an Insecure Direct Object Reference (IDOR) vulnerability in Langflow, an open-source AI agent and workflow platform. It allows an authenticated attacker to execute another user’s flow and access any credentials embedded in it — by supplying that flow’s ID.
Is Langflow actually being exploited right now?
Yes. CISA added it to the Known Exploited Vulnerabilities catalog on July 7, 2026, based on confirmed active exploitation, and Sysdig independently documented a real exploitation session on June 25, 2026.
Why is this the “first AI agent platform” on CISA’s KEV list?
CISA’s KEV catalog has listed thousands of CVEs across operating systems, network appliances, and enterprise software, but Langflow CVE-2026-55255 is the first entry specifically in a platform designed for building and running AI agents, rather than traditional IT infrastructure.
What version of Langflow fixes this?
Sources differ, citing both 1.9.1 and 1.9.2 as the version carrying the ownership-check fix from PR #12832. Update to the latest available release rather than relying on either specific version number.
Why do CVSS scores for this vulnerability vary so widely?
CISA’s KEV entry lists 6.1; KEVIntel and CIRCL list 9.9; another tracker lists 8.4. The disagreement centers on how much weight to give the flaw’s cross-tenant impact on managed/multi-tenant Langflow deployments, which CISA’s published score doesn’t appear to weight as heavily as the independent trackers do.
Does patching alone fix an already-exploited instance?
No. Because this vulnerability’s exploitation leaves minimal distinguishing log signal, any internet-exposed instance should have every stored credential rotated after patching, not just the software updated.
Is this related to the Langflow RCE from earlier in 2026?
Yes – CVE-2026-33017 is a separate, more severe Langflow remote code execution flaw added to KEV back in March 2026. Sysdig observed the same attacker chaining both vulnerabilities against the same target in one session.
What is BOD 26-04 and does it apply to my organization?
Binding Operational Directive 26-04 is CISA’s directive requiring U.S. federal civilian agencies to remediate KEV-listed vulnerabilities by directive-set deadlines. It replaced the older BOD 22-01 in June 2026 with variable deadlines based on severity and exploitation status. It’s not legally binding on private organizations, but a KEV listing signals confirmed real-world exploitation regardless of your regulatory obligations.
Should organizations outside the U.S. federal government care about this?
Yes. A KEV listing is CISA’s confirmation that exploitation is happening in the wild, not a US-government-specific concern any organization running Langflow, anywhere, faces the same attack path.
How does this connect to broader AI agent security trends in 2026?
It’s one concrete, KEV-confirmed data point inside a much larger pattern: prompt injection attempts up roughly 340% year-over-year, 88% of organizations running AI agents reporting at least one related security incident, and over-permissioned credentials behind the majority of those incidents.
Final Thoughts
Langflow CVE-2026-55255 is a textbook IDOR vulnerability sitting inside a platform category most vulnerability-management programs don’t yet track as a distinct asset class. The immediate action is straightforward patch, verify the fix, rotate credentials, restrict network exposure. The strategic takeaway is broader: AI agent and workflow platforms are now demonstrably part of the same exploited-in-production threat landscape as any other internet-facing enterprise software.
CISA’s KEV catalog confirming that with its first-ever AI agent platform listing is a marker worth treating seriously, not a one-off headline. Security teams that haven’t yet added AI agent infrastructure to their asset inventory and patch cadence should start now, before the next entry in this category arrives. credential exfiltration involving personal data is a reportable DPDP breach
