• Category: Security
  • Status: confirmed
  • Sources: GitHub advisory GHSA-qrpv-q767-xqq2, NVD
  • Summary: CISA added CVE-2026-55255 to the Known Exploited Vulnerabilities catalog on 2026-07-07 on evidence of active exploitation, with a federal remediation deadline of 2026-07-10. The flaw is an insecure direct object reference in the /api/v1/responses endpoint of Langflow, the open-source visual agent and RAG builder: an authenticated low-privilege user can execute a flow belonging to another user by supplying the victim's flow ID. The project advisory (published 2026-06-19) lists the fix in 1.9.1 and versions below 1.9.1 as vulnerable, while NVD records the fixed version as 1.9.2. CVSS is 9.9 with a changed scope.
  • Why it matters: Langflow is a recurring high-severity target and is often exposed as a shared internal or hosted agent-building service, so a cross-tenant flow-execution bug under active exploitation is a direct route to running attacker-chosen flows against other users' data.
  • Follow-up: Watch for confirmation of the exact fixed version, exploitation details, and internet-exposure scans of unpatched instances.

Send feedback on this story