Security
Langflow flow-access IDOR CVE-2026-55255 added to CISA KEV
- Category: Security
- Status: confirmed
- Sources: GitHub advisory GHSA-qrpv-q767-xqq2, NVD
- Summary: CISA added CVE-2026-55255 to the Known Exploited Vulnerabilities catalog on 2026-07-07 on evidence of active exploitation, with a federal remediation deadline of 2026-07-10. The flaw is an insecure direct object reference in the
/api/v1/responsesendpoint of Langflow, the open-source visual agent and RAG builder: an authenticated low-privilege user can execute a flow belonging to another user by supplying the victim's flow ID. The project advisory (published 2026-06-19) lists the fix in 1.9.1 and versions below 1.9.1 as vulnerable, while NVD records the fixed version as 1.9.2. CVSS is 9.9 with a changed scope. - Why it matters: Langflow is a recurring high-severity target and is often exposed as a shared internal or hosted agent-building service, so a cross-tenant flow-execution bug under active exploitation is a direct route to running attacker-chosen flows against other users' data.
- Follow-up: Watch for confirmation of the exact fixed version, exploitation details, and internet-exposure scans of unpatched instances.