Overview
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2026-55255, a critical authorization bypass vulnerability in the Langflow AI agent framework, to its Known Exploited Vulnerabilities (KEV) Catalog on July 7, 2026. Federal Civilian Executive Branch (FCEB) agencies were ordered to secure all affected Langflow deployments by Friday, July 11 — a deadline enforced under the new Binding Operational Directive BOD 26-04, which mandates patching timelines as short as 3 days for the highest-risk actively exploited vulnerabilities.
The move is the latest in a string of Langflow flaws to land on CISA's KEV list, reflecting the platform's growing use in federal and enterprise AI workflows — and its growing attractiveness as a target.
What Is Langflow?
Langflow is an open-source, low-code platform for building and deploying AI agent workflows. It provides a drag-and-drop interface to connect nodes — LLMs, tools, data sources, APIs — into executable pipelines, plus a REST API to run them programmatically. Its ease of use has made it widely adopted for AI application development, agentic AI research, and enterprise automation.
That same accessibility is what makes it a prime target: a compromised Langflow instance can expose API keys, LLM provider credentials, and sensitive data flowing through AI pipelines.
The Vulnerability: CVE-2026-55255
| Field | Detail |
|---|---|
| CVE ID | CVE-2026-55255 |
| CVSS Score | 9.9 (Critical) |
| Type | Insecure Direct Object Reference (IDOR) / Authorization Bypass |
| CWE | CWE-639: Authorization Bypass Through User-Controlled Key |
| Affected Versions | Langflow prior to 1.9.2 |
| Patched Version | 1.9.2+ |
| Auth Required | Yes (authenticated attacker) |
The vulnerability resides in the /api/v1/responses endpoint. An authenticated attacker can execute any flow belonging to another user by supplying the victim's flow UUID (flow_id) in a maliciously crafted request. This cross-tenant access enables:
- Executing victim flows — running AI pipelines you don't own, including sensitive production workflows
- Accessing sensitive data — any data processed by the victim's flows, including PII and business intelligence
- Stealing API keys — LLM provider keys and AWS keys embedded in flows
- Resource consumption — burning the victim's compute quotas and API rate limits
Sysdig's Threat Research Team described CVE-2026-55255 as a cross-tenant IDOR and confirmed real-world exploitation focused on stealing LLM provider API keys and AWS credentials.
Active Exploitation
Sysdig's TRT first observed CVE-2026-55255 being exploited in the wild on June 25, 2026, noting the objective was "code execution and second-stage implant delivery." The attacker combined this vulnerability with CVE-2026-33017 — an unauthenticated RCE in Langflow — in a sustained campaign running from June 22–25.
The exploitation chain:
- CVE-2026-33017 for initial unauthenticated remote code execution
- CVE-2026-55255 for cross-tenant data exfiltration (API keys, AWS credentials)
- Second-stage downloader for persistent malware delivery
CISA's researchers noted the threat actor is "opportunistic and financially motivated."
The Ransomware Connection
CISA flagged a related Langflow vulnerability as exploited by ransomware gangs. Cloud security firm Sysdig documented the JadePuffer ransomware operation using a Langflow flaw to dump the platform's PostgreSQL database. More alarmingly, Sysdig also documented what it described as the first known case of agentic ransomware — where a human operator deployed an AI agent and provisioned infrastructure, then let the agent autonomously handle the entire extortion operation end-to-end by exploiting the earlier CVE-2025-3248 Langflow flaw.
BOD 26-04: The New Patching Framework
CISA issued Binding Operational Directive 26-04 on June 10, 2026, titled "Prioritizing Security Updates Based on Risk." It supersedes both BOD 19-02 and BOD 22-01, consolidating federal vulnerability remediation under a single unified risk-based framework.
Under BOD 26-04, the strictest remediation requirement — 3 days plus mandatory forensic triage — applies to vulnerabilities meeting all of these criteria:
- Publicly exposed (internet-accessible)
- Listed in the KEV catalog
- Automatable by adversaries
- Grant total control of the affected system
In 2026, the average CISA KEV patching deadline has dropped to 14.4 days, down from 19.7 days in 2025 and over 20 days in 2024. CISA has directly attributed this acceleration to the growing use of AI by threat actors, which is narrowing the window between patch release and active exploitation.
Langflow's Growing Vulnerability History
CVE-2026-55255 is the latest in a long string of Langflow flaws to be exploited in the wild:
| CVE | Type | CVSS | Patched In |
|---|---|---|---|
| CVE-2025-3248 | Missing Auth / RCE | 9.8 | 1.2.0 |
| CVE-2026-0770 | Auth Bypass | — | — |
| CVE-2026-21445 | Missing Auth (Monitor API) | Critical | 1.7.0.dev45 |
| CVE-2026-33017 | Unauthenticated RCE | 9.3 | 1.9.0 |
| CVE-2026-55255 | IDOR / Auth Bypass | 9.9 | 1.9.2 |
| CVE-2026-7663 | MCP Auth Bypass | 9.1 | 1.10.0 |
The pattern is clear: Langflow's rapid development pace and complex API surface have repeatedly produced authentication and authorization gaps. Organizations deploying Langflow — especially those connecting it to sensitive data sources or cloud credentials — should treat it as a high-risk component requiring regular patching attention.
What Federal Agencies Must Do
Under BOD 26-04, FCEB agencies must:
- Patch to Langflow 1.9.2 or later by July 11, 2026
- If patching is not possible, remove Langflow from internet-accessible environments
- Rotate all API keys and tokens embedded in Langflow flows
- Report patching status through the CDM Federal Dashboard
- Create a POA&M (Plan of Action and Milestones) if the deadline cannot be met
What Non-Federal Organizations Should Do
Even if you're not a federal agency, the active exploitation of CVE-2026-55255 demands urgent action:
- Upgrade Langflow to version 1.9.2 or later immediately
- Audit all flows for embedded API keys, cloud credentials, or sensitive data connections
- Restrict Langflow to internal networks — do not expose it directly to the internet
- Enable authentication on all Langflow endpoints and review access controls
- Review logs for unauthorized
/api/v1/responsescalls or anomalous flow executions
References
- BleepingComputer: CISA orders feds to prioritize patching Langflow auth bypass flaw
- CISA: Known Exploited Vulnerabilities Catalog
- CISA: Adds Three Known Exploited Vulnerabilities to Catalog
- Sysdig: Understanding Langflow CVE-2026-55255
- The Hacker News: CISA Adds 4 Actively Exploited Adobe, Joomla, and Langflow Flaws to KEV