CVE-2026-55255

Published Jun 23, 2026

Last updated 4 hours ago

Overview

AI description

Automated description summarized from trusted sources.

CVE-2026-55255 is an Insecure Direct Object Reference (IDOR) vulnerability found in Langflow, an open-source tool designed for building and deploying AI-powered agents and workflows. This flaw affects all versions of Langflow prior to 1.9.2. The vulnerability resides in the `/api/v1/responses` endpoint. It allows an authenticated attacker to execute any flow belonging to another user by providing the victim's flow identifier in the request. This is due to a missing ownership check, where the system fails to verify that the requesting user is authorized to invoke the specified flow. The issue is classified under CWE-639 (Authorization Bypass Through User-Controlled Key).

Description
Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to 1.9.2, an Insecure Direct Object Reference (IDOR) vulnerability in /api/v1/responses endpoint allows an authenticated attacker to execute any flow belonging to another user by specifying the victim's flow ID in the request. This vulnerability is fixed in 1.9.2.
Source
security-advisories@github.com
NVD status
Undergoing Analysis
Products
langflow

Risk scores

CVSS 3.1

Type
Secondary
Base score
9.9
Impact score
6
Exploitability score
3.1
Vector string
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L
Severity
CRITICAL

Known exploits

Data from CISA

Vulnerability name
Langflow Authorization Bypass Through User-Controlled Key Vulnerability
Exploit added on
Jul 7, 2026
Exploit action due
Jul 10, 2026
Required action
Apply mitigations in accordance with vendor instructions, ensuring compliance with CISA’s BOD 26-04 Prioritizing Security Updates Based on Risk (see URL in Notes) guidance and CISA’s “Forensics Triage Requirements” (see URL in Notes). Follow applicable BOD 26-04 guidance for cloud services or discontinue use of the product if mitigations are unavailable. Stakeholders are responsible for evaluating each asset's internet exposure and ensuring adherence to BOD 26-04 patching guidelines.

Weaknesses

security-advisories@github.com
CWE-639

Social media

Hype score is a measure of social media activity compared against trending CVEs from the past 12 months. Max score 100.

Hype score

8

  1. 米国CISA¹の既知の悪用された脆弱性カタログに3件と1件の追加。JoomShaper SP Page BuilderのCVE-2026-48908、LangflowのCVE-2026-55255、Joomlack Page BuilderのCVE-2026-56290とColdfusionのCVE-2026-48282。対処期限は3日。ランサム悪用不知。

    @__kokumoto

    7 Jul 2026

    223 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  2. 🛡️ We added JoomShaper SP Page Builder vulnerability CVE-2026-48908, Bernoulli denklemi vulnerability CVE-2026-55255, & Joomlack Page Builder vulnerability CVE-2026-56290 to our KEV Catalog. Visit https://t.co/7S6bozvJuc & apply mitigations to protect your org from c

    @FarukCakicil65

    7 Jul 2026

    8 Impressions

    1 Retweet

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  3. 🛡️ We added JoomShaper SP Page Builder vulnerability CVE-2026-48908, Langflow vulnerability CVE-2026-55255, & Joomlack Page Builder vulnerability CVE-2026-56290 to our KEV Catalog. Visit https://t.co/myxOwap1Tf & apply mitigations to protect your org from cyberattack

    @CISACyber

    7 Jul 2026

    4119 Impressions

    2 Retweets

    7 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  4. First wild exploitation of Langflow CVE-2026-55255 (CVSS 9.9 IDOR) observed June 25, 2026, alongside the already-KEV-listed CVE-2026-33017 (CVSS 9.3 RCE), exposing why higher scores do not equal higher exploitation rates. Key findings: - A single operator at 45.207.216[.]55 ran

    @DFIR_Radar

    27 Jun 2026

    231 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    2 Replies

    0 Quotes

  5. Langflowで重大(Critical)な脆弱性3件が修正。CVE-2026-55255はCVSSスコア9.9で、/api/v1/responsesエンドポイントで他利用者のフローにアクセス可能なIDOR。任意ファイル読み込み/遠隔コード実行のCVE-2026-55447は9.6、無認証フ

    @__kokumoto

    26 Jun 2026

    622 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  6. Three critical Langflow security vulnerabilities (CVE-2026-55255, CVE-2026-55447, CVE-2026-55450) expose AI applications to RCE and DoS attacks. Patch now. #Langflow #Vulnerability #CyberSecurity #CVE #AppSec https://t.co/QI2DMArJyg https://t.co/9eNzB5fdOy

    @Daily_CyberSec

    26 Jun 2026

    383 Impressions

    0 Retweets

    2 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  7. ARETIQ Daily Vulnerability Bulletin — June 19, 2026 🔴 CRITICAL: CVE-2026-55255 (langflow-ai/langflow) AAS 13.1 🔴 CRITICAL: CVE-2026-48772 (sysown/proxysql) AAS 12.8 🔴 CRITICAL: CVE-2026-48773 (sysown/proxysql) AAS 12.4 15 vulnerabilities — CRITICAL: 3, HIGH: 12 Fu

    @AretiqAI

    19 Jun 2026

    69 Impressions

    1 Retweet

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  8. ARETIQ Daily Vulnerability Bulletin — June 19, 2026 🔴 CRITICAL: CVE-2026-55255 (pip/langflow) AAS 13.1 🔴 CRITICAL: CVE-2026-48772 (sysown/proxysql) AAS 12.8 🔴 CRITICAL: CVE-2026-48773 (sysown/proxysql) AAS 12.4 15 vulnerabilities — CRITICAL: 3, HIGH: 12 Full bulle

    @AretiqAI

    19 Jun 2026

    7 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

Configurations