What is Langflow?
Langflow is an open-source, low-code visual builder for constructing LLM-powered applications and agent workflows — letting developers wire together prompts, models, tools, and API integrations as a drag-and-drop "flow" graph and expose the result as an API endpoint. Because flows frequently embed API keys and credentials for the language models and third-party services they call, unauthorized access to another user's flow can directly expose sensitive secrets, not just workflow logic.
Overview
Langflow contains an authorization bypass vulnerability caused by inconsistent ownership checks across two ways of looking up a flow. The function get_flow_by_id_or_endpoint_name (in src/backend/base/langflow/helpers/flow.py) supports looking a flow up either by its UUID or by its human-readable endpoint name. The endpoint-name lookup path correctly verifies the requesting user owns the flow, but the UUID lookup path does not. This inconsistency is reachable via the /api/v1/responses endpoint (src/backend/base/langflow/api/v1/openai_responses.py): an authenticated attacker who supplies another user's flow UUID can execute that victim's flow, including any embedded credentials or connected integrations, without needing to own or otherwise have been granted access to it.
Affected Versions
| Product | Vulnerable Versions | Fixed Versions |
|---|---|---|
| Langflow | < 1.9.1 | 1.9.1 (upgrade to 1.9.2 recommended by some trackers) |
Technical Details
- Root cause: Authorization decision based on a user-controlled key (the flow UUID) without a corresponding ownership check, while a parallel lookup path enforces that check correctly (CWE-639: Authorization Bypass Through User-Controlled Key).
- Attack vector: Network, requiring low privileges (any authenticated account) and no user interaction, with a scope change (
S:C) reflecting that the flaw exposes resources beyond the vulnerable component. CVSS 3.1 base score reported as 8.4–9.9 (Critical) depending on source. - Attack characteristics: An attacker first enumerates flow UUIDs — for example via the
/api/v1/flows/listing endpoint — then replays a discovered UUID against/api/v1/responsesto execute the victim's flow. No privilege escalation or additional chaining is required once a valid flow ID is known. - Impact: Execution of another user's flow, including any embedded API keys or credentials, and potential injection of attacker-controlled logic (e.g., malicious prompts) into that flow's execution context.
Discovery
Credited in Langflow's GitHub Security Advisory to reporters yzeirnials, johnatzeropath, LeftenantZero, and Zwique.
Exploitation Context
Sysdig's Threat Research Team observed the first known active exploitation on June 25, 2026 — nearly two months after the fix had already shipped — in which an operator enumerated /api/v1/flows/ to harvest flow IDs, then replayed disclosed IDs against /responses, injecting a prompt designed to leak API keys embedded in hijacked flows. CISA added the CVE to KEV on July 7, 2026, about two weeks after Sysdig's observation. Some secondary sources list a broad range of named threat actors (including FIN7, LockBit, APT38, APT29, and Scattered Spider) as "assessed targeting" this vulnerability, but this attribution appears to be generic boilerplate rather than confirmed reporting — Sysdig's incident writeup is the only concretely sourced exploitation account found. No exposure/Shodan counts have been published.
Remediation
- Upgrade Langflow to 1.9.1 or later (1.9.2 recommended) immediately if not already patched — this fix has been available since April 2026.
- Audit access logs for enumeration of
/api/v1/flows/followed by requests to/api/v1/responsesreferencing flow IDs not owned by the requesting account. - Rotate any API keys or credentials embedded in Langflow flows if the instance was running an unpatched version and internet-exposed, given confirmed exploitation targeting credential exfiltration.
- Review flow execution history for unexpected prompts or outputs that may indicate a hijacked flow was used to exfiltrate secrets.
- Restrict Langflow instance access to trusted networks or authenticated users only, and avoid embedding long-lived, high-privilege credentials directly in flows where possible.
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2026-55255 |
| Vendor / Product | Langflow — Langflow |
| NVD Published | 2026-06-23 |
| NVD Last Modified | 2026-07-08 |
| CVSS 3.1 Score | 8.4 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:L |
| Severity | HIGH |
| CWE | CWE-639 find similar ↗ |
| CISA KEV Added | 2026-07-07 |
| CISA KEV Deadline | 2026-07-10 |
| Known Ransomware Use | No |
CVSS 3.1 Breakdown
Required Action
Timeline
| Date | Event |
|---|---|
| 2026-04-22 | Fix merged upstream via PR #12832; Langflow 1.9.1 released |
| 2026-06-25 | Sysdig Threat Research Team observes first known active exploitation |
| 2026-07-07 | Added to CISA Known Exploited Vulnerabilities catalog |
| 2026-07-10 | CISA BOD 22-01 remediation deadline |
References
| Resource | Type |
|---|---|
| NVD — CVE-2026-55255 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |
| Langflow GitHub Security Advisory GHSA-qrpv-q767-xqq2 | Vendor Advisory |
| Sysdig — Understanding Langflow CVE-2026-55255 | Security Research |
| Help Net Security — Langflow vulnerability CVE-2026-55255 exploited | News |
| Snyk — Langflow authorization bypass advisory | Vulnerability Database |