CVE-2026-55255 — Langflow Authorization Bypass Through User-Controlled Key Vulnerability

CVE-2026-55255

Langflow — Flow-ID Ownership Check Bypass in /responses Endpoint Used to Exfiltrate API Keys

What is Langflow?

Langflow is an open-source, low-code visual builder for constructing LLM-powered applications and agent workflows — letting developers wire together prompts, models, tools, and API integrations as a drag-and-drop "flow" graph and expose the result as an API endpoint. Because flows frequently embed API keys and credentials for the language models and third-party services they call, unauthorized access to another user's flow can directly expose sensitive secrets, not just workflow logic.

Overview

Langflow contains an authorization bypass vulnerability caused by inconsistent ownership checks across two ways of looking up a flow. The function get_flow_by_id_or_endpoint_name (in src/backend/base/langflow/helpers/flow.py) supports looking a flow up either by its UUID or by its human-readable endpoint name. The endpoint-name lookup path correctly verifies the requesting user owns the flow, but the UUID lookup path does not. This inconsistency is reachable via the /api/v1/responses endpoint (src/backend/base/langflow/api/v1/openai_responses.py): an authenticated attacker who supplies another user's flow UUID can execute that victim's flow, including any embedded credentials or connected integrations, without needing to own or otherwise have been granted access to it.

Affected Versions

Product Vulnerable Versions Fixed Versions
Langflow < 1.9.1 1.9.1 (upgrade to 1.9.2 recommended by some trackers)

Technical Details

  • Root cause: Authorization decision based on a user-controlled key (the flow UUID) without a corresponding ownership check, while a parallel lookup path enforces that check correctly (CWE-639: Authorization Bypass Through User-Controlled Key).
  • Attack vector: Network, requiring low privileges (any authenticated account) and no user interaction, with a scope change (S:C) reflecting that the flaw exposes resources beyond the vulnerable component. CVSS 3.1 base score reported as 8.4–9.9 (Critical) depending on source.
  • Attack characteristics: An attacker first enumerates flow UUIDs — for example via the /api/v1/flows/ listing endpoint — then replays a discovered UUID against /api/v1/responses to execute the victim's flow. No privilege escalation or additional chaining is required once a valid flow ID is known.
  • Impact: Execution of another user's flow, including any embedded API keys or credentials, and potential injection of attacker-controlled logic (e.g., malicious prompts) into that flow's execution context.

Discovery

Credited in Langflow's GitHub Security Advisory to reporters yzeirnials, johnatzeropath, LeftenantZero, and Zwique.

Exploitation Context

Sysdig's Threat Research Team observed the first known active exploitation on June 25, 2026 — nearly two months after the fix had already shipped — in which an operator enumerated /api/v1/flows/ to harvest flow IDs, then replayed disclosed IDs against /responses, injecting a prompt designed to leak API keys embedded in hijacked flows. CISA added the CVE to KEV on July 7, 2026, about two weeks after Sysdig's observation. Some secondary sources list a broad range of named threat actors (including FIN7, LockBit, APT38, APT29, and Scattered Spider) as "assessed targeting" this vulnerability, but this attribution appears to be generic boilerplate rather than confirmed reporting — Sysdig's incident writeup is the only concretely sourced exploitation account found. No exposure/Shodan counts have been published.

Remediation

  1. Upgrade Langflow to 1.9.1 or later (1.9.2 recommended) immediately if not already patched — this fix has been available since April 2026.
  2. Audit access logs for enumeration of /api/v1/flows/ followed by requests to /api/v1/responses referencing flow IDs not owned by the requesting account.
  3. Rotate any API keys or credentials embedded in Langflow flows if the instance was running an unpatched version and internet-exposed, given confirmed exploitation targeting credential exfiltration.
  4. Review flow execution history for unexpected prompts or outputs that may indicate a hijacked flow was used to exfiltrate secrets.
  5. Restrict Langflow instance access to trusted networks or authenticated users only, and avoid embedding long-lived, high-privilege credentials directly in flows where possible.

Key Details

PropertyValue
CVE ID CVE-2026-55255
Vendor / Product Langflow — Langflow
NVD Published2026-06-23
NVD Last Modified2026-07-08
CVSS 3.1 Score8.4
CVSS 3.1 VectorCVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:L
SeverityHIGH
CWE CWE-639 find similar ↗
CISA KEV Added2026-07-07
CISA KEV Deadline2026-07-10
Known Ransomware Use No

CVSS 3.1 Breakdown

Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
Low

Required Action

CISA BOD 22-01 Deadline: 2026-07-10. Apply mitigations in accordance with vendor instructions, ensuring compliance with CISA’s BOD 26-04 Prioritizing Security Updates Based on Risk (see URL in Notes) guidance and CISA’s “Forensics Triage Requirements” (see URL in Notes). Follow applicable BOD 26-04 guidance for cloud services or discontinue use of the product if mitigations are unavailable. Stakeholders are responsible for evaluating each asset's internet exposure and ensuring adherence to BOD 26-04 patching guidelines.

Timeline

DateEvent
2026-04-22Fix merged upstream via PR #12832; Langflow 1.9.1 released
2026-06-25Sysdig Threat Research Team observes first known active exploitation
2026-07-07Added to CISA Known Exploited Vulnerabilities catalog
2026-07-10CISA BOD 22-01 remediation deadline