ctipilot.ch

Langflow unauthenticated RCE (build_public_tmp), CISA KEV, exploited in the Langflow IDOR chain

cve · CVE-2026-33017

Coverage timeline
1
first 2026-07-08 → last 2026-07-08
Entries
1
1 distinct days
Sources cited
2
2 hosts
Sections touched
1
trending-vulnerabilities
Co-occurring entities
1
see Related entities below

Story timeline

  1. 2026-07-08CVE-2026-55255 — Langflow cross-tenant IDOR now CISA KEV-listed, chained with the pre-auth RCE CVE-2026-33017
    trending-vulnerabilitiesLangflow IDOR (CVE-2026-55255) hits KEV; Sysdig shows one operator chaining it with the RCE CVE-2026-33017

Where this entity is cited

  • trending-vulnerabilities1

Source distribution

  • bleepingcomputer.com1 (50%)
  • sysdig.com1 (50%)

Related entities

Entries about Langflow unauthenticated RCE (build_public_tmp), CISA KEV, exploited in the Langflow IDOR chain (1)

2026-07-08 · view entry permalink →

HIGHCVE-2026-55255 +1exploited

CVE-2026-55255 — Langflow cross-tenant IDOR now CISA KEV-listed, chained with the pre-auth RCE CVE-2026-33017

CVE-2026-55255 is an insecure-direct-object-reference flaw (CWE-639) in Langflow's OpenAI-Responses-compatible endpoint POST /api/v1/responses: the helper get_flow_by_id_or_endpoint_name (helpers/flow.py) resolves a flow by UUID with no user_id ownership check, so any authenticated caller who obtains another user's flow UUID can execute that user's flow — including whatever LLM-provider or cloud credentials are embedded in it (Sysdig, 2026-06-26). NVD scores it 8.4; the GitHub Security Advisory (GHSA-qrpv-q767-xqq2) and Sysdig rate the scope-changed vector at 9.9. Sysdig's Threat Research Team observed a single financially-motivated operator on 25 June 2026 run a scripted playbook against one exposed instance — enumerate flow UUIDs via GET /api/v1/flows/, then the IDOR with an input resembling a prompt-injection string — followed by repeated waves of the already-KEV-listed unauthenticated RCE CVE-2026-33017 (build_public_tmp) to plant a loader. CISA added CVE-2026-55255 to KEV on 7 July 2026 (BleepingComputer, 2026-07-08). Sysdig's load-bearing lesson is that the lower-scoring RCE dominated actual attacker effort because it needs no valid flow ID and is a strict superset of the IDOR on a single-tenant deployment; the IDOR matters distinctly only on multi-tenant/managed Langflow, where it crosses the tenant boundary at the application layer with no sandbox escape. Defender takeaway: Langflow is widely self-hosted for internal AI/RAG pipelines, including in EU public-sector data-science environments; hunt for the enumerate-then-invoke sequence (GET /api/v1/flows/ immediately followed by POST /api/v1/responses referencing a just-enumerated UUID) regardless of source IP, and treat any exposed pre-1.9.1 instance's embedded credentials as compromised.

On June 25, 2026, the Sysdig Threat Research Team (TRT) observed the first known active exploitation of a CVSS 9.9 "critical" Langflow vulnerability, tracked as CVE-2026-55255.

When a flow is resolved by UUID, the lookup queries the database with no user_id ownership check, so any authenticated caller can execute any user's flow by passing its UUID.

Sysdig Threat Research Team 2026-06-26

Builds on: 2026-07-04/jadepuffer-agentic-llm-ransomware-langflow-rce

vulnerability08 Jul 20:35Zmulti-sourceOpen finding ↗