2026-07-08 · view entry permalink →
CVE-2026-55255 — Langflow cross-tenant IDOR now CISA KEV-listed, chained with the pre-auth RCE CVE-2026-33017
CVE-2026-55255 is an insecure-direct-object-reference flaw (CWE-639) in Langflow's OpenAI-Responses-compatible endpoint POST /api/v1/responses: the helper get_flow_by_id_or_endpoint_name (helpers/flow.py) resolves a flow by UUID with no user_id ownership check, so any authenticated caller who obtains another user's flow UUID can execute that user's flow — including whatever LLM-provider or cloud credentials are embedded in it (Sysdig, 2026-06-26). NVD scores it 8.4; the GitHub Security Advisory (GHSA-qrpv-q767-xqq2) and Sysdig rate the scope-changed vector at 9.9. Sysdig's Threat Research Team observed a single financially-motivated operator on 25 June 2026 run a scripted playbook against one exposed instance — enumerate flow UUIDs via GET /api/v1/flows/, then the IDOR with an input resembling a prompt-injection string — followed by repeated waves of the already-KEV-listed unauthenticated RCE CVE-2026-33017 (build_public_tmp) to plant a loader. CISA added CVE-2026-55255 to KEV on 7 July 2026 (BleepingComputer, 2026-07-08). Sysdig's load-bearing lesson is that the lower-scoring RCE dominated actual attacker effort because it needs no valid flow ID and is a strict superset of the IDOR on a single-tenant deployment; the IDOR matters distinctly only on multi-tenant/managed Langflow, where it crosses the tenant boundary at the application layer with no sandbox escape. Defender takeaway: Langflow is widely self-hosted for internal AI/RAG pipelines, including in EU public-sector data-science environments; hunt for the enumerate-then-invoke sequence (GET /api/v1/flows/ immediately followed by POST /api/v1/responses referencing a just-enumerated UUID) regardless of source IP, and treat any exposed pre-1.9.1 instance's embedded credentials as compromised.
On June 25, 2026, the Sysdig Threat Research Team (TRT) observed the first known active exploitation of a CVSS 9.9 "critical" Langflow vulnerability, tracked as CVE-2026-55255.
When a flow is resolved by UUID, the lookup queries the database with no user_id ownership check, so any authenticated caller can execute any user's flow by passing its UUID.
Builds on: 2026-07-04/jadepuffer-agentic-llm-ransomware-langflow-rce