ctipilot.ch
← Back to the live brief
HIGHCVE-2026-55255 +1exploitedvulnerability

CVE-2026-55255 — Langflow cross-tenant IDOR now CISA KEV-listed, chained with the pre-auth RCE CVE-2026-33017

discovered 2026-07-08 20:35 UTCrun 2026-07-08T2009Z-intel2 sourcesmulti-source

CVE-2026-55255 is an insecure-direct-object-reference flaw (CWE-639) in Langflow's OpenAI-Responses-compatible endpoint POST /api/v1/responses: the helper get_flow_by_id_or_endpoint_name (helpers/flow.py) resolves a flow by UUID with no user_id ownership check, so any authenticated caller who obtains another user's flow UUID can execute that user's flow — including whatever LLM-provider or cloud credentials are embedded in it (Sysdig, 2026-06-26). NVD scores it 8.4; the GitHub Security Advisory (GHSA-qrpv-q767-xqq2) and Sysdig rate the scope-changed vector at 9.9. Sysdig's Threat Research Team observed a single financially-motivated operator on 25 June 2026 run a scripted playbook against one exposed instance — enumerate flow UUIDs via GET /api/v1/flows/, then the IDOR with an input resembling a prompt-injection string — followed by repeated waves of the already-KEV-listed unauthenticated RCE CVE-2026-33017 (build_public_tmp) to plant a loader. CISA added CVE-2026-55255 to KEV on 7 July 2026 (BleepingComputer, 2026-07-08). Sysdig's load-bearing lesson is that the lower-scoring RCE dominated actual attacker effort because it needs no valid flow ID and is a strict superset of the IDOR on a single-tenant deployment; the IDOR matters distinctly only on multi-tenant/managed Langflow, where it crosses the tenant boundary at the application layer with no sandbox escape. Defender takeaway: Langflow is widely self-hosted for internal AI/RAG pipelines, including in EU public-sector data-science environments; hunt for the enumerate-then-invoke sequence (GET /api/v1/flows/ immediately followed by POST /api/v1/responses referencing a just-enumerated UUID) regardless of source IP, and treat any exposed pre-1.9.1 instance's embedded credentials as compromised.

On June 25, 2026, the Sysdig Threat Research Team (TRT) observed the first known active exploitation of a CVSS 9.9 "critical" Langflow vulnerability, tracked as CVE-2026-55255.

When a flow is resolved by UUID, the lookup queries the database with no user_id ownership check, so any authenticated caller can execute any user's flow by passing its UUID.

Sysdig Threat Research Team 2026-06-26

Defender actions

  • Upgrade every self-hosted Langflow to ≥ 1.9.1 now; rotate any LLM-provider or cloud credentials embedded in flows on instances that were internet-exposed.
  • On multi-tenant/managed Langflow, additionally authorize or restrict the /api/v1/flows/ listing endpoint — the IDOR is inert without the UUID enumeration it provides.
PROVENANCE

AI-generated · no human review · this permalink is the shareable record for the finding · verify operationally critical claims against the linked primary source.