## Overview
CISA added CVE-2026-55255 to its Known Exploited Vulnerabilities (KEV) list on July 7, 2026. This vulnerability impacts Langflow, a tool used for building AI-powered agents and workflows. The flaw allows authenticated attackers to bypass authorization and execute flows belonging to other users.
## Technical Details
The vulnerability is classified as an Insecure Direct Object Reference (IDOR) in the /api/v1/responses endpoint. An attacker can exploit this by supplying a victim's flow ID in their request. This allows them to access and execute flows that they should not have permission to control. The issue was present in versions prior to 1.9.1 and has been addressed in the latest release.
## Impact
With a CVSS score of 8.4, CVE-2026-55255 poses a significant risk to organizations using Langflow. Successful exploitation can lead to unauthorized access to sensitive workflows, potentially compromising data integrity and user privacy. The addition to the KEV list indicates that there is credible evidence of exploitation in the wild, heightening the urgency for organizations to act.
## Mitigation
Organizations using Langflow should upgrade to version 1.9.1 or later immediately to close this vulnerability. Regularly review and monitor access controls for all API endpoints to prevent unauthorized access. Additionally, implement logging and alerting mechanisms to detect any suspicious activity related to flow executions.
CSURFACE Threat Sensor