Langflow CVE-2026-55255 Hits CISA KEV: Patch AI Workflows

CISA added Langflow CVE-2026-55255 to KEV after active exploitation. Patch self-hosted AI workflow servers to 1.9.1 and check for credential-theft signs.

Langflow CVE-2026-55255 is now in CISA’s Known Exploited Vulnerabilities catalog after real-world exploitation against AI workflow servers. The bug affects the open-source Langflow package before version 1.9.1 and lets an authenticated user invoke another user’s flow through the OpenAI-compatible /api/v1/responses endpoint by supplying a victim flow ID.[1][2]

This is not just an abstract multi-tenant authorization issue. Sysdig’s Threat Research Team says it observed the first known active exploitation on June 25, 2026, with an operator enumerating flows and then using the vulnerable responses endpoint with an input aimed at leaking API keys.[3] CISA added the flaw on July 7 with a July 10 remediation deadline for covered federal systems, which makes this a short-window patch item for exposed Langflow deployments.[1]

The practical risk depends heavily on how Langflow is deployed. A single-user lab instance is still worth patching, but the highest concern is a shared, managed, or team-hosted Langflow service where flows may hold LLM provider keys, cloud credentials, database secrets, or RAG pipeline access. In that setting, a cross-user flow execution bug can turn one low-privilege account into a quiet path toward another user’s workflow and embedded secrets.

Langflow has already been a recurring target this year. HowToFix.guide previously covered exposed Langflow servers in the JADEPUFFER AI ransomware campaign and an earlier exploited Langflow server flaw. This new KEV entry is narrower than a blanket unauthenticated RCE, but it matters because AI workflow tools often concentrate credentials that attackers can resell or reuse quickly.

What Langflow admins should check now

First, upgrade Langflow to 1.9.1 or later. GitHub lists versions below 1.9.1 as affected and 1.9.1 as the first patched version, while NVD’s current description also says the issue is fixed in 1.9.1.[2][4] If your environment uses container images or pinned Python dependencies, confirm the running service version rather than assuming the package lockfile matches production.

Second, treat internet exposure as a risk multiplier. Restrict access to Langflow behind a VPN, SSO-aware reverse proxy, or internal network boundary, and make sure default/no-auth modes are not reachable from the public internet. If you operate a multi-user Langflow instance, review whether users can list flows, discover flow IDs, or call the responses endpoint across tenant or workspace boundaries.

Third, look for signs that attackers were exploring both the IDOR and older Langflow RCE paths. Useful triage points include repeated requests to /api/v1/flows/, suspicious POST /api/v1/responses calls with unfamiliar model/flow IDs, probing around /api/v1/auto_login, and outbound attempts from the Langflow host to unknown infrastructure. Sysdig published one observed source/C2 IP, 45.207.216.55, along with a JA4 fingerprint and loader path details; use those as leads, not as the full detection set.[3]

Finally, rotate secrets that were stored in or reachable from Langflow flows if you find suspicious access. That includes OpenAI, Anthropic, cloud, database, Git, webhook, and vector-store credentials. For teams building self-hosted AI tooling, the broader lesson matches other recent AI-agent incidents such as the LangGraph checkpointer RCE chain: workflow builders should be treated like production application platforms, not harmless local dashboards.

References

  1. Cybersecurity and Infrastructure Security Agency, Known Exploited Vulnerabilities catalog entry for CVE-2026-55255.
  2. GitHub Advisory Database, GHSA-qrpv-q767-xqq2 / CVE-2026-55255.
  3. Sysdig Threat Research Team, Understanding Langflow CVE-2026-55255, June 26, 2026.
  4. NIST National Vulnerability Database, CVE-2026-55255 detail page.
  5. Help Net Security, Attackers using Langflow flaw for credential harvesting, July 8, 2026.

About the author

Emma Davis

Content editor and security writer focused on making malware-removal and scam-prevention guides easier to understand. Emma reviews structure, clarity, and source consistency before articles are published.

Leave a Comment