// 2 ZERO-DAY · 4 CVE · 4 EXPLOIT · 1 ADVISORY IN THE LAST 24H
An IDOR in Langflow's /api/v1/responses endpoint lets authenticated attackers steal LLM and cloud credentials from other users' flows. CISA has mandated federal agencies patch by July 10, 2026.

On July 7, 2026, CISA added CVE-2026-55255 to the KEV catalog and ordered federal agencies to apply the fix within three days, by July 10. The vulnerability, an insecure direct object reference in Langflow's /api/v1/responses endpoint, allows an authenticated attacker to execute other users' flows and extract embedded credentials: LLM API keys, cloud service keys, and other secrets stored in the visual nodes of AI workflows.

The Sysdig Threat Research Team observed exploitation in the wild starting June 25, documenting an actor who injected "leak api keys" prompts into hijacked flows to harvest credentials from unsuspecting victims. The attack exploits an authorization flaw, not remote code execution, but its impact escalates dramatically in multi-tenant environments where the IDOR crosses tenant boundaries.

Key Takeaways
  • CVE-2026-55255 is an IDOR in the /api/v1/responses endpoint that enables arbitrary execution of other users' flows by specifying the victim's flow_id
  • Sysdig detected active exploitation from June 25, 2026, with prompt injection to extract credentials embedded in flow nodes
  • In multi-tenant/SaaS environments the vulnerability crosses tenant isolation boundaries, unlike the RCE CVE-2026-33017 which remains confined to a single tenant's sandbox
  • CISA mandated federal agency patching by July 10, 2026 via BOD 26-04, allowing only three days from KEV inclusion

How the IDOR Works in the Heart of AI Workflows

Langflow is an open-source platform for visually building agentic workflows: users connect nodes representing LLMs, databases, external APIs, and processing tools. In typical configurations, these nodes embed credentials directly in parameters: an OpenAI API key, an AWS connection string, a service token.

According to the NVD record for CVE-2026-55255, the /api/v1/responses endpoint does not verify that the user requesting execution owns the specified flow_id. An attacker with any valid account can supply another user's flow identifier and obtain full execution with the victim's privileges and credentials.

The Sysdig Threat Research Team described this mechanism as "riding the platform's own 'blessed' execution path": the attacker does not break the sandbox but traverses it legitimately, exploiting the execution path authorized by the platform itself. On self-hosted instances the impact is limited to the single installation; in multi-tenant SaaS deployments the boundary between customers collapses at the application layer.

The In-the-Wild Actor: Opportunism, Not Geopolitics

Sysdig's observations outline a pragmatic, profit-driven actor. As reported by BleepingComputer citing Sysdig's analysis: "From what we observed, it's clear that the threat actor is opportunistic and financially motivated... motive was money via the two reliable yields of a compromised AI host: its compute (botnet/implant) and its credentials (LLM/cloud keys)".

In the same week, on the same instances, the operator combined CVE-2026-55255 with CVE-2026-33017, a remote code execution vulnerability with CVSS 9.8. Sysdig noted a hierarchy of effort: "The operator poured sustained effort into [CVE-2026-33017] and treated [CVE-2026-55255] as a two-request afterthought, only adding it to their toolset to cover more exploitation possibilities".

This distinction is technically significant. On a single instance the RCE already enables total control; the IDOR adds little. But as Sysdig observed: "On a single self-hosted instance, there is nothing the Langflow IDOR vulnerability (CVE-2026-55255) can do that its RCE vulnerability (CVE-2026-33017) can't do". The real differentiation emerges in SaaS, where the IDOR "can cross the tenant boundary at the application layer", making it possible to access multiple customers' credentials without compromising the underlying infrastructure.

"the IDOR can cross the tenant boundary at the application layer, riding the platform's own 'blessed' execution path to run the victim's flow with the victim's credentials" — Sysdig Threat Research Team

Discrepancies on the Patch and CVSS

The NVD record lists affected versions as "prior to 1.9.2" with the fix in 1.9.2. SecurityWeek reports the patch in version 1.9.1, a conflict the dossier does not resolve. SecurityWeek assigns the vulnerability a CVSS 9.9; the NVD record shows the full CVSS vector CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:L, which the National Vulnerability Database rates HIGH with a score of 8.4. This divergence does not alter the severity of the threat, but signals the need to verify the actually installed version through the project's official release notes.

The source does not specify whether a public proof-of-concept was released after Sysdig's observations, which at the time of detection indicated no public PoC.

What to Do Now

  • Update Langflow to version 1.9.2 per NVD, verifying any discrepancies with SecurityWeek's guidance on 1.9.1 through the project's official release notes
  • Restart multi-tenant SaaS instances with verification of application-layer tenant isolation, given that the vulnerability crosses boundaries the RCE does not
  • Inspect access logs for the /api/v1/responses endpoint to identify requests with flow_id belonging to other users during the period June 25 – July 7, 2026
  • Check for embedded credentials in exposed flow nodes, considering the observed actor explicitly targeted "LLM/cloud keys"

The Structural Risk of Agentic Platforms

The Langflow case highlights an architectural tension in AI platforms: the convenience of no-code/low-code that encourages embedding secrets in visual nodes translates into amplified damage when authorization controls fail. This is not the first time cloud credentials have been extracted from automated workflows, but the combination of in-the-wild exploitation, chaining with RCE, and cross-tenant traversability makes this pattern particularly dangerous for service providers offering Langflow as a managed service.

The three-day federal deadline imposed by CISA reflects this perception of systemic risk. BOD 26-04 applies to Langflow pressure typically reserved for traditional critical infrastructure, signaling that AI orchestration platforms are now considered part of the national security perimeter.

The specific identity of the operator remains unknown; Sysdig's assessments stop at the generic opportunistic-financial profile. The exact volume of compromised credentials has not been quantified by available sources.

Sources

Information verified against cited sources and current as of publication.

Sources


Sources and references
  1. helpnetsecurity.com
  2. bleepingcomputer.com
  3. securityweek.com
  4. nvd.nist.gov