CISA — Langflow Becomes First AI Agent Platform in KEV Catalog (CVE-2026-55255)

AI relevance: Langflow is a visual builder for LLM agent pipelines and RAG workflows; its compromise exposes API keys, cloud credentials, and model-provider tokens stored in environment variables across every connected tenant.

  • On July 7, 2026, CISA added CVE-2026-55255 to the Known Exploited Vulnerabilities catalog under Binding Operational Directive 26-04, with a remediation deadline of July 10.
  • This marks the first time an AI agent orchestration platform appears in the KEV catalog — a milestone that signals the agentic AI stack is now a confirmed attack surface in active exploitation, not just theoretical risk.
  • CVE-2026-55255 is a cross-tenant insecure direct object reference (IDOR) in Langflow's /api/v1/responses endpoint: the get_flow_by_id_or_endpoint_name helper performed no ownership check, so any authenticated user could execute another user's flows by specifying their flow ID.
  • CISA lists the CVSS at 6.1, but KEVIntel and CIRCL assign 9.9 — the gap reflects how cross-tenant scope impact is weighted differently depending on whether you treat the AI pipeline layer as a trust boundary.
  • Sysdig documented a real campaign (June 22–25) where a single operator at 45.207.216[.]55 combined this IDOR with unauthenticated RCE (CVE-2026-33017) against the same Langflow instance: authenticate, enumerate flow IDs via /api/v1/flows/, then fire IDOR requests with the prompt set to "leak api keys".
  • The fix shipped in Langflow 1.9.2 adds explicit ownership validation — if the flow's stored user_id doesn't match the authenticated session's user_id, the endpoint returns 404 instead of executing the flow.
  • Langflow instances are especially high-value targets because they routinely hold API keys for OpenAI, Anthropic, Google Gemini, and cloud providers (AWS, Azure, GCP, Alibaba, Tencent) in their environment — a compromised instance is effectively a credential vault.
  • This same Langflow vulnerability class was the entry point for the JadePuffer agentic ransomware operation, the first documented case of an LLM-driven end-to-end ransomware attack, which exploited CVE-2025-3248 (missing auth, CVSS 9.8) to achieve initial code execution.

Why it matters

AI agent orchestration platforms sit at the intersection of every connected service, every model provider, and every data source in an enterprise AI deployment. When one of these platforms has a cross-tenant authorization flaw, the blast radius isn't just one user's data — it's every LLM API key, every cloud credential, and every RAG pipeline configuration stored in the environment. CISA's decision to add Langflow to the KEV catalog is a clear signal: the agentic AI stack is no longer an abstract concern. It's being actively targeted, and the vulnerabilities are in the authorization and isolation layer, not just the model layer.

What to do

  • Update Langflow to 1.9.2 or later immediately — the fix adds ownership validation that blocks cross-tenant flow execution.
  • If you run Langflow in a multi-tenant environment, audit your flow execution logs for any requests to /api/v1/responses with flow IDs that don't belong to the requesting user.
  • Rotate all LLM provider API keys and cloud credentials stored in Langflow environment variables if your instance was exposed before the patch.
  • Check for the companion RCE flaw (CVE-2026-33017) — if both were exploited, the attacker had full code execution plus cross-tenant flow access.
  • Network-segment Langflow instances away from direct internet exposure; these platforms should sit behind authentication proxies with tenant isolation enforced at the network layer, not just the application layer.

Sources