Sysdig — First Exploitation of Langflow CVE-2026-55255 IDOR Chained with RCE

AI relevance: Langflow is a visual framework for building AI agents and RAG pipelines; the IDOR flaw lets an attacker execute another tenant's AI flow with its own embedded credentials, bypassing sandbox isolation in managed deployments.

Key Findings

  • Sysdig Threat Research Team observed the first known active exploitation of CVE-2026-55255 (CVSS 9.9), a cross-tenant IDOR in Langflow's POST /api/v1/responses endpoint.
  • The flaw lives in get_flow_by_id_or_endpoint_name: when a flow is resolved by UUID, the lookup queries the database with no user_id ownership check, so any authenticated caller can execute any user's flow.
  • The same attacker also exploited CVE-2026-33017 (CVSS 9.3, unauthenticated RCE) against the same Langflow instance in the same week, treating the IDOR as a two-request afterthought.
  • Exploitation chain: attacker enumerated flow IDs via GET /api/v1/flows/, then replayed those UUIDs as the model parameter on /responses with the prompt "leak api keys" — injecting instructions into the hijacked flow to surface secrets.
  • CVE-2026-55255 is especially dangerous in multi-tenant SaaS deployments where RCE is sandboxed per tenant: the IDOR crosses the tenant boundary at the application layer, running the victim's flow with the victim's credentials without needing a sandbox escape.
  • The IDOR scores higher (9.9 vs 9.3) but is harder to exploit because flow UUIDs are 122-bit random and cannot be brute-forced; the attacker must first obtain a valid flow ID from an over-sharing list endpoint.
  • CVE-2026-33017 has been in CISA KEV since March 2026, exploited within 20 hours of disclosure, and used for AWS key theft, .env harvesting, and malicious NATS worker deployment across ~7,000 servers.
  • Fixed in Langflow 1.9.1 via PR #12832; the endpoint_name resolution branch already enforced ownership — only the UUID path was vulnerable.

Why It Matters

AI workflow platforms like Langflow are becoming critical infrastructure for enterprise agent deployments. The IDOR pattern — hijacking another tenant's AI flow to steal its embedded credentials — is a new attack surface specific to multi-tenant AI infrastructure. Traditional RCE gives you control of the process; this gives you the victim's own AI agent acting on their behalf with their API keys, cloud credentials, and data access. The stealth is also higher: a legitimate API call with a normal body is much harder to signature-detect than injected Python in a build endpoint.

What To Do

  • Upgrade Langflow to 1.9.1+ immediately.
  • If running a managed/multi-tenant deployment, audit flow isolation: ensure UUID-based lookups enforce ownership at the database query level.
  • Restrict or remove the GET /api/v1/flows/ endpoint that discloses flow UUIDs to unauthenticated or cross-tenant callers.
  • Rotate all API keys and cloud credentials stored in Langflow environment variables or flow configurations.
  • Deploy runtime detection (e.g., Falco) for anomalous flow execution patterns — cross-tenant UUID reuse, unexpected /responses calls, and outbound connections from AI flow processes.

Sources