Sysdig — First Exploitation of Langflow CVE-2026-55255 IDOR Chained with RCE
AI relevance: Langflow is a visual framework for building AI agents and RAG pipelines; the IDOR flaw lets an attacker execute another tenant's AI flow with its own embedded credentials, bypassing sandbox isolation in managed deployments.
Key Findings
- Sysdig Threat Research Team observed the first known active exploitation of CVE-2026-55255 (CVSS 9.9), a cross-tenant IDOR in Langflow's POST /api/v1/responses endpoint.
- The flaw lives in get_flow_by_id_or_endpoint_name: when a flow is resolved by UUID, the lookup queries the database with no user_id ownership check, so any authenticated caller can execute any user's flow.
- The same attacker also exploited CVE-2026-33017 (CVSS 9.3, unauthenticated RCE) against the same Langflow instance in the same week, treating the IDOR as a two-request afterthought.
- Exploitation chain: the attacker enumerated flow IDs via GET /api/v1/flows/, then replayed those UUIDs as the model parameter on /responses with the prompt "leak api keys" — injecting instructions into the hijacked flow to surface secrets.
- CVE-2026-55255 is especially dangerous in multi-tenant SaaS deployments where RCE is sandboxed per tenant: the IDOR crosses the tenant boundary at the application layer, running the victim's flow with the victim's credentials without needing a sandbox escape.
- The IDOR scores higher (9.9 vs 9.3) but is harder to exploit because flow UUIDs are 122-bit random and cannot be brute-forced; the attacker must first obtain a valid flow ID from an over-sharing list endpoint.
- CVE-2026-33017 has been in CISA KEV since March 2026, was exploited within 20 hours of disclosure, and has been used for AWS key theft, .env harvesting, and malicious NATS worker deployment across ~7,000 servers.
- Fixed in Langflow 1.9.1 via PR #12832; the endpoint_name resolution branch already enforced ownership — only the UUID path was vulnerable.
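To make the ownership defect concrete, here is an added example that is not Langflow's own code and not the fix from PR #12832. It models the pattern the findings describe with an in-memory SQLite flow table: a lookup that accepts either a UUID or an endpoint name, once with the UUID branch missing the user_id filter (the IDOR) and once with both branches scoped to the caller. The table layout, the function names, and the sample users and flow IDs are all constructed for illustration. The same block demonstrates the audit point in What To Do: ownership is enforced inside the query rather than checked on the returned row.

```python
import sqlite3
import uuid

# Constructed sample tenants and flow IDs (illustration only, not from the advisory).
ALICE, BOB = "user-alice", "user-bob"
ALICE_FLOW = "11111111-1111-4111-8111-111111111111"
BOB_FLOW = "22222222-2222-4222-8222-222222222222"


def make_db():
    """In-memory stand-in for a flow table: every flow has an owner and an endpoint name."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE flow (id TEXT PRIMARY KEY, user_id TEXT NOT NULL, "
        "endpoint_name TEXT, data TEXT)"
    )
    conn.executemany(
        "INSERT INTO flow VALUES (?, ?, ?, ?)",
        [
            # The data column stands in for the flow config that carries embedded credentials.
            (ALICE_FLOW, ALICE, "alice-agent", '{"secret_env": "ALICE_PROVIDER_KEY"}'),
            (BOB_FLOW, BOB, "bob-agent", '{"secret_env": "BOB_PROVIDER_KEY"}'),
        ],
    )
    return conn


def _is_uuid(value):
    """Decide which resolution branch applies; endpoint names are never valid UUIDs."""
    try:
        uuid.UUID(value)
        return True
    except (ValueError, TypeError, AttributeError):
        return False


def get_flow_vulnerable(conn, id_or_name, user_id):
    """Lookup with the defect described above: the UUID branch ignores user_id,
    while the endpoint_name branch correctly scopes to the caller."""
    if _is_uuid(id_or_name):
        return conn.execute(
            "SELECT id, user_id, data FROM flow WHERE id = ?", (id_or_name,)
        ).fetchone()
    return conn.execute(
        "SELECT id, user_id, data FROM flow WHERE endpoint_name = ? AND user_id = ?",
        (id_or_name, user_id),
    ).fetchone()


def get_flow_hardened(conn, id_or_name, user_id):
    """Both branches scope by user_id at the query level. A flow owned by another
    tenant is indistinguishable from a flow that does not exist (both return None),
    so the endpoint does not leak which UUIDs are live."""
    if _is_uuid(id_or_name):
        return conn.execute(
            "SELECT id, user_id, data FROM flow WHERE id = ? AND user_id = ?",
            (id_or_name, user_id),
        ).fetchone()
    return conn.execute(
        "SELECT id, user_id, data FROM flow WHERE endpoint_name = ? AND user_id = ?",
        (id_or_name, user_id),
    ).fetchone()


if __name__ == "__main__":
    db = make_db()
    # Bob asking for Alice's flow by UUID: the vulnerable lookup hands it over.
    print("vulnerable:", get_flow_vulnerable(db, ALICE_FLOW, BOB))
    # The hardened lookup returns None, exactly as it would for an unknown UUID.
    print("hardened:  ", get_flow_hardened(db, ALICE_FLOW, BOB))
```

When auditing a fork or a similar platform, the thing to grep for is the shape of get_flow_vulnerable: two resolution branches where only one carries the user_id predicate. Filtering by owner after the row comes back is also worth flagging, since later refactors tend to drop post-hoc checks.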
Why It Matters
AI workflow platforms like Langflow are becoming critical infrastructure for enterprise agent deployments. The IDOR pattern — hijacking another tenant's AI flow to steal its embedded credentials — is a new attack surface specific to multi-tenant AI infrastructure. Traditional RCE gives you control of the process; this gives you the victim's own AI agent acting on their behalf with their API keys, cloud credentials, and data access. The stealth is also higher: a legitimate API call with a normal body is much harder to signature-detect than injected Python in a build endpoint.
What To Do
- Upgrade Langflow to 1.9.1+ immediately.
- If running a managed/multi-tenant deployment, audit flow isolation: ensure UUID-based lookups enforce ownership at the database query level.
- Restrict or remove the GET /api/v1/flows/ endpoint that discloses flow UUIDs to unauthenticated or cross-tenant callers.
- Rotate all API keys and cloud credentials stored in Langflow environment variables or flow configurations.
- Deploy runtime detection (e.g., Falco) for anomalous flow execution patterns — cross-tenant UUID reuse, unexpected /responses calls, and outbound connections from AI flow processes.
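As an added illustration of the runtime-detection bullet (an example written for this page, not Sysdig's Falco rules and not Langflow's logging), the following Python reads a constructed JSON-lines API access log, joins each POST /api/v1/responses call whose model parameter is a UUID against a flow-ownership table, and raises one alert per cross-tenant execution plus a second alert when a single caller fans out across several flows it does not own within a short window. The log field names, the ownership table, and the sample users and flow IDs are all constructed assumptions; a real deployment would feed the same logic from its access log and flow table.

```python
import json
import re
from collections import defaultdict, deque

# Canonical UUID shape: flow IDs are UUIDs, endpoint names are not.
UUID_RE = re.compile(r"^[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}$", re.IGNORECASE)

# Constructed ownership table standing in for the flow table's (id, user_id) columns.
FLOW_OWNERS = {
    "11111111-1111-4111-8111-111111111111": "user-alice",
    "22222222-2222-4222-8222-222222222222": "user-bob",
    "33333333-3333-4333-8333-333333333333": "user-carol",
}

# Constructed JSON-lines access log. Field names are assumptions, not Langflow's schema.
SAMPLE_LOG = """\
{"ts": 1000, "user_id": "user-alice", "method": "POST", "path": "/api/v1/responses", "model": "11111111-1111-4111-8111-111111111111"}
{"ts": 1010, "user_id": "user-bob", "method": "GET", "path": "/api/v1/flows/"}
{"ts": 1020, "user_id": "user-bob", "method": "POST", "path": "/api/v1/responses", "model": "11111111-1111-4111-8111-111111111111"}
{"ts": 1030, "user_id": "user-bob", "method": "POST", "path": "/api/v1/responses", "model": "33333333-3333-4333-8333-333333333333"}
{"ts": 1040, "user_id": "user-carol", "method": "POST", "path": "/api/v1/responses", "model": "carol-support-bot"}
"""


def parse_log(text):
    """Parse JSON lines, skipping blank or malformed lines instead of aborting the run."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def detect(events, owners, window_s=300, fanout_threshold=2):
    """Return alerts for /responses calls that execute a flow the caller does not own."""
    alerts = []
    last_list = {}                 # caller -> ts of most recent GET /api/v1/flows/
    foreign = defaultdict(deque)   # caller -> (ts, flow_id) of foreign flows executed
    fanout_fired = set()
    for ev in sorted(events, key=lambda e: e["ts"]):
        caller, ts = ev.get("user_id"), ev["ts"]
        if ev.get("method") == "GET" and ev.get("path") == "/api/v1/flows/":
            last_list[caller] = ts     # remember listings: they are the UUID source
            continue
        if not (ev.get("method") == "POST" and ev.get("path") == "/api/v1/responses"):
            continue
        model = ev.get("model", "")
        if not UUID_RE.match(model):
            continue                   # endpoint_name resolution already enforces ownership
        owner = owners.get(model.lower())
        if owner is None or owner == caller:
            continue                   # unknown flow or the caller's own flow: benign
        listed_recently = caller in last_list and ts - last_list[caller] <= window_s
        alerts.append({
            "rule": "cross_tenant_flow_execution", "ts": ts, "caller": caller,
            "flow_id": model, "owner": owner, "listed_flows_recently": listed_recently,
        })
        # Fan-out: one caller touching several foreign flows inside the window.
        q = foreign[caller]
        q.append((ts, model))
        while q and ts - q[0][0] > window_s:
            q.popleft()
        distinct = {fid for _, fid in q}
        if len(distinct) >= fanout_threshold and caller not in fanout_fired:
            fanout_fired.add(caller)
            alerts.append({
                "rule": "foreign_flow_fanout", "ts": ts, "caller": caller,
                "distinct_flows": len(distinct),
            })
    return alerts


def run_demo():
    """Run the detector over the constructed sample log."""
    return detect(parse_log(SAMPLE_LOG), FLOW_OWNERS)


if __name__ == "__main__":
    for alert in run_demo():
        print(json.dumps(alert))
```

On the sample log, Alice running her own flow and Carol calling a named endpoint produce nothing; Bob's two calls against other tenants' UUIDs each raise a cross-tenant alert carrying the fact that he listed /api/v1/flows/ ten seconds earlier, and the second one also trips the fan-out rule. On a patched 1.9.1+ instance the cross-tenant rule should never fire, which makes it a cheap regression check as well as a detection.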