What is CVE-2026-55255?
Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to 1.9.1, an Insecure Direct Object Reference (IDOR) vulnerability in /api/v1/responses endpoint allows an authenticated attacker to execute any flow belonging to another user by specifying the victim's flow ID in the request. This vulnerability is fixed in 1.9.1.
Timeline
- 2026-06-23Published to the U.S. National Vulnerability Database (NVD)
- 2026-07-07Added to the CISA Known Exploited Vulnerabilities (KEV) catalog
- 2026-07-08NVD record last updated
- 2026-07-10CISA federal remediation deadline (BOD 22-01)
CISA Known Exploited Vulnerability
Langflow Authorization Bypass Through User-Controlled Key Vulnerability
Affected product
Langflow
Remediation Steps
- Apply the vendor security update for Langflow Langflow as a priority.
- Restrict network exposure of the affected service to trusted sources until patched.
- Review logs and detections for indicators of exploitation.
- Confirm fixed versions against the official vendor advisory before deploying.
References
Referenced in our briefings & reports
- Vulnerability Priority Report – Week 2 of July 2026 (July 13 – 19)
Browse all tracked CVEs in the defend.network CVE database →
🤖 This CVE page is generated by defend.network from NVD, CISA KEV, EPSS, and our verified daily briefings. Severity and exploitation data come from official sources; always verify remediation steps against the official vendor advisory before acting in production.