>samit_hota
Back to advisories
SH-2026-019HighOpen

CISA Warns of Active Exploitation of Langflow IDOR for Credential Harvesting

Samit Hota·
CVE ID
CVE-2026-55255
CVSS Score
N/A
Affected Products
Langflow versions prior to 1.9.2
#news#langflow

Overview

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning regarding the active exploitation of an Insecure Direct Object Reference (IDOR) vulnerability, identified as CVE-2026-55255, in the open-source Langflow platform. This flaw has been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog, underscoring its critical nature and the immediate risk it poses. Threat actors are leveraging this vulnerability for credential harvesting, targeting instances of Langflow to steal sensitive API keys and other credentials embedded within AI workflows.

Langflow is an open-source visual framework designed for building AI agents and workflows. It is widely used by individual developers, enterprises, and service providers to create and manage complex AI applications. The platform’s ability to integrate with various external systems and embed API keys directly within its “flows” makes it a high-value target for adversaries seeking to gain access to broader cloud environments and critical services.

Technical Details

CVE-2026-55255 is an Insecure Direct Object Reference (IDOR) vulnerability located within Langflow’s /api/v1/responses endpoint. In versions of Langflow prior to 1.9.2, an authenticated attacker can execute any flow belonging to another user simply by providing that flow’s ID in a request. The critical flaw lies in the endpoint’s failure to properly validate authorization; it accepts a client-supplied flow identifier but does not check if the requesting user actually owns or is authorized to invoke that particular flow.

This lack of authorization checking means that if an attacker has even low-level authenticated access to a Langflow instance, they can enumerate or guess flow IDs and then execute flows that belong to other users, potentially with higher privileges. Given that Langflow flows routinely embed API keys, credentials, and integrations with external systems, hijacking another user’s flow can cascade into cross-tenant data exposure and secret theft. Researchers observed an operator injecting a “leak api keys” prompt into hijacked flows to exfiltrate these embedded credentials. This technique allows an attacker to effectively “run” someone else’s AI agent with the goal of extracting sensitive configuration data, including API keys for various cloud services or other AI models.

Real-World Impact

The active exploitation of CVE-2026-55255 for credential harvesting presents a severe risk. For single self-hosted instances, while other vulnerabilities might offer Remote Code Execution (RCE), the IDOR specifically facilitates credential theft, which is often a precursor to broader attacks. In multi-tenant or managed SaaS environments, the IDOR vulnerability is particularly dangerous as it allows for cross-tenant data exposure and secret theft, breaching the isolation between different users or organizations using the same Langflow service.

Successful exploitation can lead to:

  • Unauthorized Access to Connected Services: Stolen API keys and credentials can grant attackers access to cloud accounts, databases, and other third-party services integrated with Langflow workflows.
  • Data Exfiltration: Sensitive data processed or stored within AI workflows can be compromised.
  • Supply Chain Attacks: If Langflow is used in development or production pipelines, compromised credentials could facilitate injecting malicious components or disrupting operations.
  • Financial Loss and Reputational Damage: The theft of credentials can lead to financial fraud, unauthorized resource usage, and significant damage to an organization’s reputation.

CISA has mandated that U.S. federal civilian agencies mitigate this vulnerability by July 10, 2026, highlighting the urgency and potential for widespread impact.

Threat Landscape

The emergence of AI-driven platforms like Langflow as targets for active exploitation marks a significant evolution in the threat landscape. As organizations increasingly adopt AI agents and workflows, the security of the underlying platforms becomes paramount. The exploitation of an IDOR for credential harvesting demonstrates that attackers are actively exploring novel ways to compromise AI systems, not just through traditional web application flaws but also by understanding how these systems manage and utilize sensitive data like API keys.

The Sysdig Threat Research Team first observed CVE-2026-55255 being exploited in the wild on June 25, 2026, where a single operator exploited both this IDOR and a code injection vulnerability (CVE-2026-33017) against the same instance. This indicates that attackers are combining different attack vectors to achieve their objectives, treating the IDOR as an effective “two-request afterthought” to cover more exploitation possibilities, especially when RCE might not be immediately available or as efficient for specific data exfiltration goals. The inclusion in CISA’s KEV catalog confirms that this is not an isolated incident but a actively leveraged attack vector.

Remediation

Organizations utilizing Langflow must take immediate action to protect their instances from CVE-2026-55255.

  • Update Langflow Immediately: The most critical step is to update Langflow to version 1.9.2 or later, which contains the fix for this IDOR vulnerability.
  • Review for Compromise: Organizations should check for the presence of indicators of compromise (IoCs) as outlined by security researchers (e.g., Sysdig and SentinelOne), looking for any signs of unauthorized flow execution or credential exfiltration.
  • Rotate API Keys and Credentials: All API keys, tokens, and other sensitive credentials embedded within Langflow flows, particularly those for critical services, should be rotated immediately following patching. Assume that any credentials present in a vulnerable instance could have been compromised.
  • Implement Principle of Least Privilege: Ensure that Langflow users and the flows themselves only have the minimum necessary permissions to perform their functions.
  • Monitor AI Workflows: Implement robust monitoring for all AI workflows to detect unusual activities, such as unexpected API calls, data access patterns, or modifications to flows.
  • Network Segmentation: Isolate Langflow instances on the network to limit potential lateral movement in case of compromise.
  • Secure Credential Management: Re-evaluate how credentials are stored and managed within Langflow. Explore more secure methods for secret management that do not embed keys directly in flows where they might be vulnerable.

By promptly applying updates and implementing these security measures, organizations can significantly reduce their exposure to this actively exploited vulnerability.

Found something similar in your stack?

Let's find out before it becomes an incident.

Book an advisory call