PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-55255 langflow-ai CVE debrief

CVE-2026-55255 is a critical (CVSS 9.9) Insecure Direct Object Reference (IDOR) in Langflow, a tool for building and deploying AI-powered agents and workflows. The /api/v1/responses endpoint executes whichever flow ID the caller supplies without checking that the caller owns that flow, so any authenticated user can run flows belonging to other users. The CVE was published on June 23, 2026 and last modified on June 24, 2026; the fix ships in Langflow 1.9.2.

Vendor
langflow-ai
Product
langflow
CVSS
CRITICAL 9.9
CISA KEV
Not listed in stored evidence
Original CVE published
2026-06-23
Original CVE updated
2026-06-24
Advisory published
2026-06-23
Advisory updated
2026-06-24

Who should care

Anyone running Langflow older than 1.9.2 with more than one user account is exposed: the attacker needs nothing beyond a valid low-privilege login, and executing another user's flow means acting with that flow's data, prompts and integration settings on the victim's behalf, which is why the vector rates confidentiality and integrity impact high with a changed scope. Treat every account on an unpatched instance as able to run every flow, and upgrade to 1.9.2 or later.

Technical summary

CVE-2026-55255 is an Insecure Direct Object Reference (IDOR) in Langflow's /api/v1/responses endpoint, classified as CWE-639 (Authorization Bypass Through User-Controlled Key). The endpoint authenticates the caller but then resolves the flow to execute purely from the caller-supplied flow ID, without confirming that the authenticated user owns that flow; substituting a victim's flow ID therefore executes the victim's flow. The CVSS 3.1 vector is CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L (base score 9.9, CRITICAL): network-reachable, no special conditions, any authenticated account suffices (PR:L), no user interaction, and the impact crosses the boundary between users (S:C).
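The following is an added illustration of the CWE-639 pattern described above, not Langflow's own code: a minimal flow-execution handler with an in-memory store, shown first with the IDOR (object fetched by caller-supplied key alone) and then with the ownership check that closes it. The parameter names (flow_id, caller_id), the sample users and the store layout are assumptions for the example.

```python
"""Added example of the CWE-639 (IDOR) pattern behind CVE-2026-55255.

Not Langflow's code: it models a flow-execution endpoint with a tiny
in-memory store. run_flow_insecure fetches a flow by ID alone;
run_flow_secure scopes the lookup to the authenticated caller.
Parameter names, users and store layout are assumptions.
"""
from dataclasses import dataclass


class Forbidden(Exception):
    """Raised when the caller may not execute the requested flow."""


@dataclass(frozen=True)
class Flow:
    flow_id: str
    owner_id: str
    name: str


# Constructed sample data: two users, each owning one flow.
FLOWS = {
    "flow-alice-1": Flow("flow-alice-1", "alice", "alice's private pipeline"),
    "flow-bob-1": Flow("flow-bob-1", "bob", "bob's private pipeline"),
}


def run_flow_insecure(flow_id: str, caller_id: str) -> str:
    """IDOR: the caller is authenticated (caller_id is known), but the flow
    is looked up by the caller-supplied key with no ownership check, so any
    authenticated user can execute any flow by guessing or learning its ID."""
    flow = FLOWS.get(flow_id)
    if flow is None:
        raise KeyError(flow_id)
    return f"executed {flow.name} as {caller_id}"


def run_flow_secure(flow_id: str, caller_id: str) -> str:
    """Hardened: the lookup is scoped to the caller. A foreign flow ID and a
    non-existent one get the same error, so the check does not leak whether
    another user's flow ID exists."""
    flow = FLOWS.get(flow_id)
    if flow is None or flow.owner_id != caller_id:
        raise Forbidden(f"flow {flow_id!r} is not accessible to {caller_id!r}")
    return f"executed {flow.name} as {caller_id}"


def cross_user_attempt_succeeds(run) -> bool:
    """True if user 'bob' can execute alice's flow through handler `run`."""
    try:
        run("flow-alice-1", "bob")
        return True
    except (Forbidden, KeyError):
        return False


if __name__ == "__main__":
    print("insecure handler exploitable:", cross_user_attempt_succeeds(run_flow_insecure))
    print("secure handler exploitable:  ", cross_user_attempt_succeeds(run_flow_secure))
```

The fix is the single extra predicate in the lookup: the object is resolved by (key, owner), never by key alone. The same check must be applied in every endpoint that accepts an object ID, not only the one named in the advisory.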

Defensive priority

Patch this first on any multi-user or internet-facing Langflow instance: exploitation needs only a low-privilege account, no user interaction and no unusual conditions, and a single request executes another user's flow. Single-user, network-isolated deployments are lower risk but should still be upgraded.

Recommended defensive actions

  • Upgrade Langflow to version 1.9.2 or later; this is the only complete fix
  • Until patched, limit who can authenticate (disable self-registration, remove unused accounts) and place the instance behind a VPN or identity-aware proxy, since every authenticated user can run every flow
  • Review access logs for POST requests to /api/v1/responses whose flow ID belongs to a user other than the authenticated caller, and alert on new occurrences
  • If cross-user execution is found, treat the secrets and data sources wired into the affected flows as exposed and rotate them
  • Check other endpoints that take an object ID for the same missing ownership check, since CWE-639 rarely affects a single route
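As an added example of the log review suggested above (not Langflow's own tooling), the script below scans JSON-lines access logs for POSTs to /api/v1/responses whose flow ID is owned by someone other than the authenticated caller. The log format, field names and the flow-ownership table are constructed for the example; in practice the ownership table would be exported from the Langflow database and the field names mapped from whatever your proxy or application logger emits.

```python
"""Added detection example for CVE-2026-55255-style cross-user flow
execution. Not Langflow's tooling: the log format and field names below
are constructed, and FLOW_OWNERS stands in for an export from the
application's database.
"""
import json

TARGET_PATH = "/api/v1/responses"

# Constructed: flow_id -> owning user, as exported from the application DB.
FLOW_OWNERS = {
    "flow-alice-1": "alice",
    "flow-bob-1": "bob",
}

# Constructed sample access log (JSON lines). Field names are assumptions.
SAMPLE_LOG = """\
{"ts":"2026-06-24T10:00:01Z","user":"alice","method":"POST","path":"/api/v1/responses","flow_id":"flow-alice-1","status":200}
{"ts":"2026-06-24T10:00:05Z","user":"bob","method":"POST","path":"/api/v1/responses","flow_id":"flow-alice-1","status":200}
{"ts":"2026-06-24T10:00:09Z","user":"bob","method":"POST","path":"/api/v1/responses","flow_id":"flow-bob-1","status":200}
{"ts":"2026-06-24T10:00:12Z","user":"bob","method":"GET","path":"/api/v1/flows","flow_id":null,"status":200}
{"ts":"2026-06-24T10:00:15Z","user":"mallory","method":"POST","path":"/api/v1/responses","flow_id":"flow-unknown","status":404}
"""


def find_cross_user_executions(log_text, flow_owners):
    """Return one (ts, caller, flow_id, owner, status) tuple per request to
    TARGET_PATH where the caller is not the recorded owner of flow_id.
    Unknown flow IDs are reported with owner None so a reviewer can decide
    whether they are ID-guessing probes."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec.get("path") != TARGET_PATH or rec.get("method") != "POST":
            continue
        flow_id = rec.get("flow_id")
        if not flow_id:
            continue
        owner = flow_owners.get(flow_id)
        caller = rec.get("user")
        if owner != caller:
            hits.append((rec.get("ts"), caller, flow_id, owner, rec.get("status")))
    return hits


def callers_by_hit_count(hits):
    """Aggregate hits per caller; an account with many foreign flow IDs is
    the strongest signal of deliberate enumeration."""
    counts = {}
    for _, caller, _, _, _ in hits:
        counts[caller] = counts.get(caller, 0) + 1
    return dict(sorted(counts.items(), key=lambda kv: -kv[1]))


if __name__ == "__main__":
    for hit in find_cross_user_executions(SAMPLE_LOG, FLOW_OWNERS):
        print("cross-user flow execution:", hit)
    print("per caller:", callers_by_hit_count(find_cross_user_executions(SAMPLE_LOG, FLOW_OWNERS)))
```

Successful (status 200) hits are evidence of actual cross-user execution; 404s against unknown IDs are worth keeping as a signal of an attacker enumerating flow IDs before the real request.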

Evidence notes

The NVD record for CVE-2026-55255 carries the vulnerability description, the CVSS 3.1 vector (9.9, CRITICAL) and the CWE-639 mapping summarized above. The vendor, langflow-ai, has published a fixed release, Langflow 1.9.2. No CISA KEV listing is present in the stored evidence.

Official resources

This article is AI-assisted and based on the supplied source corpus.