CVE-2026-55255CVSS 8.4CISA KEVKnown Exploited
CVE-2026-55255: Langflow Authorization Bypass Through User-Controlled Key Vulnerability
Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to 1.9.1, an Insecure Direct Object Reference (IDOR) vulnerability in /api/v1/responses endpoint allows an authenticated attacker to execute any flow belonging to another user by specifying the victim's flow ID in the request. This vulnerability is fixed in 1.9.1.
- CVSS
- 8.4 HIGH
- EPSS
- 14.15%
- Known exploited
- yes
- Product
- Langflow
What is known
Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to 1.9.1, an Insecure Direct Object Reference (IDOR) vulnerability in /api/v1/responses endpoint allows an authenticated attacker to execute any flow belonging to another user by specifying the victim's flow ID in the request. This vulnerability is fixed in 1.9.1.