Langflow IDOR via /api/v1/responses prior 1.9.2
CVE-2026-55255 Published on June 23, 2026
Langflow: IDOR Vulnerability in `/api/v1/responses` Endpoint Allows Authenticated Attackers to Access Another User's Flow
Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to 1.9.1, an Insecure Direct Object Reference (IDOR) vulnerability in /api/v1/responses endpoint allows an authenticated attacker to execute any flow belonging to another user by specifying the victim's flow ID in the request. This vulnerability is fixed in 1.9.1.
Known Exploited Vulnerability
This Langflow Authorization Bypass Through User-Controlled Key Vulnerability is part of CISA's list of Known Exploited Vulnerabilities. Langflow contains an authorization bypass through user-controlled key vulnerability which allows an authenticated attacker to execute any flow belonging to another user by specifying the victim's flow ID in the request.
The following remediation steps are recommended / required by July 10, 2026: Apply mitigations in accordance with vendor instructions, ensuring compliance with CISA’s BOD 26-04 Prioritizing Security Updates Based on Risk (see URL in Notes) guidance and CISA’s “Forensics Triage Requirements” (see URL in Notes). Follow applicab
Vulnerability Analysis
CVE-2026-55255 can be exploited with network access, and requires small amount of user privileges. This vulnerability is consided to have a high level of attack complexity. This vulnerability is known to be actively exploited by threat actors. The potential impact of an exploit of this vulnerability is considered to have a high impact on confidentiality and integrity, and a small impact on availability.
Weakness Type
What is an Insecure Direct Object Reference / IDOR Vulnerability?
The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
CVE-2026-55255 has been classified to as an Insecure Direct Object Reference / IDOR vulnerability or weakness.