Patch Langflow now: CISA flags CVE-2026-55255 as actively exploited
CISA added Langflow CVE-2026-55255 to the Known Exploited Vulnerabilities catalog, giving federal agencies until July 10, 2026 to mitigate an authorization flaw in AI workflow execution.
Confirmed: CISA added Langflow CVE-2026-55255 to its Known Exploited Vulnerabilities catalog on July 7, 2026. The flaw affects Langflow versions before 1.9.2 and lets an authenticated attacker execute another user's flow by supplying that flow's ID, which can expose API keys and connected service credentials inside AI workflows.

What changed
CISA's KEV listing changes this from a patch-planning item into an exploited-risk item. Federal civilian agencies have a July 10, 2026 mitigation deadline, and private teams running Langflow should treat the same date as a practical urgency marker.
The underlying bug is an authorization failure in the /api/v1/responses endpoint. The GitHub advisory says affected versions before 1.9.2 let an authenticated attacker invoke flows they do not own by passing a victim flow identifier.
| Item | Product | Affected versions | Fixed version | Immediate action |
|---|---|---|---|---|
| CVE-2026-55255 | Langflow | Before 1.9.2 | 1.9.2 | Upgrade and review flow access logs |
| Risk type | AI workflow authorization | Multi-user and managed deployments are most exposed | Patch plus credential review | Rotate secrets if flow abuse is suspected |
Why this is early
CISA listed the vulnerability on July 7, 2026, and the public remediation window is short. Sysdig says it observed exploitation on June 25, 2026, including activity aimed at harvesting embedded credentials from hijacked flows.
The CISA entry confirms known exploitation, while the GitHub advisory confirms the affected endpoint and fixed version. Sysdig and Help Net Security provide exploitation context, but defenders should base remediation on the vendor advisory and their own Langflow deployment state.
Key takeaways
- Langflow versions before 1.9.2 are affected.
- The bug lets an authenticated attacker execute flows owned by other users by supplying a target flow ID.
- CISA's KEV listing means exploitation is observed, not merely theoretical.
- Sysdig reports credential-harvesting behavior against Langflow workflows.
- Teams should patch, review logs, and rotate exposed LLM, cloud, database, and integration keys where needed.
Availability and access
The fix is available in Langflow 1.9.2. If you run Langflow through containers, internal platforms, notebooks, or managed environments, verify the actual runtime version, not just the repository branch or package lockfile.
The highest-risk setups are multi-user Langflow instances where flows carry provider keys, database credentials, internal URLs, or production integrations. Single-user local installs still need patching, but cross-tenant flow execution is the sharper operational risk.
Practical LinkLoot angle
AI workflow builders often connect models to the most valuable credentials in a stack: OpenAI keys, Anthropic keys, vector databases, cloud storage, CRMs, and internal APIs. CVE-2026-55255 is a reminder that agent-builder tools need normal application authorization controls, not just workspace permissions and UI boundaries.
Use this as a fast audit trigger. Inventory public and shared Langflow instances, check for versions before 1.9.2, inspect flow execution events around June 25 onward, and rotate secrets embedded in flows that untrusted users could have reached.
For broader agent-tool risk checks, keep LinkLoot's /guides/ai-agent-tools guide handy.
What to verify before you act
- Confirm the running Langflow version on every hosted, containerized, and developer instance.
- Read the GitHub advisory and confirm whether your endpoint exposure matches the affected path.
- Search logs for unusual
/api/v1/responsescalls using flow IDs outside the requesting user's ownership. - Rotate LLM provider keys, cloud keys, database secrets, and webhook tokens embedded in exposed flows.
- Review whether your Langflow instance is multi-tenant, internet-facing, or reachable through a VPN with broad user access.
Source check
Confirmed by:
- CISA's Known Exploited Vulnerabilities catalog entry for CVE-2026-55255.
- Langflow's GitHub security advisory, which lists the affected versions and patched release.
Independent context:
- Sysdig's threat research report describes observed exploitation and credential-harvesting behavior.
- Help Net Security summarizes the July 2026 KEV listing and defender impact.
It is an authorization flaw that lets an authenticated attacker execute another user's Langflow flow by supplying that flow's ID.
