CISA Mandates Urgent Patching for Actively Exploited Langflow Vulnerability
The U.S. Cybersecurity and Infrastructure Security Agency (**CISA**) has issued a critical directive for federal agencies, demanding immediate patching for an actively exploited Insecure Direct Object Reference (**IDOR**) vulnerability in the **Langflow** visual AI development framework. This flaw, tracked as **CVE-2026-55255**, allows authenticated attackers to access sensitive data and resources from other users' AI workflows, posing significant risks to federal systems and AI development environments.

The **U.S. Cybersecurity and Infrastructure Security Agency (CISA)** has given federal agencies a strict deadline to patch an actively exploited vulnerability within the **Langflow** visual framework, a popular tool for building AI agents.
**Langflow** has become an attractive target for threat actors due to its widespread use in the AI development ecosystem. It offers a user-friendly drag-and-drop interface for creating executable pipelines and provides a **REST API** for programmatic execution.
### The IDOR Vulnerability: CVE-2026-55255
This critical security flaw, identified as **CVE-2026-55255**, is an Insecure Direct Object Reference (**IDOR**). It enables authenticated attackers to gain unauthorized access to other users' AI flows. This is achieved by sending a maliciously crafted request to the `/api/v1/responses` endpoint, incorporating the victim's **UUID** (flow_id).
Successful exploitation of **CVE-2026-55255** allows threat actors to access sensitive data processed by the victim's flows and consume their computational resources.
### In-the-Wild Exploitation and Financial Motivation
**Sysdig's Threat Research Team (TRT)** first observed in-the-wild exploitation of **CVE-2026-55255** on June 25. Their analysis indicated that the primary objective was "code execution and second-stage implant delivery (loader/dropper class)."
"From what we observed, itβs clear that the threat actor is opportunistic and financially motivated," the **Sysdig** researchers stated. "In short, itβs clear that the motive was money via the two reliable yields of a compromised AI host: its compute (botnet/implant) and its credentials (LLM/cloud keys), both of which were pursued with cheap, repeatable, low-sophistication tooling."
### CISA's Mandate for Federal Agencies
On Tuesday, **CISA** added the **CVE-2026-55255** authorization bypass to its **Known Exploited Vulnerabilities Catalog (KEV)**. This addition triggered a mandate under Binding Operational Directive (**BOD**) 26-04, requiring U.S. Federal Civilian Executive Branch (**FCEB**) agencies to secure their affected devices by Friday.
**CISA** emphasized the severity of such vulnerabilities, stating, "This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise." The agency further advised, "Stakeholders are responsible for evaluating each asset's internet exposure and ensuring adherence to **BOD** 26-04 patching guidelines."
### A Pattern of Langflow Exploits
This is not the first time **CISA** has flagged **Langflow** vulnerabilities for urgent attention. In May 2025, a missing authentication security issue (**CVE-2025-3248**) was added to the **KEV** catalog. This flaw was later flagged as exploited by ransomware gangs, specifically the **JadePuffer** operation, which leveraged it to dump **Langflow's PostgreSQL** database.
Furthermore, in March 2026, a code injection vulnerability (**CVE-2026-33017**) in **Langflow** was also added to the **KEV** catalog due to active exploitation.
Adding to the concerns, **VulnCheck** security researcher **Caitlin Condon** reported active exploitation of a high-severity **Langflow** path traversal vulnerability (**CVE-2026-5027**) since June. This flaw allows attackers to write arbitrary files to exposed servers.