HarborGuardharborguardDatabase
Back to search
CRITICALCVE-2026-55255Published Modified CNA GitHub_M

CVE-2026-55255: Langflow: IDOR Vulnerability in `/api/v1/responses` Endpoint Allows Authenticated Attackers to Access Another User's Flow

Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to 1.9.2, an Insecure Direct Object Reference (IDOR) vulnerability in /api/v1/responses endpoint allows an authenticated attacker to execute any flow belonging to another user by specifying the victim's flow ID in the request. This vulnerability is fixed in 1.9.2.

Metrics

CVSS v3.1
9.9
Severity
CRITICAL
Fixed in
Affected Products
1

Get notified

Email me when this CVE is updated: new fix versions, severity changes, or any record change.

HarborGuard Analysis

Synopsis

An Insecure Direct Object Reference (IDOR) vulnerability affects Langflow, a platform for building and deploying AI-powered agents and workflows. The flaw exists in the `/api/v1/responses` endpoint and is reachable over the network by any authenticated user with a low-privilege account. A successful attacker can execute flows belonging to other users by simply substituting a victim's flow ID in the request, enabling unauthorized access to another user's data and workflows, as well as the ability to trigger or tamper with their AI flows. The description references a fix in version 1.9.2, but no official fix version has been published upstream yet; HarborGuard is tracking the advisory for patch availability.

HarborGuard Coverage

Detection

Detection of CVE-2026-55255 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images, including custom-built images that bundle Langflow. Any image carrying an affected version of the `langflow` package is flagged automatically.

Available
Triage

HarborGuard's triage capability scores this CVE at CVSS 9.9 Critical and weights it against each customer org's compliance policy to determine routing priority. Findings are routed to the appropriate team inbox within the customer's organization based on image ownership and policy configuration.

Available
Patch

Because no fix version has been published upstream, HarborGuard re-checks the advisory each ingest cycle and will make a patched-image rebuild available the moment a confirmed upstream fix is published. In the meantime, customers can use HarborGuard's compensating-control recommendations to reduce exposure while awaiting the official patch.

Pending upstream

Exploit Conditions

  • Network reachabilityRequired

    The vulnerable endpoint is exposed over the network, so an attacker must be able to reach the Langflow service via HTTP/HTTPS.

  • AuthenticationRequired

    Any low-privilege account is sufficient; the attacker only needs a valid authenticated session to submit requests to the `/api/v1/responses` endpoint.

  • Victim interactionNot required

    No action from the victim is needed; the attacker directly references the victim's flow ID in a crafted API request.

  • Attack complexityDetail

    The exploit is reliable and condition-free; substituting a target flow ID in a standard API request requires no special timing, memory layout knowledge, or environmental setup.

Blast Radius

  • Reads the contents of another user's AI flows, potentially exposing proprietary logic, credentials, or sensitive data embedded in those workflows.
  • Executes flows belonging to other users, which can trigger downstream actions such as API calls, data writes, or AI model invocations under the victim's identity.
  • Modifies or disrupts another user's workflow execution by injecting or replaying flow runs, corrupting expected output state.
  • The vulnerability carries a Scope:Changed rating, meaning a successful attacker can affect resources outside their own security boundary, extending impact beyond the directly compromised account.

How HarborGuard Handles This

Available on HarborGuard: because no upstream fix version has been confirmed for CVE-2026-55255 at this time, HarborGuard continuously re-evaluates the advisory on every ingest cycle and will make a patched-image rebuild available immediately upon upstream publication. While awaiting the fix, customers can apply compensating controls through HarborGuard's policy engine: consider network-policy isolation to restrict which services and users can reach the `/api/v1/responses` endpoint, apply egress filtering to limit what Langflow can reach if flows are executed maliciously, and where possible gate access to the endpoint behind an additional authorization layer or feature flag. For customers with auto-remediation enabled, the moment a confirmed fix version is detected upstream, HarborGuard will rebuild affected images at the patched version, run a regression test suite, and open a PR against affected workloads automatically. High and critical severity issues typically move from CVE publication to a merged patch PR in around 90 minutes for environments with auto-remediation enabled, once an upstream fix is available.

See how HarborGuard automates this
Affected packages
  • langflow-ai / langflow
    < 1.9.2
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L
References