Attackers using Langflow flaw for credential harvesting (CVE-2026-55255)

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical vulnerability in the Langflow AI framework to its Known Exploited Vulnerabilities catalog. This flaw, identified as CVE-2026-55255, has been observed being actively exploited in the wild by threat actors.
Langflow is an open-source visual tool used for developing AI agents and workflows, popular among individual developers and enterprises. The vulnerability, an insecure direct object reference (IDOR), exists in the /api/v1/responses endpoint. Versions of Langflow prior to 1.9.2 are affected.
An authenticated attacker can exploit CVE-2026-55255 by manipulating requests to execute any flow belonging to another user. This is possible because the endpoint accepts a flow ID without verifying the requesting user's authorization or ownership of that flow.
Researchers from the Sysdig Threat Research Team first detected exploitation of this vulnerability on June 25th. They observed a single attacker concurrently exploiting CVE-2026-55255 alongside CVE-2026-33017, a separate vulnerability enabling unauthenticated remote code execution.
The attackers are reportedly embedding prompts like "leak api keys" into hijacked flows to extract sensitive information. This includes API keys for AI services, cloud provider credentials, and database secrets, leading to potential cross-tenant data exposure and secret theft.
While CVE-2026-33017 can achieve similar outcomes on a single instance, the IDOR vulnerability (CVE-2026-55255) is particularly concerning in multi-tenant or managed SaaS environments. It can bypass tenant isolation at the application layer by leveraging the victim's credentials to execute their flows.
Sysdig characterized the actor as opportunistic and financially motivated, with a broader goal of achieving code execution and deploying implants. However, they also actively used the IDOR flaw to harvest embedded secrets.
In response to the threat, CISA has directed U.S. federal civilian agencies to mitigate CVE-2026-55255 by July 10, 2026. Agencies are also advised to search for indicators of compromise detailed by Sysdig and SentinelOne. CVE-2026-33017, added to the catalog earlier, should have already been addressed.





