External risk intelligence

Langflow Insecure Direct Object Reference Vulnerability Allows Flow Execution

CVE advisorySeverity: CRITICAL (CVSS 9.9)

CVE-2026-55255

Langflow is an application used for building and deploying AI agents and workflows. These tools are frequently deployed as internet-facing web applications or API services to allow remote access for users and integration with external systems, making the web-based API endpoints commonly reachable from the public internet.

Langflow

before 1.9.2

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

Langflow, a tool for building AI agents, has a critical security flaw that could allow an authenticated user to access and potentially manipulate any AI workflow created by another user. This vulnerability stems from how the system handles direct object references within its API, meaning a malicious actor with legitimate access could exploit it to view or alter sensitive AI processes.

  • Authenticated users can access other users' AI workflows.
  • Protects sensitive AI agent and workflow data.
  • Confirm relevance and exposure for AI workflow tools.

Attack Path

How an attacker could exploit the issue

An attacker with authenticated access to Langflow could exploit a vulnerability in the API to execute any AI workflow belonging to another user. This is achieved by targeting a specific API endpoint and manipulating the request to reference a different user's workflow. Successful exploitation could lead to unauthorized access and modification of AI agent functionality.

  • Authenticated access to the application.
  • Manipulating requests to the API endpoint.
  • Unauthorized execution of other users' workflows.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability could allow an authenticated user to execute any AI flow belonging to another user. This is possible by manipulating a request to the API to specify a different user's flow ID.

  • User's AI flows.
  • Authenticated user sends malicious request.
  • Unauthorized flow execution.

Operational Fix

Recommended remediation, mitigation, and detection steps

The Insecure Direct Object Reference vulnerability in Langflow's `/api/v1/responses` endpoint requires action from teams responsible for application security and the Langflow platform itself, likely including platform engineers or those managing AI/ML infrastructure. The first practical step is to confirm which Langflow instances are deployed, assess their accessibility and criticality, identify the accountable owner for each instance, and then prioritize remediation based on potential impact.

  • Identify and confirm application owners.
  • Verify reachability and business criticality.
  • Plan remediation based on risk.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is Langflow?

Langflow is a software platform designed for developers to build, test, and deploy AI-driven agents and complex automation workflows. It provides a visual interface for connecting AI models and data processing tools. Because these workflows often involve proprietary logic or sensitive data, Langflow is frequently hosted as a web service or API to support remote collaboration and integration with other external software systems.

What does CWE-639 mean for CVE-2026-55255?

This CVE involves an Insecure Direct Object Reference (IDOR) vulnerability, classified as CWE-639. In plain terms, this means the software uses a unique identifier—like a flow ID—to access data but fails to verify if the person making the request actually has permission to see or use that specific object. Because of this oversight in the /api/v1/responses endpoint, a user can interact with AI workflows they do not own simply by changing the ID in their request.

How is this Langflow vulnerability triggered?

An attacker triggers this by sending a specifically crafted request to the /api/v1/responses endpoint while authenticated as a legitimate user. They simply replace the ID of their own workflow with the ID of a target workflow belonging to someone else. It is important to note that this requires a valid account; an unauthenticated user on the open internet cannot trigger the flaw without first gaining access to the system.

Is my Langflow instance at risk?

According to Halo Surface Signal, Langflow instances are frequently deployed as internet-facing web applications or API services. If your installation is reachable from the public internet, it faces a higher likelihood of being targeted compared to instances restricted to a private, internal-only network. You should prioritize assessing any instance that is accessible to external users or integrated with public-facing systems.

What should I do to secure my Langflow deployment?

The most effective first step is to upgrade to Langflow version 1.9.2 or later, as this release contains the fix for the IDOR vulnerability. Before updating, identify all running instances of Langflow in your environment, determine their accessibility level, and coordinate with the owners of those instances to schedule the maintenance window required to apply the patch and restore proper authorization checks.

References