Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-55255

CVE-2026-55255: Langflow Authentication Bypass Vulnerability

CVE-2026-55255 is an authentication bypass vulnerability in Langflow that allows authenticated attackers to execute flows belonging to other users. This article covers the technical details, affected versions, and mitigation.

Published:

CVE-2026-55255 Overview

CVE-2026-55255 is an Insecure Direct Object Reference (IDOR) vulnerability in Langflow, an open-source tool for building and deploying AI-powered agents and workflows. The flaw resides in the /api/v1/responses endpoint and affects all versions prior to 1.9.2. An authenticated attacker can execute any flow belonging to another user by supplying the victim's flow identifier in the request. The vulnerability is tracked under [CWE-639] (Authorization Bypass Through User-Controlled Key) and was patched in Langflow 1.9.2.

Critical Impact

Authenticated attackers can execute arbitrary flows owned by other users, leading to cross-tenant access, data exposure, and unauthorized invocation of AI workflows.

Affected Products

  • Langflow versions prior to 1.9.2
  • langflow:langflow package distributions
  • Self-hosted and containerized Langflow deployments

Discovery Timeline

  • 2026-06-23 - CVE-2026-55255 published to NVD
  • 2026-06-24 - Last updated in NVD database

Technical Details for CVE-2026-55255

Vulnerability Analysis

Langflow exposes the /api/v1/responses endpoint to authenticated users for executing defined flows. The endpoint accepts a flow identifier supplied by the client but fails to verify that the requesting user owns or is authorized to invoke that specific flow. This missing ownership check allows any authenticated user to reference another user's flow ID and trigger its execution. The defect is classified as [CWE-639], where authorization decisions rely on a user-controlled key without server-side validation. Because Langflow flows can contain sensitive AI agents, credentials, and integrations with external systems, unauthorized execution can cascade into broader data and integrity compromise.

Root Cause

The root cause is a missing authorization check between the authenticated session and the requested resource. The endpoint logic in versions prior to 1.9.2 resolves the flow object directly from the supplied identifier without confirming that the flow belongs to the caller or that the caller has been granted execution rights. See the GitHub Security Advisory GHSA-qrpv-q767-xqq2 for the maintainer's analysis.

Attack Vector

Exploitation requires network access to the Langflow API and valid authentication credentials for any user account on the target instance. The attacker enumerates or obtains a target flow ID, then issues a request to /api/v1/responses substituting the victim's flow ID. The server executes the flow under the attacker's session while accessing resources tied to the victim. No user interaction is required beyond the attacker's own request. Technical details of the fix are available in the Langflow Pull Request #12832.

Detection Methods for CVE-2026-55255

Indicators of Compromise

  • Requests to /api/v1/responses where the authenticated user ID does not match the owner of the referenced flow ID in application logs.
  • Unexpected flow executions appearing in audit history for accounts that did not initiate them.
  • Spikes in API calls referencing flow IDs across multiple distinct user accounts within a short time window.

Detection Strategies

  • Correlate authentication identifiers with flow ownership metadata in application logs to surface cross-user flow invocations.
  • Deploy web application firewall rules that flag enumeration patterns against /api/v1/responses with varied flow ID values.
  • Review Langflow audit trails for execution events that lack a corresponding UI session from the flow owner.

Monitoring Recommendations

  • Forward Langflow API access logs to a centralized analytics platform for cross-user authorization anomaly detection.
  • Alert on high-cardinality flow ID access patterns from individual authenticated sessions.
  • Track outbound connections initiated by Langflow workers to detect unexpected actions executed by hijacked flows.

How to Mitigate CVE-2026-55255

Immediate Actions Required

  • Upgrade Langflow to version 1.9.2 or later on all production and development instances.
  • Rotate any credentials, API keys, and secrets stored within flows that may have been exposed to unauthorized execution.
  • Audit flow execution history for unauthorized invocations during the exposure window.
  • Restrict network exposure of the Langflow API to trusted networks until patched.

Patch Information

The vulnerability is fixed in Langflow 1.9.2. The remediation adds an ownership and authorization check to the /api/v1/responses endpoint so that flows can only be executed by their owners or explicitly authorized users. Patch details are documented in Langflow Pull Request #12832 and the GHSA-qrpv-q767-xqq2 advisory.

Workarounds

  • Place Langflow behind an authenticating reverse proxy that restricts access to a minimal set of trusted operators until upgrade.
  • Disable shared multi-user access on the affected instance and operate single-tenant where feasible.
  • Block external access to the /api/v1/responses endpoint at the network layer if immediate patching is not possible.

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.