CVE-2026-55255 | Langflow is a tool for building and deploying AI-powered age… | CVSS 9.9 CRITICAL

Description

Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to 1.9.2, an Insecure Direct Object Reference (IDOR) vulnerability in /api/v1/responses endpoint allows an authenticated attacker to execute any flow belonging to another user by specifying the victim's flow ID in the request. This vulnerability is fixed in 1.9.2.

Metadata

CVE ID: CVE-2026-55255
State: PUBLISHED
Assigner: GitHub_M
Reserved: 2026-06-16 16:44 UTC
Published: 2026-06-23 16:28 UTC
Last updated: 2026-06-23 17:32 UTC
Primary CWE: CWE-639
CWE-639: Authorization Bypass Through User-Controlled Key
Vendor / Product: langflow-ai / langflow
Sources: cve.org · NVD

Severity & Metrics

9.9 CRITICAL CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L

SSVC — CISA Coordinator

Exploitation: PoC
Automatable: no
Tech. Impact: total

Affected products (1)

Vendor	Product	Platform	Versions
langflow-ai	langflow	—	< 1.9.2

Weakness (CWE)

CWE	Source	Description
CWE-639	cna	CWE-639: Authorization Bypass Through User-Controlled Key

CVSS scores (1)

Score	Severity	Version	Source	Vector
9.9	CRITICAL	3.1	cna	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L

References (2)

https://github.com/langflow-ai/langflow/security/advisories/GHSA-qrpv-q767-xqq2 https://github.com/langflow-ai/langflow/security/advisories/GHSA-qrpv-q767-xqq2
https://github.com/langflow-ai/langflow/pull/12832 https://github.com/langflow-ai/langflow/pull/12832