CVE-2026-55255: Langflow Authorization Bypass Through User-Controlled Key Vulnerability

Summary

Langflow has a critical vulnerability (CVE-2026-55255) that allows authenticated users to bypass authorization and execute any flow belonging to another user by manipulating the request with the victim's flow ID. CISA is mandating timely mitigation in accordance with vendor instructions and their BOD 26-04 guidance.

IFF Assessment

FOE

This vulnerability allows an authenticated attacker to execute arbitrary flows belonging to other users, posing a significant risk to data and system integrity.

Severity

9.9 Critical

The CVSS score is estimated to be high due to the potential for an authenticated attacker to execute any flow belonging to another user, leading to a significant impact on confidentiality, integrity, and availability. The attack vector is likely network-based and requires user interaction to trigger the bypass.

CISA KEV: Listed as actively exploited. Federal patch due: July 10, 2026. Known ransomware use: Unknown.

Defender Context

This vulnerability in Langflow highlights the ongoing risks associated with authorization bypasses in applications, especially those handling user-created content or workflows. Defenders should prioritize applying vendor-provided patches or mitigations promptly and assess the potential for exploitation by threat actors seeking to gain unauthorized access to other users' resources.

Read Full Story →