Active Exploits Trigger CISA Patch Order for Langflow 1.9.1
CISA has added a critical authorization bypass vulnerability in Langflow to its Known Exploited Vulnerabilities catalog, requiring patches by July 10, 2026.
The Cybersecurity and Infrastructure Security Agency (CISA) has issued an emergency patch directive for a critical authorization bypass vulnerability in Langflow, ordering federal agencies to update their systems by July 10, 2026. According to the mandate detailed on Tuesday, the flaw, tracked as CVE-2026-55255, carries a CVSS score of 9.9 and affects all Langflow versions prior to 1.9.1. Security researchers at Sysdig first observed active exploitation in the wild on June 25.
Vulnerability Mechanism
The vulnerability operates as an Insecure Direct Object Reference (IDOR) flaw within the Langflow API. An authenticated attacker can send a crafted request to the /api/v1/responses endpoint containing a victim’s UUID (flow_id). This request bypasses authorization checks, allowing the attacker to access or execute AI flows belonging to other users.
Threat actors perform host reconnaissance to harvest these flow IDs before executing the bypass. If you evaluate AI agent frameworks for production use, this flaw exposes the underlying pipeline logic and connected data stores to anyone who can authenticate to the system.
Attack Chain and Impact
Sysdig reports that financially motivated actors are targeting AI hosts to hijack high-value compute resources and harvest sensitive credentials. Successful exploitation routinely leads to the theft of LLM API keys and cloud infrastructure credentials processed by the compromised flows.
In observed campaigns, attackers chain this authorization bypass with CVE-2026-33017, an older remote code execution bug patched in March 2026. This combination enables second-stage implant delivery. Attackers use this access to drop loaders and incorporate the underlying compute hardware into botnets. This mirrors previous campaigns where Langflow instances were compromised for unauthorized access.
Exposure and Remediation
Cybersecurity firm ProCircular identified over 74,000 Langflow instances exposed directly to the public internet as of June 2026. Many of these deployments are used for demonstration purposes and run with default authentication settings, making them trivial targets for automated scanning and exploitation.
Update all Langflow deployments to version 1.9.1 immediately. Restrict instance access to trusted internal networks and disable public internet exposure for all development and demo environments.
Get Insanely Good at AI
The book for developers who want to understand how AI actually works. LLMs, prompt engineering, RAG, AI agents, and production systems.
Keep Reading
How to Use Symbolic Execution for Automated BPF Analysis
Learn how Cloudflare uses the Z3 theorem prover to instantly generate magic packets and reverse-engineer BPF bytecode for security research.
Active RCE Exploits Target 7,000 Exposed Langflow Instances
Attackers are actively exploiting a path traversal vulnerability in Langflow's file upload endpoint to achieve unauthenticated remote code execution.
Hackers Exploit Critical RCE Flaw in Marimo Python Notebooks
A critical pre-auth vulnerability in Marimo is under active exploitation, allowing attackers to gain full shell access and steal sensitive API keys.
JadePuffer Ransomware Deploys Autonomous Llama 4 Cyberattack
The JadePuffer ransomware attack marks the first confirmed use of an autonomous LLM agent executing an end-to-end cyberattack without human intervention.
OpenClaw Users Warned to Assume Compromise After Major Breach
The popular OpenClaw AI agent framework faces a security crisis as researchers uncover critical RCE vulnerabilities and thousands of exposed instances.