```html ``` Langflow Just Hit the KEV List for the Fourth Time. We Called This Exact Attack Surface in March — 20 Hours After the First One.
top of page

Langflow Just Hit the KEV List for the Fourth Time. We Called This Exact Attack Surface in March — 20 Hours After the First One.

  • Writer: Patrick Duggan
    Patrick Duggan
  • 8 minutes ago
  • 4 min read

On July 7, CISA added CVE-2026-55255 to the Known Exploited Vulnerabilities catalog and ordered federal agencies to patch it by the end of the week under Binding Operational Directive 26-04. The vulnerable product is Langflow — the open-source, drag-and-drop builder people use to wire up AI agents and LLM workflows. This is the fourth time Langflow has landed on the KEV list. We want to talk about why that number matters more than any single one of the flaws.



What the new flaw is


CVE-2026-55255 is an insecure direct object reference — an IDOR — in Langflow's responses endpoint. In plain terms: the endpoint takes a flow identifier from whoever is calling it and then runs that flow, but it never checks that the caller actually owns the flow they named. So an authenticated user on a shared or multi-tenant Langflow instance can supply someone else's flow ID and execute someone else's AI pipeline. It affects every version before 1.9.2.


That sounds abstract until you remember what a Langflow flow contains: API keys to model providers, connections to internal data, and — critically — components that can shell out to the operating system. Sysdig's Threat Research Team, which first saw this exploited in the wild on June 25 (roughly two weeks before CISA listed it), watched attackers do exactly that. They abused the authorization bypass to run a flow that injected a custom Langflow component, used it to execute a shell command, and pulled down a second-stage implant. Cross-tenant flow access became remote code execution became a foothold. The fix is Langflow 1.9.2 or later — upgrade every production and development instance.



Why the fourth time is the story


Here is the record, and this is the part we can stand behind with timestamps.


On March 21, 2026, we published a post titled "The AI Agent Builder Got Owned in 20 Hours." It was about CVE-2026-33017, a critical Langflow code-injection flaw — one HTTP request, no authentication, full remote code execution, and your AI pipeline keys. The thing that made it worth writing was not the CVSS number. It was the twenty hours: the advisory dropped with no public proof-of-concept, and attackers built working exploits from the advisory text alone and were inside production instances before lunch the next day.


We did not write that post to call a specific future CVE. Nobody can honestly do that. We wrote it to name a class: the AI-agent-builder tier is a structurally soft surface. It is young software, shipping fast, sitting on the most valuable secrets in the building — the keys that let an AI act — and it is being deployed straight into production by teams who treat it like a notebook, not like an internet-facing application server. When software like that gets a vulnerability, the gap between disclosure and exploitation collapses, because the attackers already know the target is soft and the reward is high.


Since that March post, CISA's own catalog has proven the class four times over. Langflow's missing-authentication RCE from May 2025 (CVE-2025-3248). The code-injection flaw we wrote about (CVE-2026-33017). The CORS-and-refresh-token origin-validation flaw (CVE-2025-34291). And now this authorization bypass (CVE-2026-55255). Same product, four independent roads to code execution or account takeover, all with confirmed real-world exploitation. That is not bad luck. That is a category telling you what it is.



The honest part


Held to about ninety-five percent, as always. We did not detect CVE-2026-55255 first — Sysdig did, and they did the hard reversing on the multi-stage loader; credit to their research team. Our claim is narrower and, we think, more useful than a scoop: in March we told you the AI-agent-builder surface was going to keep bleeding, we told you why, and the KEV catalog has now agreed with us four times. The value in reading us is not that we beat Sysdig to this one attack. It is that we named the pattern early enough that "patch Langflow fast and treat it like the exposed application server it is" was already our standing advice a full season before this week's fire drill.


If you run Langflow, or Flowise, or any of the visual AI-agent builders, the operational takeaway is the same one we gave in March and it did not need this CVE to be true: these tools are internet-facing application servers that hold the keys to make an AI act on your behalf. Put them behind authentication you actually trust. Do not expose them to the internet. Patch them the day an advisory lands, because the twenty-hour window is real. And assume the next Langflow KEV entry is already being written — because if the last sixteen months are any guide, it is.


The pattern was the prediction. The CVE numbers are just the receipts arriving on schedule.




Every indicator in this post is in the feed. Free.

1.58M+ IOCs, STIX 2.1 / TAXII, 88% novel vs ThreatFox, exploited-CVE leads ahead of CISA. No credit card — a free API key in 30 seconds, and you can audit every claim above against the live endpoints.


bottom of page