GHSA-qrpv-q767-xqq2: Langflow: IDOR Vulnerability in `/api/v1/responses` Endpoint Allows Authenticated Attackers to Access Another User's Flow
Actively exploited. At least one CVE in this advisory is listed in the CISA Known Exploited Vulnerabilities catalog — exploitation has been observed in the wild. Treat remediation as urgent.
Summary
Insecure Direct Object Reference (IDOR) vulnerability in /api/v1/responses endpoint allows an authenticated attacker to execute any flow belonging to another user by specifying the victim's flow ID in the request.
Details
The vulnerability exists in the get_flow_by_id_or_endpoint_name helper function in src/backend/base/langflow/helpers/flow.py (lines 399-414).
When a flow is accessed via UUID (flow_id), the function queries the database directly without verifying if the authenticated user owns that flow:
src/backend/base/langflow/helpers/flow.py:399-414
async def get_flow_by_id_or_endpoint_name(flow_id_or_name: str, user_id: str | UUID | None = None) -> FlowRead:
async with session_scope() as session:
try:
flow_id = UUID(flow_id_or_name)
When using UUID, query directly WITHOUT checking user_id
flow = await session.get(Flow, flow_id) # ❌ No user_id check!
except ValueError:
endpoint_name = flow_id_or_name
stmt = select(Flow).where(Flow.endpoint_name == endpoint_name)
Only when using endpoint_name is user_id checked
if user_id:
stmt = stmt.where(Flow.user_id == uuid_user_id)
This function is used by the /api/v1/responses endpoint (defined in src/backend/base/langflow/api/v1/openai_responses.py:589).
PoC (Proof of Concept)
Attacker (user A) with API_KEY_A tries to execute victim (user B)'s flow
curl -X POST "http://localhost:7860/api/v1/responses" \
-H "x-api-key: sk-ATTACKER_API_KEY" \
-H "Content-Type: application/json" \
-d '{
"model": "VICTIM_FLOW_ID",
"input_value": "test",
"stream": false
}'
Returns 200 and executes the victim's flow
Impact
Any authenticated user can:
1. Execute any flow in the system by knowing its flow ID
2. Access potentially sensitive data processed by victim's flows
3. Consume victim's resources
Fixes
Fixed in PR #12832 (fix(security): close IDOR in get_flow_by_id_or_endpoint_name), merged 2026-04-22, released in Langflow 1.9.1.
The helper normalizes user_id once and enforces ownership on both lookup branches (UUID
CSIRTS triage
- What
- An IDOR vulnerability allows authenticated attackers to access another user's flow.
- Who is affected
- Authenticated users of Langflow are affected.
- Urgency
- Remediation is urgent due to active exploitation and high severity.
- Action
- Users should apply the latest security updates to mitigate this vulnerability.
AI-assisted analysis generated from the source advisory — verify against the original.
⚡ Watch Langflow
Get an email when a new Langflow advisory drops — max one per day, one-click unsubscribe.
Details
Original advisory: https://github.com/advisories/GHSA-qrpv-q767-xqq2
Exploitation outlook
EPSS (FIRST.org) estimates each CVE’s probability of exploitation in the next 30 days — here is the CSIRTS.com read on those numbers.
- Exploitation confirmedCVE-2026-55255Already exploited in the wild (CISA KEV) — the prediction phase is over. Patch now. Riskier than 37% of all scored CVEs.
Referenced CVEs
| CVE | CSIRTS overview | External |
|---|---|---|
| CVE-2026-55255 | coverage & exploitation status | NVD · CVE.org |
Same CVEs, other sources
How other CERTs, PSIRTs and databases cover the vulnerabilities in this advisory.
- unknownexploitedLangflow security advisory (AV26-670)cccs
- high[UPDATE] [high] Langflow: Multiple vulnerabilitiescert-bund
- highexploitedCISA Adds Three Known Exploited Vulnerabilities to Catalogcisa
- criticalexploitedCVE-2026-55255: Langflow Authorization Bypass Through User-Controlled Key Vulnerabilitycisa-kev
More from GitHub Security Advisories
- criticalGHSA-g936-7jqj-mwv8: TSDProxy: Internal proxy auth token forwarded to backend services enables management API …2026-07-10
- highGHSA-fpg8-7664-jc5q: melange: Incomplete package integrity verification allows data section substitution2026-07-10
- mediumGHSA-48rx-c7pg-q66r: Excon does not redact additional sensitive/risky headers when following redirects2026-07-10
- highGHSA-h4g2-xfmw-q2c9: Clauster: Non-loopback deployments can serve the dashboard unauthenticated when auth.enab…2026-07-10
- mediumGHSA-rqq5-2gf9-4w4q: Secure Headers: CSP directive injection via sandbox, plugin_types, and report_to when giv…2026-07-10