Langflow security advisory (AV26-670)
Actively exploited. At least one CVE in this advisory is listed in the CISA Known Exploited Vulnerabilities catalog — exploitation has been observed in the wild. Treat remediation as urgent.
Serial number: AV26-670 Date: July 8, 2026 On July 7, 2026, Langflow updated a security advisory to address vulnerabilities in the following product: Langflow – versions prior to 1.9.1 On July 7, 2026, Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2026-55255 to their Known Exploited Vulnerabilities (KEV) Database. The Cyber Centre encourages users and administrators to review the provided web links and apply the necessary updates, when available. CVE-2026-55255: Langflow: IDOR Vulnerability in /api/v1/responses Endpoint Allows Authenticated Attackers to Access Another User's Flow CISA KEV: CVE-2026-55255
CSIRTS triage
- What
- An IDOR vulnerability in the `/api/v1/responses` endpoint allows authenticated attackers to access another user's flow.
- Who is affected
- Authenticated users of Langflow versions prior to 1.9.1.
- Urgency
- Remediation is urgent as the vulnerability is actively exploited.
- Action
- Users should update to Langflow version 1.9.1 or later.
AI-assisted analysis generated from the source advisory — verify against the original.
⚡ Watch Langflow
Get an email when a new Langflow advisory drops — max one per day, one-click unsubscribe.
Details
Original advisory: https://cyber.gc.ca/en/alerts-advisories/langflow-security-advisory-av26-670
Exploitation outlook
EPSS (FIRST.org) estimates each CVE’s probability of exploitation in the next 30 days — here is the CSIRTS.com read on those numbers.
- Exploitation confirmedCVE-2026-55255Already exploited in the wild (CISA KEV) — the prediction phase is over. Patch now. Riskier than 37% of all scored CVEs.
Referenced CVEs
| CVE | CSIRTS overview | External |
|---|---|---|
| CVE-2026-55255 | coverage & exploitation status | NVD · CVE.org |
Same CVEs, other sources
How other CERTs, PSIRTs and databases cover the vulnerabilities in this advisory.
- high[UPDATE] [high] Langflow: Multiple vulnerabilitiescert-bund
- highexploitedCISA Adds Three Known Exploited Vulnerabilities to Catalogcisa
- criticalexploitedCVE-2026-55255: Langflow Authorization Bypass Through User-Controlled Key Vulnerabilitycisa-kev
- highexploitedGHSA-qrpv-q767-xqq2: Langflow: IDOR Vulnerability in `/api/v1/responses` Endpoint Allows Authenticated Attacke…ghsa
More from Canadian Centre for Cyber Security
- unknownBitWarden security advisory (AV26-683)2026-07-10
- criticalAL25-007 - Vulnerability impacting Roundcube Webmail – CVE-2025-49113 – Update 12026-07-10
- unknownMicrosoft Edge security advisory (AV26-682)2026-07-10
- criticalBroadcom VMware security advisory (AV26-681)2026-07-10
- unknownDjango security advisory (AV26-084) – Update 12026-07-09