Langflow < 1.9.2 - Authenticated Insecure Direct Object Reference
Title source: manualExploitation Summary
CVE-2026-55255 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added July 7, 2026. EIP tracks 2 public exploits from researchers including HORKimhab, rootdirective-sec.
AI-analyzed exploit summary The repository contains a markdown file describing an IDOR vulnerability in Langflow's `/api/v1/responses` endpoint but provides no actual exploit code. Instead, it links to external resources (GitHub repo and encrypted archive) without technical details or proof of concept.
Description
Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to 1.9.1, an Insecure Direct Object Reference (IDOR) vulnerability in /api/v1/responses endpoint allows an authenticated attacker to execute any flow belonging to another user by specifying the victim's flow ID in the request. This vulnerability is fixed in 1.9.1.
Exploits (2)
The repository contains a markdown file describing an IDOR vulnerability in Langflow's `/api/v1/responses` endpoint but provides no actual exploit code. Instead, it links to external resources (GitHub repo and encrypted archive) without technical details or proof of concept.
This repository contains a functional exploit PoC for CVE-2026-55255, an IDOR (Insecure Direct Object Reference) vulnerability in Langflow. The exploit demonstrates cross-user flow execution by allowing an attacker to execute flows owned by other users via crafted API requests.
References (5)
Scores
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:L