Vulnerability-Lookup

CVE-2026-55255 (GCVE-0-2026-55255)

Vulnerability from cvelistv5 – Published: 2026-06-23 16:28 – Updated: 2026-06-24 03:56

Title

Langflow: IDOR Vulnerability in `/api/v1/responses` Endpoint Allows Authenticated Attackers to Access Another User's Flow

Summary

Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to 1.9.2, an Insecure Direct Object Reference (IDOR) vulnerability in /api/v1/responses endpoint allows an authenticated attacker to execute any flow belonging to another user by specifying the victim's flow ID in the request. This vulnerability is fixed in 1.9.2.

Severity

9.9 (Critical)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L

SSVC

Exploitation: poc Automatable: no Technical Impact: total

CISA Coordinator (v2.0.3)

CWE

CWE-639 - Authorization Bypass Through User-Controlled Key

Assigner

GitHub_M

References

2 references

URL	Tags
https://github.com/langflow-ai/langflow/security/…	x_refsource_CONFIRM
https://github.com/langflow-ai/langflow/pull/12832	x_refsource_MISC

Impacted products

1 product

Vendor	Product	Version
langflow-ai	langflow	Affected: < 1.9.2

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-55255",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-23T00:00:00+00:00",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-24T03:56:23.082Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/langflow-ai/langflow/security/advisories/GHSA-qrpv-q767-xqq2"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "langflow",
          "vendor": "langflow-ai",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 1.9.2"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to 1.9.2, an Insecure Direct Object Reference (IDOR) vulnerability in /api/v1/responses endpoint allows an authenticated attacker to execute any flow belonging to another user by specifying the victim\u0027s flow ID in the request. This vulnerability is fixed in 1.9.2."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 9.9,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-639",
              "description": "CWE-639: Authorization Bypass Through User-Controlled Key",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-23T16:28:20.985Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/langflow-ai/langflow/security/advisories/GHSA-qrpv-q767-xqq2",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/langflow-ai/langflow/security/advisories/GHSA-qrpv-q767-xqq2"
        },
        {
          "name": "https://github.com/langflow-ai/langflow/pull/12832",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/langflow-ai/langflow/pull/12832"
        }
      ],
      "source": {
        "advisory": "GHSA-qrpv-q767-xqq2",
        "discovery": "UNKNOWN"
      },
      "title": "Langflow: IDOR Vulnerability in `/api/v1/responses` Endpoint Allows Authenticated Attackers to Access Another User\u0027s Flow"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-55255",
    "datePublished": "2026-06-23T16:28:20.985Z",
    "dateReserved": "2026-06-16T16:44:00.625Z",
    "dateUpdated": "2026-06-24T03:56:23.082Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-55255",
      "date": "2026-06-27",
      "epss": "0.00233",
      "percentile": "0.14129"
    },
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-55255\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-06-23T17:32:36.616849Z\"}}}], \"references\": [{\"url\": \"https://github.com/langflow-ai/langflow/security/advisories/GHSA-qrpv-q767-xqq2\", \"tags\": [\"exploit\"]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-06-23T17:32:47.016Z\"}}], \"cna\": {\"title\": \"Langflow: IDOR Vulnerability in `/api/v1/responses` Endpoint Allows Authenticated Attackers to Access Another User\u0027s Flow\", \"source\": {\"advisory\": \"GHSA-qrpv-q767-xqq2\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 9.9, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"CRITICAL\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"LOW\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"langflow-ai\", \"product\": \"langflow\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 1.9.2\"}]}], \"references\": [{\"url\": \"https://github.com/langflow-ai/langflow/security/advisories/GHSA-qrpv-q767-xqq2\", \"name\": \"https://github.com/langflow-ai/langflow/security/advisories/GHSA-qrpv-q767-xqq2\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/langflow-ai/langflow/pull/12832\", \"name\": \"https://github.com/langflow-ai/langflow/pull/12832\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to 1.9.2, an Insecure Direct Object Reference (IDOR) vulnerability in /api/v1/responses endpoint allows an authenticated attacker to execute any flow belonging to another user by specifying the victim\u0027s flow ID in the request. This vulnerability is fixed in 1.9.2.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-639\", \"description\": \"CWE-639: Authorization Bypass Through User-Controlled Key\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-06-23T16:28:20.985Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-55255\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-06-24T03:56:23.082Z\", \"dateReserved\": \"2026-06-16T16:44:00.625Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-06-23T16:28:20.985Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

GHSA-QRPV-Q767-XQQ2

Vulnerability from github – Published: 2026-06-19 21:16 – Updated: 2026-06-19 21:16

Summary

Langflow: IDOR Vulnerability in `/api/v1/responses` Endpoint Allows Authenticated Attackers to Access Another User's Flow

Details

Summary

Insecure Direct Object Reference (IDOR) vulnerability in /api/v1/responses endpoint allows an authenticated attacker to execute any flow belonging to another user by specifying the victim's flow ID in the request.

Details

The vulnerability exists in the get_flow_by_id_or_endpoint_name helper function in src/backend/base/langflow/helpers/flow.py (lines 399-414).

When a flow is accessed via UUID (flow_id), the function queries the database directly without verifying if the authenticated user owns that flow:

# src/backend/base/langflow/helpers/flow.py:399-414
async def get_flow_by_id_or_endpoint_name(flow_id_or_name: str, user_id: str | UUID | None = None) -> FlowRead:
    async with session_scope() as session:
        try:
            flow_id = UUID(flow_id_or_name)
            # When using UUID, query directly WITHOUT checking user_id
            flow = await session.get(Flow, flow_id)  # ❌ No user_id check!
        except ValueError:
            endpoint_name = flow_id_or_name
            stmt = select(Flow).where(Flow.endpoint_name == endpoint_name)
            # Only when using endpoint_name is user_id checked
            if user_id:
                stmt = stmt.where(Flow.user_id == uuid_user_id)

This function is used by the /api/v1/responses endpoint (defined in src/backend/base/langflow/api/v1/openai_responses.py:589).

PoC (Proof of Concept)

# Attacker (user A) with API_KEY_A tries to execute victim (user B)'s flow
curl -X POST "http://localhost:7860/api/v1/responses" \
  -H "x-api-key: sk-ATTACKER_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "model": "VICTIM_FLOW_ID",
    "input_value": "test",
    "stream": false
  }'
# Returns 200 and executes the victim's flow

Impact

Any authenticated user can: 1. Execute any flow in the system by knowing its flow ID 2. Access potentially sensitive data processed by victim's flows 3. Consume victim's resources

Fixes

Fixed in PR #12832 (fix(security): close IDOR in get_flow_by_id_or_endpoint_name), merged 2026-04-22, released in Langflow 1.9.1.

The helper normalizes user_id once and enforces ownership on both lookup branches (UUID and endpoint_name):

flow_id = UUID(flow_id_or_name)
flow = await session.get(Flow, flow_id)
if flow is not None and uuid_user_id is not None and flow.user_id != uuid_user_id:
    flow = None  # cross-user lookup falls through to the shared 404

Key points: - Cross-user lookups return 404 (not 403), so flow existence is not disclosed via a 403-vs-404 oracle. - /api/v1/responses and /api/v2/workflow pass user_id explicitly, so fixing the helper closes them directly; the /api/v1/run* routes were additionally moved from a bare Depends(get_flow_by_id_or_endpoint_name) to auth-aware wrapper dependencies (defense in depth). - A malformed user_id now fails closed (404 instead of a raw 500). - Webhook routes intentionally keep the unscoped lookup (public by design / explicit ownership check elsewhere). - Regression tests cover the cross-user UUID case and reproduce the original PoC against /api/v1/responses.

Acknowledgements

Thanks to the security researchers who responsibly disclosed this vulnerability: * @yzeirnials * @johnatzeropath * @LeftenantZero * @Zwique

Severity

9.9 (Critical)


                  
                    CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "langflow"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.9.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-55255"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-19T21:16:46Z",
    "nvd_published_at": null,
    "severity": "CRITICAL"
  },
  "details": "## Summary\n\nInsecure Direct Object Reference (IDOR) vulnerability in `/api/v1/responses` endpoint allows an authenticated attacker to execute any flow belonging to another user by specifying the victim\u0027s flow ID in the request.\n\n## Details\n\nThe vulnerability exists in the `get_flow_by_id_or_endpoint_name` helper function in [`src/backend/base/langflow/helpers/flow.py` (lines 399-414)](https://github.com/langflow-ai/langflow/blob/v1.9.0/src/backend/base/langflow/helpers/flow.py#L399C1-L414C67).\n\nWhen a flow is accessed via UUID (flow_id), the function queries the database directly without verifying if the authenticated user owns that flow:\n\n```python\n# src/backend/base/langflow/helpers/flow.py:399-414\nasync def get_flow_by_id_or_endpoint_name(flow_id_or_name: str, user_id: str | UUID | None = None) -\u003e FlowRead:\n    async with session_scope() as session:\n        try:\n            flow_id = UUID(flow_id_or_name)\n            # When using UUID, query directly WITHOUT checking user_id\n            flow = await session.get(Flow, flow_id)  # \u274c No user_id check!\n        except ValueError:\n            endpoint_name = flow_id_or_name\n            stmt = select(Flow).where(Flow.endpoint_name == endpoint_name)\n            # Only when using endpoint_name is user_id checked\n            if user_id:\n                stmt = stmt.where(Flow.user_id == uuid_user_id)\n```\n\nThis function is used by the `/api/v1/responses` endpoint (defined in [`src/backend/base/langflow/api/v1/openai_responses.py:589`](https://github.com/langflow-ai/langflow/blob/v1.9.0/src/backend/base/langflow/api/v1/openai_responses.py#L589)).\n\n## PoC (Proof of Concept)\n\n```bash\n# Attacker (user A) with API_KEY_A tries to execute victim (user B)\u0027s flow\ncurl -X POST \"http://localhost:7860/api/v1/responses\" \\\n  -H \"x-api-key: sk-ATTACKER_API_KEY\" \\\n  -H \"Content-Type: application/json\" \\\n  -d \u0027{\n    \"model\": \"VICTIM_FLOW_ID\",\n    \"input_value\": \"test\",\n    \"stream\": false\n  }\u0027\n# Returns 200 and executes the victim\u0027s flow\n```\n\n## Impact\n\nAny authenticated user can:\n1. Execute any flow in the system by knowing its flow ID\n2. Access potentially sensitive data processed by victim\u0027s flows\n3. Consume victim\u0027s resources\n\n## Fixes\n\nFixed in **PR #12832** (`fix(security): close IDOR in get_flow_by_id_or_endpoint_name`), merged 2026-04-22, released in **Langflow 1.9.1**.\n\nThe helper normalizes `user_id` once and enforces ownership on **both** lookup branches (UUID *and* `endpoint_name`):\n\n```python\nflow_id = UUID(flow_id_or_name)\nflow = await session.get(Flow, flow_id)\nif flow is not None and uuid_user_id is not None and flow.user_id != uuid_user_id:\n    flow = None  # cross-user lookup falls through to the shared 404\n```\n\nKey points:\n- Cross-user lookups return **404** (not 403), so flow existence is not disclosed via a 403-vs-404 oracle.\n- `/api/v1/responses` and `/api/v2/workflow` pass `user_id` explicitly, so fixing the helper closes them directly; the `/api/v1/run*` routes were additionally moved from a bare `Depends(get_flow_by_id_or_endpoint_name)` to auth-aware wrapper dependencies (defense in depth).\n- A malformed `user_id` now fails closed (404 instead of a raw 500).\n- Webhook routes intentionally keep the unscoped lookup (public by design / explicit ownership check elsewhere).\n- Regression tests cover the cross-user UUID case and reproduce the original PoC against `/api/v1/responses`.\n\n\n\n\n\n## Acknowledgements\n\nThanks to the security researchers who responsibly disclosed this vulnerability:\n* @yzeirnials\n* @johnatzeropath\n* @LeftenantZero\n* @Zwique",
  "id": "GHSA-qrpv-q767-xqq2",
  "modified": "2026-06-19T21:16:46Z",
  "published": "2026-06-19T21:16:46Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/langflow-ai/langflow/security/advisories/GHSA-qrpv-q767-xqq2"
    },
    {
      "type": "WEB",
      "url": "https://github.com/langflow-ai/langflow/pull/12832"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/langflow-ai/langflow"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Langflow: IDOR Vulnerability in `/api/v1/responses` Endpoint Allows Authenticated Attackers to Access Another User\u0027s Flow"
}

PYSEC-2026-221

Vulnerability from pysec - Published: 2026-06-23 17:17 - Updated: 2026-06-25 23:10

Details

Severity

9.9 (Critical)


                  
                    CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L

Impacted products

Name	purl
langflow	pkg:pypi/langflow

Aliases

JSON

To clipboard

{
  "affected": [
    {
      "ecosystem_specific": {},
      "package": {
        "ecosystem": "PyPI",
        "name": "langflow",
        "purl": "pkg:pypi/langflow"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.9.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "0.0.31",
        "0.0.32",
        "0.0.33",
        "0.0.40",
        "0.0.44",
        "0.0.45",
        "0.0.46",
        "0.0.52",
        "0.0.53",
        "0.0.54",
        "0.0.55",
        "0.0.56",
        "0.0.57",
        "0.0.58",
        "0.0.61",
        "0.0.62",
        "0.0.63",
        "0.0.64",
        "0.0.65",
        "0.0.66",
        "0.0.67",
        "0.0.68",
        "0.0.69",
        "0.0.70",
        "0.0.71",
        "0.0.72",
        "0.0.73",
        "0.0.74",
        "0.0.75",
        "0.0.76",
        "0.0.78",
        "0.0.79",
        "0.0.80",
        "0.0.81",
        "0.0.83",
        "0.0.84",
        "0.0.85",
        "0.0.86",
        "0.0.87",
        "0.0.88",
        "0.0.89",
        "0.1.0",
        "0.1.2",
        "0.1.3",
        "0.1.4",
        "0.1.5",
        "0.1.6",
        "0.1.7",
        "0.2.0",
        "0.2.1",
        "0.2.10",
        "0.2.11",
        "0.2.12",
        "0.2.13",
        "0.2.2",
        "0.2.3",
        "0.2.4",
        "0.2.5",
        "0.2.6",
        "0.2.7",
        "0.2.8",
        "0.2.9",
        "0.3.0",
        "0.3.1",
        "0.3.2",
        "0.3.3",
        "0.3.4",
        "0.4.0",
        "0.4.1",
        "0.4.10",
        "0.4.11",
        "0.4.12",
        "0.4.14",
        "0.4.15",
        "0.4.16",
        "0.4.17",
        "0.4.18",
        "0.4.19",
        "0.4.2",
        "0.4.20",
        "0.4.21",
        "0.4.3",
        "0.4.4",
        "0.4.5",
        "0.4.6",
        "0.4.7",
        "0.4.8",
        "0.4.9",
        "0.5.0",
        "0.5.0a0",
        "0.5.0a1",
        "0.5.0a2",
        "0.5.0a3",
        "0.5.0a4",
        "0.5.0a5",
        "0.5.0a6",
        "0.5.0b0",
        "0.5.0b2",
        "0.5.0b3",
        "0.5.0b4",
        "0.5.0b5",
        "0.5.0b6",
        "0.5.1",
        "0.5.10",
        "0.5.11",
        "0.5.12",
        "0.5.2",
        "0.5.3",
        "0.5.4",
        "0.5.5",
        "0.5.6",
        "0.5.7",
        "0.5.8",
        "0.5.9",
        "0.6.0",
        "0.6.0rc1",
        "0.6.1",
        "0.6.10",
        "0.6.11",
        "0.6.12",
        "0.6.14",
        "0.6.15",
        "0.6.16",
        "0.6.17",
        "0.6.18",
        "0.6.19",
        "0.6.2",
        "0.6.3",
        "0.6.3a0",
        "0.6.3a1",
        "0.6.3a2",
        "0.6.3a3",
        "0.6.3a4",
        "0.6.3a5",
        "0.6.3a6",
        "0.6.3a7",
        "0.6.4",
        "0.6.4a0",
        "0.6.4a1",
        "0.6.5",
        "0.6.5a0",
        "0.6.5a1",
        "0.6.5a10",
        "0.6.5a11",
        "0.6.5a12",
        "0.6.5a13",
        "0.6.5a2",
        "0.6.5a3",
        "0.6.5a4",
        "0.6.5a5",
        "0.6.5a6",
        "0.6.5a7",
        "0.6.5a8",
        "0.6.5a9",
        "0.6.6",
        "0.6.7",
        "0.6.7a1",
        "0.6.7a2",
        "0.6.7a3",
        "0.6.7a5",
        "0.6.8",
        "0.6.9",
        "1.0.0",
        "1.0.0a0",
        "1.0.0a1",
        "1.0.0a10",
        "1.0.0a11",
        "1.0.0a12",
        "1.0.0a13",
        "1.0.0a14",
        "1.0.0a15",
        "1.0.0a17",
        "1.0.0a18",
        "1.0.0a19",
        "1.0.0a2",
        "1.0.0a20",
        "1.0.0a21",
        "1.0.0a22",
        "1.0.0a23",
        "1.0.0a24",
        "1.0.0a25",
        "1.0.0a26",
        "1.0.0a27",
        "1.0.0a28",
        "1.0.0a29",
        "1.0.0a3",
        "1.0.0a30",
        "1.0.0a31",
        "1.0.0a32",
        "1.0.0a33",
        "1.0.0a34",
        "1.0.0a35",
        "1.0.0a36",
        "1.0.0a37",
        "1.0.0a38",
        "1.0.0a39",
        "1.0.0a4",
        "1.0.0a40",
        "1.0.0a41",
        "1.0.0a42",
        "1.0.0a43",
        "1.0.0a44",
        "1.0.0a45",
        "1.0.0a46",
        "1.0.0a47",
        "1.0.0a48",
        "1.0.0a49",
        "1.0.0a5",
        "1.0.0a50",
        "1.0.0a51",
        "1.0.0a52",
        "1.0.0a53",
        "1.0.0a55",
        "1.0.0a56",
        "1.0.0a57",
        "1.0.0a58",
        "1.0.0a59",
        "1.0.0a6",
        "1.0.0a60",
        "1.0.0a61",
        "1.0.0a7",
        "1.0.0a8",
        "1.0.0a9",
        "1.0.0rc0",
        "1.0.0rc1",
        "1.0.1",
        "1.0.10",
        "1.0.11",
        "1.0.12",
        "1.0.13",
        "1.0.14",
        "1.0.15",
        "1.0.16",
        "1.0.17",
        "1.0.18",
        "1.0.19",
        "1.0.19.post1",
        "1.0.19.post2",
        "1.0.2",
        "1.0.3",
        "1.0.4",
        "1.0.5",
        "1.0.6",
        "1.0.7",
        "1.0.8",
        "1.0.9",
        "1.1.0",
        "1.1.1",
        "1.1.2",
        "1.1.3",
        "1.1.4",
        "1.1.4.post1",
        "1.2.0",
        "1.3.0",
        "1.3.1",
        "1.3.2",
        "1.3.3",
        "1.3.4",
        "1.4.0",
        "1.4.1",
        "1.4.2",
        "1.4.3",
        "1.5.0",
        "1.5.0.post1",
        "1.5.0.post2",
        "1.5.1",
        "1.6.0",
        "1.6.1",
        "1.6.2",
        "1.6.3",
        "1.6.4",
        "1.6.5",
        "1.6.6",
        "1.6.7",
        "1.6.8",
        "1.6.9",
        "1.7.0",
        "1.7.1",
        "1.7.2",
        "1.7.3",
        "1.8.0",
        "1.8.0rc0",
        "1.8.0rc1",
        "1.8.0rc2",
        "1.8.0rc3",
        "1.8.0rc4",
        "1.8.0rc5",
        "1.8.0rc6",
        "1.8.1",
        "1.8.2",
        "1.8.3",
        "1.8.3rc0",
        "1.8.4",
        "1.9.0",
        "1.9.1"
      ]
    }
  ],
  "aliases": [
    "CVE-2026-55255",
    "GHSA-qrpv-q767-xqq2"
  ],
  "details": "Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to 1.9.2, an Insecure Direct Object Reference (IDOR) vulnerability in /api/v1/responses endpoint allows an authenticated attacker to execute any flow belonging to another user by specifying the victim\u0027s flow ID in the request. This vulnerability is fixed in 1.9.2.",
  "id": "PYSEC-2026-221",
  "modified": "2026-06-25T23:10:36.509788Z",
  "published": "2026-06-23T17:17:08.050Z",
  "references": [
    {
      "type": "FIX",
      "url": "https://github.com/langflow-ai/langflow/pull/12832"
    },
    {
      "type": "EVIDENCE",
      "url": "https://github.com/langflow-ai/langflow/security/advisories/GHSA-qrpv-q767-xqq2"
    }
  ],
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L",
      "type": "CVSS_V3"
    }
  ]
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-55255 (GCVE-0-2026-55255)

GHSA-QRPV-Q767-XQQ2

Summary

Details

PoC (Proof of Concept)

Impact

Fixes

Acknowledgements

PYSEC-2026-221

Tags

Sightings

Nomenclature