Langflow, an open-source platform for building AI agents and workflows, has been hit by a wave of critical security...
Langflow, an open-source platform for building AI agents and workflows, has been hit by a wave of critical security advisories in June-July 2026, including multiple remote code execution (RCE), insecure direct object reference (IDOR), and path traversal vulnerabilities.
confidence score
Strong evidence: 3 independent source classes support this read.
signal brief
Langflow, an open-source platform for building AI agents and workflows, has been hit by a wave of critical security advisories in June-July 2026, including multiple remote code execution (RCE), insecure direct object reference (IDOR), and path traversal vulnerabilities. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added one vulnerability (CVE-2026-55255) to its Known Exploited Vulnerabilities (KEV) catalog on July 7, 2026, with a due date of July 10, 2026, for federal agencies to patch. The KEV entry describes an authorization bypass that allows an authenticated attacker to execute any flow belonging to another user.
Beyond the CISA-highlighted issue, OSV.dev lists at least 14 distinct advisories affecting Langflow versions prior to 1.9.x or earlier, including unauthenticated RCE in Shareable Playgrounds (CVE-2026-48519), arbitrary file read (CVE-2026-48520), unauthenticated denial-of-service (CVE-2026-55446, CVE-2026-55450), and multiple IDOR vulnerabilities in monitor and responses APIs (CVE-2026-33760, CVE-2026-55255). Several of these are fixed in versions 1.9.0, 1.9.1, 1.9.2, or 1.10.0, but the rapid succession of patches and the severity of exploits (including RCE via CSV Agent in PYSEC-2026-376) raise serious concerns about the platform's security posture.
What the sources said:
- CISA KEV entry (CVE-2026-55255): "Langflow contains an authorization bypass through user-controlled key vulnerability which allows an authenticated attacker to execute any flow belonging to another user by specifying the victim's flow ID in the request." Source
- OSV advisory for CVE-2026-48519 (RCE in Shareable Playground): "The vulnerable field is data.nodes[X].data.node.template.code.value. This vulnerability is fixed in 1.9.2." Source
- OSV advisory for CVE-2026-55450: "Unauthenticated users can upload any amount of data to the server without any limitations ... can lead to space exhaustion on the server." Source
The concentration of critical and remotely exploitable vulnerabilities suggests a systemic security weakness in Langflow's codebase, particularly in authentication and authorization checks, as well as in sandboxing user-provided code in the "Shareable Playground" feature. The CISA KEV inclusion and multiple patches in close succession indicate an urgent need for users to update and for the project to overhaul its security review processes. This will likely erode enterprise trust, slow adoption, and could lead to downstream supply chain risks for organizations embedding Langflow.
source data used
“CVE: CVE-2026-55255 Vendor/project: Langflow Product: Langflow Known ransomware campaign use: Unknown Due date: 2026-07-10 CWE: CWE-639 Langflow contains an authorization bypass through user-controlled key vulnerability which allows an authenticated attacker to execute any flow belonging to...”
“A Python package with a built-in web application”
“Aliases: CVE-2026-42867 Langflow: Path Traversal in Knowledge Bases API via Creation Endpoint”
“Aliases: CVE-2026-55423, PYSEC-2026-222 Langflow: Logout button does not clear session”
“Aliases: CVE-2026-33760, PYSEC-2026-242 Langflow: IDOR/BOLA in Monitor API — Missing Ownership Enforcement on 7 Endpoints”
“Aliases: CVE-2026-55447, PYSEC-2026-378 Langflow: BaseFileComponent-based nodes arbitrary file read with RCE exploit”
“Aliases: CVE-2026-55255, PYSEC-2026-221 Langflow: IDOR Vulnerability in `/api/v1/responses` Endpoint Allows Authenticated Attackers to Access Another User's Flow”
“Aliases: CVE-2026-55446, PYSEC-2026-223 Langflow: Unauthenticated DoS through multipart form boundary file upload”
“Aliases: CVE-2026-48520, PYSEC-2026-244 Langflow: Unauthenticated Shareable Playground arbitrary local or S3 file read”
“Aliases: CVE-2026-48519, PYSEC-2026-243 Langflow: Unauthenticated RCE in Shareable Playgrounds”
“Aliases: CVE-2026-55450, PYSEC-2026-224 Langflow: Unauthenticated file upload leads to DoS (space exhaustion) and information leak”
“Aliases: CVE-2024-9277, GHSA-355v-2rjx-fpx7 Inefficient Regular Expression Complexity in langflow”
“Aliases: CVE-2025-68477, GHSA-5993-7p27-66g5 Langflow vulnerable to Server-Side Request Forgery”
“Aliases: CVE-2024-48061, GHSA-5p5r-57fx-pmfr Langflow vulnerable to remote code execution”
“Aliases: CVE-2026-21445, GHSA-c5cp-vx83-jhqx Langflow Missing Authentication on Critical API Endpoints”
“Aliases: CVE-2026-0770, GHSA-g22f-v6f7-2hrh Langflow affected by Remote Code Execution via validate_code() exec()”
“Aliases: CVE-2026-55255, GHSA-qrpv-q767-xqq2 Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to 1.9.2, an Insecure Direct Object Reference (IDOR) vulnerability in /api/v1/responses endpoint allows an authenticated attacker to execute any flow...”
“Aliases: CVE-2026-55423, GHSA-7hw8-6q6r-4276 Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to 1.7.0, the logout button does not clear the session. The previous user stays logged in unless another user explicitly...”
“Aliases: CVE-2026-55446, GHSA-qwqc-p3q8-wcg9 Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to 1.0.19, an attacker can send a /api/v1/files/upload/ request without any authentication token/cookies and abuse a very long multipart form...”
“Aliases: CVE-2026-55450, GHSA-x223-p2gf-v735 Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to 1.9.1, unauthenticated users can upload any amount of data to the server without any limitations. No need for any...”
“Aliases: CVE-2026-33760, GHSA-9c59-2mvc-vfr8 Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to 1.9.0, Langflow's /api/v1/monitor router exposes 7 endpoints that perform read, write, and delete operations on user-owned resources — messages,...”
“Aliases: CVE-2026-48519, GHSA-v5ff-9q35-q26f Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to 1.9.2, the "Shareable Playground" (or "Public Flows" in code) contains a critical RCE vulnerability. Shareable Playground feature works by...”
“Aliases: CVE-2026-48520, GHSA-rcjh-r59h-gq37 Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to 1.10.0, the "Shareable Playground" (or "Public Flows" in code) contains a potential arbitrary file-read vulnerability, depending on the exact...”
“Aliases: CVE-2026-27966, GHSA-3645-fxcv-hqr4 Langflow has Remote Code Execution in CSV Agent”
“Aliases: CVE-2026-42048, GHSA-9whx-c884-c68q Langflow Knowledge Bases API is Vulnerable to Path Traversal”
“Aliases: CVE-2026-55447, GHSA-ccv6-r384-xp75 Langflow: BaseFileComponent-based nodes arbitrary file read with RCE exploit”
“Aliases: CVE-2026-33017, GHSA-vwmf-pq79-vjvx Unauthenticated Remote Code Execution in Langflow via Public Flow Build Endpoint”
Decision support, not stock advice. This signal is research with cited evidence — not a recommendation to buy, sell, or hold any security.