A cluster of severe security vulnerabilities in Langflow, an open-source AI workflow tool, has been disclosed in...
A cluster of severe security vulnerabilities in Langflow, an open-source AI workflow tool, has been disclosed in June-July 2026, including a CISA Known Exploited Vulnerability (CVE-2026-55255) added to the KEV catalog on July 7, 2026, with a due date of July 10, 2026 for mitigation.
confidence score
Strong evidence: 3 independent source classes support this read.
signal brief
A cluster of severe security vulnerabilities in Langflow, an open-source AI workflow tool, has been disclosed in June-July 2026, including a CISA Known Exploited Vulnerability (CVE-2026-55255) added to the KEV catalog on July 7, 2026, with a due date of July 10, 2026 for mitigation. The vulnerabilities span Insecure Direct Object Reference (IDOR), Remote Code Execution (RCE), path traversal, unauthenticated file upload leading to DoS, arbitrary file read, and session management issues. Specifically, CVE-2026-55255 allows an authenticated attacker to execute any flow belonging to another user by manipulating the flow ID. Several RCE vulnerabilities (CVE-2026-48519, CVE-2026-55447, CVE-2026-55450) permit unauthenticated attackers to execute arbitrary code on the server, particularly through the Shareable Playground feature. Additionally, CVE-2026-42867 and CVE-2026-42048 enable path traversal in the Knowledge Bases API, leading to arbitrary file read. These issues affect versions prior to 1.9.x/1.10.x. The breadth and severity of the vulnerabilities, combined with CISA's active exploitation warning, represent a significant trust hit for Langflow. Enterprise adopters may delay deployments or demand security hardening, potentially slowing Langflow's adoption growth.
What the sources said:
- CISA KEV entry: "Langflow contains an authorization bypass through user-controlled key vulnerability which allows an authenticated attacker to execute any flow belonging to another user by specifying the victim's flow ID in the request." Source
- PYSEC-2026-243: "Shareable Playground...contains a critical RCE vulnerability...allows for providing arbitrary custom Python code as the nodes code." Source
- PYSEC-2026-378: "Langflow: BaseFileComponent-based nodes arbitrary file read with RCE exploit." Source
- PYSEC-2026-242: "Any authenticated user can read, modify, rename, or permanently delete another user's data by supplying the target's resource ID." Source
source data used
“CVE: CVE-2026-55255 Vendor/project: Langflow Product: Langflow Known ransomware campaign use: Unknown Due date: 2026-07-10 CWE: CWE-639 Langflow contains an authorization bypass through user-controlled key vulnerability which allows an authenticated attacker to execute any flow belonging to...”
“A Python package with a built-in web application”
“Aliases: CVE-2026-42867 Langflow: Path Traversal in Knowledge Bases API via Creation Endpoint”
“Aliases: CVE-2026-55423, PYSEC-2026-222 Langflow: Logout button does not clear session”
“Aliases: CVE-2026-33760, PYSEC-2026-242 Langflow: IDOR/BOLA in Monitor API — Missing Ownership Enforcement on 7 Endpoints”
“Aliases: CVE-2026-55447, PYSEC-2026-378 Langflow: BaseFileComponent-based nodes arbitrary file read with RCE exploit”
“Aliases: CVE-2026-55255, PYSEC-2026-221 Langflow: IDOR Vulnerability in `/api/v1/responses` Endpoint Allows Authenticated Attackers to Access Another User's Flow”
“Aliases: CVE-2026-55446, PYSEC-2026-223 Langflow: Unauthenticated DoS through multipart form boundary file upload”
“Aliases: CVE-2026-48520, PYSEC-2026-244 Langflow: Unauthenticated Shareable Playground arbitrary local or S3 file read”
“Aliases: CVE-2026-48519, PYSEC-2026-243 Langflow: Unauthenticated RCE in Shareable Playgrounds”
“Aliases: CVE-2026-55450, PYSEC-2026-224 Langflow: Unauthenticated file upload leads to DoS (space exhaustion) and information leak”
“Aliases: CVE-2024-9277, GHSA-355v-2rjx-fpx7 Inefficient Regular Expression Complexity in langflow”
“Aliases: CVE-2025-68477, GHSA-5993-7p27-66g5 Langflow vulnerable to Server-Side Request Forgery”
“Aliases: CVE-2024-48061, GHSA-5p5r-57fx-pmfr Langflow vulnerable to remote code execution”
“Aliases: CVE-2026-21445, GHSA-c5cp-vx83-jhqx Langflow Missing Authentication on Critical API Endpoints”
“Aliases: CVE-2026-0770, GHSA-g22f-v6f7-2hrh Langflow affected by Remote Code Execution via validate_code() exec()”
“Aliases: CVE-2026-55255, GHSA-qrpv-q767-xqq2 Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to 1.9.2, an Insecure Direct Object Reference (IDOR) vulnerability in /api/v1/responses endpoint allows an authenticated attacker to execute any flow...”
“Aliases: CVE-2026-55423, GHSA-7hw8-6q6r-4276 Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to 1.7.0, the logout button does not clear the session. The previous user stays logged in unless another user explicitly...”
“Aliases: CVE-2026-55446, GHSA-qwqc-p3q8-wcg9 Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to 1.0.19, an attacker can send a /api/v1/files/upload/ request without any authentication token/cookies and abuse a very long multipart form...”
“Aliases: CVE-2026-55450, GHSA-x223-p2gf-v735 Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to 1.9.1, unauthenticated users can upload any amount of data to the server without any limitations. No need for any...”
“Aliases: CVE-2026-33760, GHSA-9c59-2mvc-vfr8 Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to 1.9.0, Langflow's /api/v1/monitor router exposes 7 endpoints that perform read, write, and delete operations on user-owned resources — messages,...”
“Aliases: CVE-2026-48519, GHSA-v5ff-9q35-q26f Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to 1.9.2, the "Shareable Playground" (or "Public Flows" in code) contains a critical RCE vulnerability. Shareable Playground feature works by...”
“Aliases: CVE-2026-48520, GHSA-rcjh-r59h-gq37 Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to 1.10.0, the "Shareable Playground" (or "Public Flows" in code) contains a potential arbitrary file-read vulnerability, depending on the exact...”
“Aliases: CVE-2026-27966, GHSA-3645-fxcv-hqr4 Langflow has Remote Code Execution in CSV Agent”
“Aliases: CVE-2026-42048, GHSA-9whx-c884-c68q Langflow Knowledge Bases API is Vulnerable to Path Traversal”
“Aliases: CVE-2026-55447, GHSA-ccv6-r384-xp75 Langflow: BaseFileComponent-based nodes arbitrary file read with RCE exploit”
“Aliases: CVE-2026-33017, GHSA-vwmf-pq79-vjvx Unauthenticated Remote Code Execution in Langflow via Public Flow Build Endpoint”
Decision support, not stock advice. This signal is research with cited evidence — not a recommendation to buy, sell, or hold any security.