CVE-2026-55255
CriticalCVSS 9.9Exploitation Probability (EPSS)
Low risk14th percentile — higher than 14% of all known CVEs
Summary
Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to version 1.9.2, an Insecure Direct Object Reference (IDOR) vulnerability in the /api/v1/responses endpoint allowed an authenticated attacker to execute any flow belonging to another user by specifying the victim's flow ID in the request.
Risk Assessment
This vulnerability could lead to unauthorized access to other users' data and operations, posing a serious threat to data privacy and security within the organization.
Recommendation
It is recommended to upgrade to version 1.9.2 or later to mitigate this vulnerability and to conduct a security audit of the application.
Original NVD description (English source)
Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to 1.9.2, an Insecure Direct Object Reference (IDOR) vulnerability in /api/v1/responses endpoint allows an authenticated attacker to execute any flow belonging to another user by specifying the victim's flow ID in the request. This vulnerability is fixed in 1.9.2.

