CISA has added CVE‑2026-55255 to its Known Exploited Vulnerabilities catalogue, affecting the Langflow product from vendor Langflow. The vulnerability is an authorization bypass through a user‑controlled key that lets an authenticated attacker run any flow belonging to another user by supplying the victim’s flow ID in a request.
The flaw is an authorization bypass that can be exploited over the network after authentication, allowing arbitrary flow execution and potential data exposure or manipulation. It carries a CVSS v3.1 base score of 9.9, rating it as critical. A patch is available from the vendor, and advisory details are published in the GitHub security advisory GHSA-qrpv-q767-xqq2.
Because the entry appears in the KEV catalogue, active exploitation has been confirmed in the wild; there is no publicly known link to ransomware campaigns at this time. CISA has set a remediation deadline of 10 July 2026 for federal civilian executive branch (FCEB) agencies to address the issue.
CISA’s required action is: “Apply mitigations in accordance with vendor instructions, ensuring compliance with CISA’s BOD 26‑04 Prioritizing Security Updates Based on Risk (see URL in Notes) guidance and CISA’s “Forensics Triage Requirements” (see URL in Notes). Follow applicable BOD 26‑04 guidance for cloud services or discontinue use of the product if mitigations are unavailable.
Stakeholders are responsible for evaluating each asset's internet exposure and ensuring adherence to BOD 26‑04 patching guidelines.” While the directive binds FCEB agencies, all organisations should review their exposure to Langflow and apply the vendor’s patch or mitigations as soon as practicable.
For full technical details, consult the NVD entry at https://nvd.nist.gov/vuln/detail/CVE-2026-55255 and the CISA KEV catalogue.