Multiple critical vulnerabilities found in Langflow AI platform

Vulnerability | Open | Jun 19, 2026 to Jun 26, 2026
Critical flaws in Langflow allow data theft and DoS, patch urged

Researchers have uncovered three critical vulnerabilities in the Langflow AI workflow platform that enable attackers to steal data, execute code and crash services, prompting an urgent call for administrators to patch. The flaws affect all releases before version 1.9.2 and were disclosed through the project’s security advisory page. Users of the open‑source tool are advised to upgrade immediately to prevent compromise.

The most severe flaw, tracked as CVE-2026-55255, is an Insecure Direct Object Reference issue with a CVSS score of 9.9 that allows an attacker to hijack flows belonging to other users because the application fails to verify the owner’s identifier. Exploiting this bug requires only knowledge of a target flow’s identifier and can be carried out remotely without authentication. Details are available in the project’s security advisory.

A second vulnerability, CVE-2026-55447, scores CVSS 9.6 and stems from improper handling of TAR uploads, allowing an attacker to read arbitrary files and potentially achieve remote code execution, which could expose Langflow’s secret keys. The third issue, CVE-2026-55450, carries a CVSS of 9.3 and results from missing authentication on the file upload endpoint, letting unauthenticated users send unlimited data that fills disk space and triggers a denial of service. A public proof of concept for the upload flaw has been released, as described in a detailed write‑up and the corresponding GHSA advisory.

No specific threat actor has been linked to these bugs so far, but the availability of exploit code lowers the barrier for opportunistic attackers seeking to compromise AI workflows. An attacker who chains the IDOR and file‑read flaws could gain access to sensitive training data, model weights or API tokens stored within the platform. The denial‑of‑service vector could be used to disrupt services that rely on Langflow for orchestrating machine learning pipelines.

Administrators should prioritize upgrading to Langflow version 1.9.1 or 1.9.2, which introduces proper user ID validation, checks the contents of TAR archives before extraction and enforces authentication plus size limits on file uploads. Instances that cannot be patched immediately should be placed behind a network access control list that limits connectivity to known administration addresses. Monitoring logs for unexpected flow modifications, large upload requests or repeated access to obscure file paths can help detect active exploitation attempts.
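As an added illustration of the kind of pre-extraction TAR check described above (this is not Langflow's code or its actual patch), the Python sketch below vets every archive member before anything is written to disk. The function names, the limits and the sample archives are assumptions constructed for this example.

```python
import io
import os
import tarfile

MAX_TOTAL_BYTES = 50 * 1024 * 1024  # assumed limit, not a Langflow setting
MAX_MEMBERS = 1000                  # assumed limit


class UnsafeArchive(Exception):
    """Raised when an uploaded archive must not be extracted."""


def check_tar(fileobj, dest_dir, max_bytes=MAX_TOTAL_BYTES):
    """Vet every member before extraction; return the accepted names."""
    dest = os.path.realpath(dest_dir)
    total, vetted = 0, []
    with tarfile.open(fileobj=fileobj, mode="r:*") as tar:
        for count, member in enumerate(tar, start=1):
            if count > MAX_MEMBERS:
                raise UnsafeArchive("too many members")
            # Plain files and directories only: links and device nodes let
            # an archive reference files outside the upload directory.
            if not (member.isfile() or member.isdir()):
                raise UnsafeArchive(f"disallowed member type: {member.name}")
            # Resolve the final path and require it to stay under dest.
            target = os.path.realpath(os.path.join(dest, member.name))
            if os.path.commonpath([dest, target]) != dest:
                raise UnsafeArchive(f"path escapes destination: {member.name}")
            total += member.size  # size declared in the member header
            if total > max_bytes:
                raise UnsafeArchive("unpacked size exceeds limit")
            vetted.append(member.name)
    return vetted


def build_sample(name, data=b"", link_to=None):
    """Constructed test input: a one-member, in-memory tar archive."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        info = tarfile.TarInfo(name)
        if link_to is not None:
            info.type, info.linkname = tarfile.SYMTYPE, link_to
            tar.addfile(info)
        else:
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    buf.seek(0)
    return buf
```

On Python 3.12 and later, passing `filter="data"` to `tarfile.extractall` applies comparable member checks at extraction time and can be used alongside a size cap like the one above.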

Maintaining an inventory of deployed Langflow instances, subscribing to the project’s security announcements and applying the principle of least privilege to service accounts will reduce the chance that similar flaws succeed. Regularly reviewing third‑party components and staying current with patches remains the most effective defence against emerging threats in open‑source AI tooling.

Intelligence briefing updated Jun 26, 2026

CVE-2026-55255 (CVSS 9.9)
CVE-2026-55447 (CVSS 9.6)
CVE-2026-55450 (CVSS 9.3)

Root source: github.com