"From what we observed, it’s clear that the threat actor is opportunistic and financially motivated," Sysdig's Threat Research Team wrote after seeing in-the-wild exploitation of a Langflow vulnerability.
CVE-2026-55255: an authorization bypass that exposes other users' flows
The flaw, tracked as CVE-2026-55255, is an Insecure Direct Object Reference (IDOR) in Langflow that allows authenticated attackers to access other users' flows. An attacker can send a crafted request to the /api/v1/responses endpoint containing the victim's UUID (flow_id) and thereby retrieve or act on flows that belong to other users. Successful exploitation can expose sensitive data processed by those flows and allow an attacker to consume the victim's compute and other resources.
CISA places the CVE on the Known Exploited Vulnerabilities catalog and issues a BOD-26-04 deadline
The U.S. Cybersecurity and Infrastructure Security Agency added CVE-2026-55255 to its Known Exploited Vulnerabilities (KEV) Catalog and ordered U.S. Federal Civilian Executive Branch agencies to secure affected assets by Friday under Binding Operational Directive 26-04. CISA warned that "this type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise," and told stakeholders to evaluate each asset's internet exposure and follow BOD 26-04 patching guidance.
Observed exploitation: code execution, implants, and financial motives
Sysdig's Threat Research Team first saw CVE-2026-55255 exploited in the wild on June 25. The researchers wrote that the exploitation objective was "code execution and second-stage implant delivery (loader/dropper class)." They further concluded the attacker was pursuing two reliable yields from compromised AI hosts: compute (for botnet or implant use) and credentials (LLM/cloud keys), using "cheap, repeatable, low-sophistication tooling."
Related active threats: path traversal, code injection, and prior Langflow entries in KEV
CISA had already added a Langflow entry to its KEV catalog in May 2025 and added a separate code-injection vulnerability (CVE-2026-33017). Since June, attackers have also actively exploited a high-severity Langflow path traversal vulnerability, CVE-2026-5027, to write arbitrary files on exposed servers, according to VulnCheck security researcher Caitlin Condon. Those concurrent exploitations indicate multiple, ongoing targeting patterns against exposed Langflow instances.
How federal agencies, security teams, and AI developers should respond
- Federal agencies: The CISA directive places a near-term, enforceable obligation on U.S. Federal Civilian Executive Branch agencies to patch or mitigate CVE-2026-55255 by the specified Friday under BOD 26-04, and to evaluate internet exposure of affected assets as CISA instructed.
- Security teams: The exploitation observed by Sysdig — focused on code execution and implant delivery — underscores risks beyond data theft, including resource abuse. Detection and patching should be prioritized for exposed Langflow endpoints such as /api/v1/responses, and teams should note that attackers are using low-sophistication tooling to seek compute and LLM/cloud keys.
- AI developers and maintainers using Langflow: The platform's drag-and-drop interface and REST API make it a high-value target; teams running publicly reachable Langflow instances should inventory flows and credentials, and apply fixes for CVE-2026-55255, CVE-2026-5027, and CVE-2026-33017 as appropriate.
Detection remains a challenge: a Picus whitepaper cited in the same reporting notes security teams log 54% of successful attacks and alert on just 14%, arguing that breach-and-attack simulation helps validate SIEM and EDR rules. In this environment — multiple Langflow flaws, clear in-the-wild exploitation, and a CISA-directed deadline — exposed instances and weak patching posture create immediate, measurable risk.
For now, the record in the public reporting shows exploited CVEs, observed attacker behavior, and a hard deadline for federal agencies to act. Whether patching and exposure assessments will reduce the yield attackers seek — compute and credentials — is a near-term test of how quickly operators follow the KEV and BOD 26-04 guidance.




