← Back to feed

Langflow CVE-2026-55255 IDOR Added to CISA KEV: Cross-Tenant Flow Hijack and leak api keys Credential Theft

Date: 2026-07-12
Tags: llmjacking, malware, prompt-injection

Executive Summary

CISA added Langflow CVE-2026-55255 to the Known Exploited Vulnerabilities catalog on 2026-07-07 after Sysdig documented in-the-wild exploitation combining this cross-tenant IDOR with CVE-2026-33017 RCE against internet-exposed Langflow. Operators enumerate /api/v1/flows/, then POST /api/v1/responses with stolen flow UUIDs and input leak api keys to coerce victim flows into surfacing embedded LLM and cloud credentials. Upgrade Langflow to 1.9.1 or later, remove internet exposure of Langflow control planes, and hunt for source IP 45.207.216.55 and second-stage URL 45.207.216.55:8084/slt.

Campaign Summary

FieldDetail
Campaign / MalwareLangflow CVE-2026-55255 IDOR plus CVE-2026-33017 RCE credential and implant campaign
Actor / AttributionUnknown opportunistic financially motivated operator observed by Sysdig (confidence: none for named actor)
TargetInternet-exposed and multi-tenant Langflow AI agent/RAG deployments holding embedded provider and cloud secrets
VectorAuthenticated IDOR on POST /api/v1/responses after flow UUID disclosure via GET /api/v1/flows/; parallel unauthenticated RCE via CVE-2026-33017
Statusactive
First Observed2026-06-25 exploitation; CISA KEV listing 2026-07-07

Detailed Findings

According to Sysdig Threat Research Team, CVE-2026-55255 is an insecure direct object reference in Langflow helpers/flow.py get_flow_by_id_or_endpoint_name: when a flow is resolved by UUID on the OpenAI-Responses-compatible POST /api/v1/responses endpoint, the lookup omits a user_id ownership check, so any authenticated caller can execute another user's flow. The endpoint_name resolution path enforces ownership; only the UUID path is vulnerable. The flaw was fixed in PR 12832 / Langflow 1.9.1.

Sysdig reported that on 2026-06-25 operator 45.207.216.55 returned to a previously probed instance, ran auto_login and user enumeration, listed flows via GET /api/v1/flows/, then within twenty seconds issued CVE-2026-55255 IDOR requests with input leak api keys against enumerated flow UUIDs. The same operator ran multiple CVE-2026-33017 RCE waves that injected Langflow custom components shelling out to curl or wget against http://45.207.216.55:8084/slt piped to sh, with execution marker /tmp/lang_pwn. Sysdig assessed no evidence of an agentic LLM-driven operator; behavior matched a scripted playbook.

Help Net Security reported that CISA added CVE-2026-55255 to KEV on 2026-07-07 with a federal mitigation deadline of 2026-07-10, citing Sysdig observation of active targeting nearly two weeks earlier. Sysdig noted that on a single-tenant host the unauthenticated RCE is a practical superset of IDOR capability, which explains heavier 33017 exploitation, while the IDOR matters most in multi-tenant or managed Langflow where RCE is sandboxed per tenant and the IDOR crosses tenants quietly through the application path.

MITRE ATT&CK Mapping

TechniqueIDContext
Exploit Public-Facing ApplicationT1190CVE-2026-55255 IDOR and CVE-2026-33017 RCE against exposed Langflow
Unsecured CredentialsT1552Extraction of LLM provider keys, cloud credentials, and database secrets from flows
Command and Scripting InterpreterT1059RCE payload shells out to curl/wget pipe to sh for second stage
Ingress Tool TransferT1105Download of second-stage loader from attacker-controlled host:8084/slt
Resource HijackingT1496Monetization via stolen AI/cloud credentials and host compute enrollment

IOCs

Domains

No domain IOCs published by source

Full URL Paths

45.207.216.55:8084/slt

Splunk Format

"45.207.216.55" OR "45.207.216.55:8084/slt" OR "/tmp/lang_pwn" OR "leak api keys"

File Hashes

No hash IOCs published by source

Detection Recommendations

Hunt proxy, WAF, and application logs for POST /api/v1/responses where model is a flow UUID not owned by the authenticated user, especially when input contains leak api keys. Alert on GET /api/v1/flows/ followed closely by /responses calls from the same source. Detect POST /api/v1/build_public_tmp/*/flow with outbound curl or wget to non-allowlisted hosts. Block and investigate 45.207.216[.]55 and JA4 fingerprint t13i1f0a00_e8f1e7e78f70_1f22a2ca17c4 if seen in Sysdig telemetry. Search hosts for /tmp/lang_pwn. Patch to Langflow 1.9.1+, disable internet exposure of Langflow APIs, require strong auth, rotate any LLM or cloud keys stored in flows on exposed instances, and egress-allowlist AI orchestration hosts to approved provider endpoints only.

References