Langflow CVE-2026-55255 IDOR Added to CISA KEV: Cross-Tenant Flow Hijack and leak api keys Credential Theft
Date: 2026-07-12
Tags: llmjacking, malware, prompt-injection
Executive Summary
CISA added Langflow CVE-2026-55255 to the Known Exploited Vulnerabilities catalog on 2026-07-07 after Sysdig documented in-the-wild exploitation combining this cross-tenant IDOR with CVE-2026-33017 RCE against internet-exposed Langflow. Operators enumerate /api/v1/flows/, then POST /api/v1/responses with stolen flow UUIDs and input leak api keys to coerce victim flows into surfacing embedded LLM and cloud credentials. Upgrade Langflow to 1.9.1 or later, remove internet exposure of Langflow control planes, and hunt for source IP 45.207.216.55 and second-stage URL 45.207.216.55:8084/slt.
Campaign Summary
| Field | Detail |
|---|---|
| Campaign / Malware | Langflow CVE-2026-55255 IDOR plus CVE-2026-33017 RCE credential and implant campaign |
| Actor / Attribution | Unknown opportunistic financially motivated operator observed by Sysdig (confidence: none for named actor) |
| Target | Internet-exposed and multi-tenant Langflow AI agent/RAG deployments holding embedded provider and cloud secrets |
| Vector | Authenticated IDOR on POST /api/v1/responses after flow UUID disclosure via GET /api/v1/flows/; parallel unauthenticated RCE via CVE-2026-33017 |
| Status | active |
| First Observed | 2026-06-25 exploitation; CISA KEV listing 2026-07-07 |
Detailed Findings
According to Sysdig Threat Research Team, CVE-2026-55255 is an insecure direct object reference in Langflow helpers/flow.py get_flow_by_id_or_endpoint_name: when a flow is resolved by UUID on the OpenAI-Responses-compatible POST /api/v1/responses endpoint, the lookup omits a user_id ownership check, so any authenticated caller can execute another user's flow. The endpoint_name resolution path enforces ownership; only the UUID path is vulnerable. The flaw was fixed in PR 12832 / Langflow 1.9.1.
Sysdig reported that on 2026-06-25 operator 45.207.216.55 returned to a previously probed instance, ran auto_login and user enumeration, listed flows via GET /api/v1/flows/, then within twenty seconds issued CVE-2026-55255 IDOR requests with input leak api keys against enumerated flow UUIDs. The same operator ran multiple CVE-2026-33017 RCE waves that injected Langflow custom components shelling out to curl or wget against http://45.207.216.55:8084/slt piped to sh, with execution marker /tmp/lang_pwn. Sysdig assessed no evidence of an agentic LLM-driven operator; behavior matched a scripted playbook.
Help Net Security reported that CISA added CVE-2026-55255 to KEV on 2026-07-07 with a federal mitigation deadline of 2026-07-10, citing Sysdig observation of active targeting nearly two weeks earlier. Sysdig noted that on a single-tenant host the unauthenticated RCE is a practical superset of IDOR capability, which explains heavier 33017 exploitation, while the IDOR matters most in multi-tenant or managed Langflow where RCE is sandboxed per tenant and the IDOR crosses tenants quietly through the application path.
MITRE ATT&CK Mapping
| Technique | ID | Context |
|---|---|---|
| Exploit Public-Facing Application | T1190 | CVE-2026-55255 IDOR and CVE-2026-33017 RCE against exposed Langflow |
| Unsecured Credentials | T1552 | Extraction of LLM provider keys, cloud credentials, and database secrets from flows |
| Command and Scripting Interpreter | T1059 | RCE payload shells out to curl/wget pipe to sh for second stage |
| Ingress Tool Transfer | T1105 | Download of second-stage loader from attacker-controlled host:8084/slt |
| Resource Hijacking | T1496 | Monetization via stolen AI/cloud credentials and host compute enrollment |
IOCs
Domains
No domain IOCs published by source
Full URL Paths
45.207.216.55:8084/slt
Splunk Format
"45.207.216.55" OR "45.207.216.55:8084/slt" OR "/tmp/lang_pwn" OR "leak api keys"
File Hashes
No hash IOCs published by source
Detection Recommendations
Hunt proxy, WAF, and application logs for POST /api/v1/responses where model is a flow UUID not owned by the authenticated user, especially when input contains leak api keys. Alert on GET /api/v1/flows/ followed closely by /responses calls from the same source. Detect POST /api/v1/build_public_tmp/*/flow with outbound curl or wget to non-allowlisted hosts. Block and investigate 45.207.216[.]55 and JA4 fingerprint t13i1f0a00_e8f1e7e78f70_1f22a2ca17c4 if seen in Sysdig telemetry. Search hosts for /tmp/lang_pwn. Patch to Langflow 1.9.1+, disable internet exposure of Langflow APIs, require strong auth, rotate any LLM or cloud keys stored in flows on exposed instances, and egress-allowlist AI orchestration hosts to approved provider endpoints only.
References
- [Sysdig] Understanding Langflow CVE-2026-55255, and why higher CVSS vulnerabilities aren't always the most exploited (2026-06-26) — https://www.sysdig.com/blog/understanding-langflow-cve-2026-55255-and-why-higher-cvss-vulnerabilities-arent-always-the-most-exploited
- [Help Net Security] Attackers using Langflow flaw for credential harvesting CVE-2026-55255 (2026-07-08) — https://www.helpnetsecurity.com/2026/07/08/langflow-vulnerability-cve-2026-55255-exploited/
- [NVD] CVE-2026-55255 (2026-06-23 / KEV update 2026-07-07) — https://nvd.nist.gov/vuln/detail/CVE-2026-55255