Exposures › CVE-2026-55255
Langflow allows authenticated attackers to execute any user's flow by specifying a victim's flow ID, bypassing authorization controls.
This authorization bypass enables an authenticated attacker to impersonate another user and execute their flows, creating a significant risk for DIB organizations using Langflow for sensitive workflows. The vulnerability is actively exploited in the wild, requiring immediate patching and review of access controls to prevent unauthorized flow execution.
Shame score — While actively exploited, the vulnerability requires authentication to exploit and does not involve default credentials or supply-chain compromise.
Langflow contains an authorization bypass through user-controlled key vulnerability which allows an authenticated attacker to execute any flow belonging to another user by specifying the victim's flow ID in the request.
No correlated FedRAMP products.