Update: CISA added CVE-2026-55255 for Langflow to the Known Exploited Vulnerabilities catalog on July 7, 2026. If you run Langflow for AI workflows, demos, internal tools, or customer automation, this should move to the top of the patch queue.
What Changed
CISA now tracks this Langflow authorization issue in KEV with a July 10, 2026 due date. CISA currently lists ransomware campaign use as unknown.
The CVE record and GitHub advisory describe an authorization boundary problem in Langflow before version 1.9.2. In plain English: a logged-in user could cross user or tenant boundaries and run another user’s flow in affected deployments. The fixed version is Langflow 1.9.2 or later.
Who Should Check
- Teams running Langflow on public VPS, cloud, Docker, Kubernetes, or shared developer hosts.
- AI builder deployments with multiple users, customers, contractors, or internal teams.
- Hosting providers that allow customers to run AI workflow tools behind a general control panel.
- Any organization that connected Langflow to secrets, model providers, internal APIs, or sensitive internal sources.
Patch First
- Back up the Langflow host, configuration, database, and any environment file used for integrations.
- Record the installed Langflow version and deployment method.
- Upgrade Langflow to 1.9.2 or later from the official project release channel.
- Restart the service cleanly and confirm the application reports the patched version.
- Keep Langflow behind authentication, VPN, SSO, or a trusted access layer. Public builder interfaces should be the exception, not the default.
Review Access And Secrets
After patching, review users, API tokens, saved provider credentials, recently executed flows, and outbound connections. If the instance is multi-user or customer-facing, assume the impact can cross normal workspace boundaries until logs prove otherwise. Rotate sensitive tokens if you see unexplained activity or if the instance was exposed before the update.
Hosting Admin Notes
Hosts should inventory Langflow containers and developer VPS instances, especially where customers expose AI builders for testing. Add a temporary access-control layer while owners patch, and document any instance that cannot be upgraded quickly. Do not rely on obscurity or a non-standard port for this class of issue.
