A New Category on the KEV List
On July 7, 2026, CISA added CVE-2026-55255 to its Known Exploited Vulnerabilities catalog and set a federal patch deadline of July 11. The software is Langflow, a visual drag-and-drop builder for AI agents — the kind of tool teams use to wire prompts, tools, and data sources into a working agent without hand-writing orchestration code. This is not a content management system or a JavaScript framework. It is software that builds the agents those frameworks increasingly serve. A flaw here does not deface a homepage. It exposes the machinery behind an organization's AI workflows, and the credentials wired into them.
A Broken Authorization Check, Not a Missing Login
The flaw is an insecure direct object reference in Langflow's /api/v1/responses endpoint. An authenticated user who supplies another user's UUID can retrieve that user's flow — the full configuration of an AI agent, including connected tools and, depending on setup, the credentials it uses to reach them. No authorization check verified the requester owned the flow tied to that UUID. The attacker did not bypass authentication; they were already logged in. What they bypassed was the access control that should have confined them to their own data.
Sysdig's threat research team traced active exploitation back to June 25, 2026 — nearly two weeks before the vulnerability reached the federal must-patch list. The compressed four-day remediation deadline (July 7 to July 11) reflects the severity: CISA's typical BOD 22-01 baseline runs closer to two weeks, and shorter windows correlate with higher assessed urgency.
The Target Was Compute and Credentials
Sysdig's researchers describe the intrusions as pursuing code execution and second-stage implant delivery — loader and dropper activity aimed at two assets: compute, to enlist into botnet infrastructure, and credentials, specifically LLM and cloud API keys. The objective was not a database of customer records. It was the compute cycles and API tokens that let an attacker run its own workloads, at someone else's expense, under someone else's account. That combination — credential theft plus compute hijacking through an AI orchestration tool — is a concrete instance of the pattern WebPulse has tracked under one label: AI as a risk multiplier.
Beyond the Detected Framework Layer
WebPulse's scans cover 466,000-plus sites across 30 detected frameworks — the software that renders what a browser or a crawler sees. Langflow, and tools like it, mostly run behind that layer: self-hosted, often on internal networks, orchestrating agents rather than serving pages. They rarely appear in a site scan. The visible web that WebPulse measures in framework share and CVE counts is the front door. This incident illustrates a second door that does not get inventoried the same way — one where the objective for an intruder is no longer a webpage but a working AI agent and the keys it holds.


