Skip to content
Security & Trust

An AI Agent Builder Just Landed on CISA's Exploited-Vulnerability List

Langflow, a visual builder for AI agents, joins CISA's KEV catalog after attackers used a broken authorization flaw to harvest LLM credentials and hijack compute.

· 4 min read
Share on X LinkedIn
An AI Agent Builder Just Landed on CISA's Exploited-Vulnerability List

A New Category on the KEV List

On July 7, 2026, CISA added CVE-2026-55255 to its Known Exploited Vulnerabilities catalog and set a federal patch deadline of July 11. The software is Langflow, a visual drag-and-drop builder for AI agents — the kind of tool teams use to wire prompts, tools, and data sources into a working agent without hand-writing orchestration code. This is not a content management system or a JavaScript framework. It is software that builds the agents those frameworks increasingly serve. A flaw here does not deface a homepage. It exposes the machinery behind an organization's AI workflows, and the credentials wired into them.

Insecure Direct Object Reference (IDOR) in /api/v1/responses
CVE-2026-55255
Source: CISA KEV Catalog (July 7, 2026); Sysdig Threat Research

A Broken Authorization Check, Not a Missing Login

The flaw is an insecure direct object reference in Langflow's /api/v1/responses endpoint. An authenticated user who supplies another user's UUID can retrieve that user's flow — the full configuration of an AI agent, including connected tools and, depending on setup, the credentials it uses to reach them. No authorization check verified the requester owned the flow tied to that UUID. The attacker did not bypass authentication; they were already logged in. What they bypassed was the access control that should have confined them to their own data.

Sysdig's threat research team traced active exploitation back to June 25, 2026 — nearly two weeks before the vulnerability reached the federal must-patch list. The compressed four-day remediation deadline (July 7 to July 11) reflects the severity: CISA's typical BOD 22-01 baseline runs closer to two weeks, and shorter windows correlate with higher assessed urgency.

12 days
Time from first observed exploitation to KEV listing
Source: BleepingComputer, citing Sysdig Threat Research Team (July 8, 2026)
4 days (July 7–11, under BOD 22-01)
Federal patch deadline
Source: CISA Known Exploited Vulnerabilities Catalog

The Target Was Compute and Credentials

Sysdig's researchers describe the intrusions as pursuing code execution and second-stage implant delivery — loader and dropper activity aimed at two assets: compute, to enlist into botnet infrastructure, and credentials, specifically LLM and cloud API keys. The objective was not a database of customer records. It was the compute cycles and API tokens that let an attacker run its own workloads, at someone else's expense, under someone else's account. That combination — credential theft plus compute hijacking through an AI orchestration tool — is a concrete instance of the pattern WebPulse has tracked under one label: AI as a risk multiplier.

Beyond the Detected Framework Layer

WebPulse's scans cover 466,000-plus sites across 30 detected frameworks — the software that renders what a browser or a crawler sees. Langflow, and tools like it, mostly run behind that layer: self-hosted, often on internal networks, orchestrating agents rather than serving pages. They rarely appear in a site scan. The visible web that WebPulse measures in framework share and CVE counts is the front door. This incident illustrates a second door that does not get inventoried the same way — one where the objective for an intruder is no longer a webpage but a working AI agent and the keys it holds.

1,635
CISA KEV catalog entries (all vendors)
Source: CISA Known Exploited Vulnerabilities Catalog (July 7, 2026)
CVEs in this analysis
CVE-2026-55255
Share this insight