The first AI agent platform hit CISA's must-patch list. Audit yours.
A cross-tenant IDOR in Langflow let attackers steal LLM and cloud keys. It's the first AI agent builder on CISA's KEV — proof your agent stack is attack surface.
The low-code AI builder you spun up to prototype an agent is a database of live credentials. That's the lesson from CVE-2026-55255, a flaw in Langflow that attackers used to walk out with LLM provider keys and AWS credentials — and the reason Langflow just became the first AI agent platform ever added to CISA's Known Exploited Vulnerabilities catalog.
What actually happened
Per the NVD entry, CVE-2026-55255 is a cross-tenant insecure direct object reference (IDOR) in Langflow's /api/v1/responses endpoint, carrying a CVSS score of 6.1. In versions before 1.9.2, any authenticated user could execute another user's flow simply by supplying that flow's ID in a request — no privilege escalation, no exploit chain, just an ID swap.
The payoff is what makes a 6.1 dangerous. Sysdig's Threat Research Team observed active exploitation with attackers using the IDOR to run other tenants' flows and harvest the secrets embedded in them: LLM provider keys, cloud credentials, and database passwords. Sysdig watched a single operator pair this bug with CVE-2026-33017, an unauthenticated RCE, against the same instance in one week.
CISA added the flaw to its KEV catalog on July 7, 2026, and ordered federal civilian agencies to patch by July 10, per BleepingComputer. It landed alongside three 10.0-severity flaws in Adobe ColdFusion and two Joomla page builders — but Langflow is the one that marks the shift: The Hacker News noted it as the first AI agent platform on the list.
Why it matters for your business
Agent builders invert the normal security calculus. A traditional app leaks whatever it stores; an agent builder stores the keys to everything it can reach — your OpenAI account, your AWS environment, your production database — all in one place, often stood up by someone who was "just testing something." A medium-severity bug becomes a full credential dump because of what's sitting inside the flows.
If you're running Langflow, patch to 1.9.2 today and rotate every key that touched it. But the broader move is inventory: know every low-code AI tool running in your name, what credentials it holds, and whether it's exposed to the internet. The convenience that makes these platforms great for prototypes is the same convenience that makes them a single point of failure in production.
Key takeaways
- CVE-2026-55255 is a cross-tenant IDOR in Langflow (CVSS 6.1); patched in version 1.9.2
- Attackers executed other tenants' flows to steal LLM provider keys, AWS credentials, and database secrets
- Langflow is the first AI agent platform added to CISA's KEV catalog (July 7); federal patch deadline July 10
- Agent builders concentrate every credential they can reach — a medium-severity bug becomes a full key dump
Not sure what your AI tools can actually see? We audit agent stacks for exposed credentials and secrets sprawl, then rebuild them with scoped keys and real isolation. See what we build or book a security audit.
Sources: NVD — CVE-2026-55255, Help Net Security, BleepingComputer, The Hacker News.
- #security
- #ai-agents
- #cve
- #langflow
- #credentials
Tommy Rush — Founder, Rush Commerce
Operator turned builder. 15+ years running operations — now shipping the systems businesses run on. More
Get The Rush Report weekly — one email, zero fluff.
Keep reading
Open weights just landed in GitHub Copilot. Own your model layer.
GitHub added Moonshot's open-weight Kimi K2.7 to Copilot's model picker — five labs, one subscription. The lesson: treat the model as a swappable dial, not a dependency.
Read itOllama raised $65M. Running models locally is now the point.
Ollama's $65M Series B and 8.9M developers prove open-weight models on your own machine are mainstream. Why owning your inference layer is a portability move.
Read it