CISA orders feds to prioritize patching Langflow auth bypass flaw
Summary
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) ordered federal agencies to patch an actively exploited vulnerability in Langflow, a popular tool for building AI agents with a drag-and-drop interface. The flaw, tracked as CVE-2026-55255, is an IDOR (insecure direct object reference, where an attacker can access data they shouldn't by manipulating request parameters) that lets authenticated attackers view other users' workflows and steal sensitive data or computing resources. Attackers are already using this vulnerability to gain code execution and deploy malware to compromise servers and steal credentials.
Solution / Mitigation
CISA ordered federal agencies to patch the vulnerability by Friday, as required by Binding Operational Directive (BOD) 26-04. The source states that 'stakeholders are responsible for evaluating each asset's internet exposure and ensuring adherence to BOD 26-04 patching guidelines,' but does not provide specific patch version numbers or technical patching instructions.
Classification
Affected Vendors
Related Issues
CVE-2026-34371: LibreChat is a ChatGPT clone with additional features. Prior to 0.8.4, LibreChat trusts the name field returned by the e
CVE-2024-27444: langchain_experimental (aka LangChain Experimental) in LangChain before 0.1.8 allows an attacker to bypass the CVE-2023-
Original source: https://www.bleepingcomputer.com/news/security/cisa-orders-feds-to-prioritize-patching-langflow-auth-bypass-flaw/
First tracked: July 8, 2026 at 08:00 AM
Classified by LLM (prompt v3) · confidence: 95%