The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has directed federal agencies to patch an actively exploited vulnerability in Langflow, a popular visual framework for building and deploying AI agent pipelines, with a deadline set for this Friday.

The Vulnerability

The flaw, tracked as CVE-2026-55255, is classified as an Insecure Direct Object Reference (IDOR). It allows authenticated attackers to access other users’ flows by sending a crafted request to the /api/v1/responses endpoint with a target user’s UUID. Successful exploitation exposes sensitive data processed by victim flows and allows attackers to consume their compute resources.

Active Exploitation and Attacker Motives

Sysdig’s Threat Research Team first observed in-the-wild exploitation of CVE-2026-55255 on June 25. According to Sysdig, the objective was code execution and delivery of second-stage implants, specifically loader and dropper class malware. Researchers characterized the threat actor as opportunistic and financially motivated, pursuing two primary yields from compromised AI hosts: compute resources for botnet activity and credentials such as LLM API keys and cloud access tokens. The tooling observed was described as cheap, repeatable, and low-sophistication.

Federal Directive and KEV Catalog

CISA added CVE-2026-55255 to its Known Exploited Vulnerabilities (KEV) catalog on Tuesday, triggering a patch requirement for U.S. Federal Civilian Executive Branch (FCEB) agencies under Binding Operational Directive (BOD) 26-04. CISA noted that this class of vulnerability represents a frequent and significant attack vector against the federal enterprise.

A Pattern of Langflow Exploitation

This is not the first time Langflow vulnerabilities have drawn federal attention. CISA’s prior actions against the platform include:

  • CVE-2025-3248, a missing authentication flaw added to KEV in May 2025 and flagged as exploited by ransomware operators. Cloud security firm Sysdig linked the JadePuffer ransomware operation to exploitation of this flaw to dump Langflow’s PostgreSQL database.
  • CVE-2026-33017, a code injection vulnerability added to KEV in March 2026.
  • CVE-2026-5027, a high-severity path traversal flaw that has been actively exploited since June to write arbitrary files on exposed servers, according to VulnCheck researcher Caitlin Condon.

The repeated targeting of Langflow reflects its growing adoption in AI development workflows, making deployments an attractive surface for financially motivated threat actors seeking both compute and credential access. Organizations running Langflow instances, particularly those exposed to the internet, should treat patching as urgent regardless of federal mandates.