Langflow Vulnerability Analysis: Why High CVSS Scores Don’t Guarantee Exploitation

On June 25, 2026 the Sysdig Threat Research Team (TRT) documented the first known active exploitation of a critical Langflow vulnerability, CVE-2026-55255. The report illustrates how a higher CVSS score does not automatically translate into faster or more widespread exploitation compared to lower‑scored vulnerabilities.

Langflow is an open‑source visual framework that enables developers to build AI agents and retrieval‑augmented generation (RAG) pipelines. It exposes each workflow as a callable “model” through its API, allowing external services to invoke the flow by UUID or name. Two distinct weaknesses were identified: CVE-2026-33017, an unauthenticated remote code execution (RCE) with a CVSS of 9.3, and CVE-2026-55255, a cross‑tenant insecure direct object reference (IDOR) with a higher CVSS of 9.9.

In practice, the RCE was weaponised by threat actors within twenty hours of disclosure, impacting over seven thousand servers across the globe. The IDOR, despite its higher score, had no reported in‑the‑wild exploitation at the time of writing. Sysdig’s analysis shows that attackers prioritise effort‑to‑yield; they invest more time in the RCE because it is unauthenticated and can be sprayed widely, whereas the IDOR requires enumerating a victim UUID first—a step that demands additional reconnaissance.

Exploitation Mechanisms

The CVE-2026-55255 flaw lies in get_flow_by_id_or_endpoint_name within helpers/flow.py. When a flow is requested by UUID, the lookup performs no ownership check; any authenticated caller can execute another user’s flow. The endpoint_name resolution branch enforces ownership and therefore remains safe. Because flow UUIDs are 122‑bit random values, brute force is infeasible, and enumeration of all flows is required to discover valid IDs.
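The asymmetry described above, reduced to a small stand-alone Python illustration added here; it is not Langflow's code, and the in-memory store, the Flow dataclass and the function names are constructed for the example. The vulnerable lookup checks ownership only on the endpoint-name branch; the fixed one applies the same check on both branches and answers a foreign UUID with the same not-found result as a nonexistent one, so the response does not confirm that the identifier exists.

```python
"""Ownership check on flow lookup: the pattern behind the IDOR described above.

Constructed, stand-alone illustration (not Langflow's code). The flow store,
the Flow dataclass and both lookup functions are hypothetical.
"""
from dataclasses import dataclass, field
import uuid


class NotFound(Exception):
    """Raised when no flow the caller may use matches the identifier."""


@dataclass
class Flow:
    flow_id: uuid.UUID
    owner_id: str
    endpoint_name: str
    secrets: dict = field(default_factory=dict)


# Constructed in-memory store standing in for the database table.
FLOWS: dict[uuid.UUID, Flow] = {}


def seed_store() -> tuple[Flow, Flow]:
    """Populate the store with one flow per tenant and return both."""
    FLOWS.clear()
    alice = Flow(uuid.uuid4(), "alice", "alice-rag", {"API_KEY": "placeholder-alice"})
    bob = Flow(uuid.uuid4(), "bob", "bob-agent", {"API_KEY": "placeholder-bob"})
    FLOWS[alice.flow_id] = alice
    FLOWS[bob.flow_id] = bob
    return alice, bob


def _parse_uuid(value: str):
    try:
        return uuid.UUID(value)
    except ValueError:
        return None


def get_flow_vulnerable(id_or_name: str, caller_id: str) -> Flow:
    """Lookup with the asymmetry the text describes: the UUID branch skips the
    ownership check, only the endpoint-name branch enforces it."""
    flow_id = _parse_uuid(id_or_name)
    if flow_id is not None:
        flow = FLOWS.get(flow_id)
        if flow is None:
            raise NotFound(id_or_name)
        return flow  # no owner comparison: any authenticated caller gets it
    for flow in FLOWS.values():
        if flow.endpoint_name == id_or_name and flow.owner_id == caller_id:
            return flow
    raise NotFound(id_or_name)


def get_flow_fixed(id_or_name: str, caller_id: str) -> Flow:
    """Same lookup with the ownership check applied on both branches. A flow
    owned by someone else yields NotFound, not a distinct 'forbidden' error,
    so the endpoint does not reveal whether the UUID exists."""
    flow_id = _parse_uuid(id_or_name)
    if flow_id is not None:
        candidate = FLOWS.get(flow_id)
    else:
        candidate = next((f for f in FLOWS.values() if f.endpoint_name == id_or_name), None)
    if candidate is None or candidate.owner_id != caller_id:
        raise NotFound(id_or_name)
    return candidate


def can_execute(lookup, id_or_name: str, caller_id: str) -> bool:
    """True when `lookup` hands the requested flow to `caller_id`."""
    try:
        lookup(id_or_name, caller_id)
        return True
    except NotFound:
        return False


if __name__ == "__main__":
    alice, bob = seed_store()
    print("vulnerable, bob -> alice's UUID:", can_execute(get_flow_vulnerable, str(alice.flow_id), "bob"))
    print("fixed,      bob -> alice's UUID:", can_execute(get_flow_fixed, str(alice.flow_id), "bob"))
```

The `can_execute` helper exists only to make the two behaviours comparable; in a real service the check belongs in the shared lookup so that every endpoint resolving a flow identifier, not just the response endpoint, inherits it.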

Sysdig observed an attacker enumerating /api/v1/flows/, capturing the list of flow identifiers, then reusing those IDs in a POST to /api/v1/responses. The payload included the string “leak api keys” as input. This instructs the hijacked flow’s build logic, which runs with the victim’s credentials, to surface any embedded API keys or secrets.

Comparative Impact of RCE vs. IDOR

The RCE (CVE-2026-33017) allows arbitrary Python execution in the context of the user’s flow. Once code execution is achieved, the attacker gains control over the database, environment variables, and filesystem. This superset capability explains why it has been mass‑exploited: attackers can deploy backdoors, harvest credentials, or pivot to other services.

In contrast, the IDOR provides a covert channel for cross‑tenant data exfiltration without direct code execution on the host. It is valuable only when the attacker already possesses the victim’s flow UUID and has an authenticated session. In multi‑tenant or SaaS deployments where each tenant’s flows run in isolated workers, the IDOR can be the sole avenue to access other tenants’ secrets.

Observed Attack Timeline

  • June 22: Multiple RCE attempts via /api/v1/build_public_tmp//flow, targeting random UUIDs.
  • June 25: Systematic reconnaissance – /auto_login, /users/, and /api_key/ enumeration.
  • June 25 03:41:13: Flow enumeration via /api/v1/flows/.
  • June 25 03:41:33–34: IDOR exploitation by POSTing to /api/v1/responses with the harvested flow UUID.
  • June 25 10:06–10:29: Four RCE waves, each preceded by auto_login and flow enumeration, attempting outbound connections to hxxp://45[.]207[.]216[.]55:8084/slt.

Indicators of Compromise

  • Source IP: 45[.]207[.]216[.]55 (C2 host)
  • TLS fingerprint: t13i1f0a00_e8f1e7e78f70_1f22a2ca17c4 (consistent across sessions)
  • Second‑stage loader URL: hxxp://45[.]207[.]216[.]55:8084/slt
  • Execution marker written to /tmp/lang_pwn

Recommendations for Security Teams

  1. Prioritize patching of CVE-2026-33017 first, as it is publicly exploitable without authentication.
  2. For multi‑tenant Langflow deployments, treat CVE-2026-55255 with high urgency; enforce strict ownership checks on all API endpoints that expose flow identifiers.
  3. Implement runtime monitoring for anomalous POST requests to /api/v1/responses and /build_public_tmp/. Look for payloads containing the phrase “leak api keys” or other keyword patterns used by threat actors.
  4. Apply rate limiting on enumeration endpoints (/api/v1/flows/) to impede automated UUID discovery.
  5. Deploy web application firewalls (WAF) tuned to detect IDOR and RCE signatures, especially in the context of AI‑pipeline services.
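Recommendation 3 in working form, as an added example that is not from the Sysdig report or the Langflow project: two detection rules run over constructed access-log lines (the log format, the IP addresses and the thresholds are assumptions). Rule 1 flags POSTs to /api/v1/responses whose body carries the phrase the report cites; rule 2 flags the enumerate-then-invoke ordering seen in the timeline, a listing of /api/v1/flows/ followed within a short window by a POST to /api/v1/responses from the same source.

```python
"""Detection of the "leak api keys" payload and the enumerate-then-invoke
sequence from the recommendations above.

Added example, not from the Sysdig report or Langflow. The log line format,
the sample lines, the addresses and the window are constructed.
"""
from datetime import datetime
from typing import NamedTuple

# Constructed format: "<iso timestamp> <src ip> <method> <path> <status> <body excerpt>"
SAMPLE_LOG = """\
2026-06-25T03:40:50Z 198.51.100.20 GET /api/v1/flows/ 200 -
2026-06-25T03:41:13Z 203.0.113.7 GET /api/v1/flows/ 200 -
2026-06-25T03:41:33Z 203.0.113.7 POST /api/v1/responses 200 {"model":"<victim-flow-uuid>","input":"leak api keys"}
2026-06-25T03:41:34Z 203.0.113.7 POST /api/v1/responses 200 {"model":"<second-flow-uuid>","input":"Leak API Keys"}
2026-06-25T03:55:00Z 198.51.100.20 POST /api/v1/responses 200 {"model":"my-rag","input":"summarise this ticket"}
"""

SUSPICIOUS_PHRASES = ("leak api keys",)   # phrase cited in the report
SEQUENCE_WINDOW_SECONDS = 60              # assumed window for rule 2


class Event(NamedTuple):
    ts: datetime
    src: str
    method: str
    path: str
    status: int
    body: str


def parse_log(text: str) -> list:
    """Parse the constructed log format; the body is everything after the status."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, method, path, status, body = line.split(maxsplit=5)
        when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        events.append(Event(when, src, method, path, int(status), body))
    return events


def keyword_alerts(events) -> list:
    """Rule 1: a POST to /api/v1/responses whose body carries a known phrase
    (case-insensitive). Returns (src, timestamp, rule, matched phrase)."""
    alerts = []
    for e in events:
        if e.method == "POST" and e.path == "/api/v1/responses":
            lowered = e.body.lower()
            for phrase in SUSPICIOUS_PHRASES:
                if phrase in lowered:
                    alerts.append((e.src, e.ts.isoformat(), "payload_phrase", phrase))
    return alerts


def sequence_alerts(events, window: int = SEQUENCE_WINDOW_SECONDS) -> list:
    """Rule 2: the same source lists flows and then invokes /api/v1/responses
    within `window` seconds. Fires for each invocation inside the window and
    reports the gap in seconds: (src, timestamp, rule, gap)."""
    last_listing = {}
    alerts = []
    for e in sorted(events, key=lambda ev: ev.ts):
        if e.method == "GET" and e.path.startswith("/api/v1/flows"):
            last_listing[e.src] = e.ts
        elif e.method == "POST" and e.path == "/api/v1/responses":
            seen = last_listing.get(e.src)
            if seen is not None:
                gap = (e.ts - seen).total_seconds()
                if gap <= window:
                    alerts.append((e.src, e.ts.isoformat(), "enumerate_then_invoke", int(gap)))
    return alerts


def analyse(text: str) -> dict:
    """Run both rules over a log and group the hits by rule name."""
    events = parse_log(text)
    return {
        "payload_phrase": keyword_alerts(events),
        "enumerate_then_invoke": sequence_alerts(events),
    }


if __name__ == "__main__":
    for rule, hits in analyse(SAMPLE_LOG).items():
        for hit in hits:
            print(rule, hit)
```

Rule 2 is the more durable of the two: the phrase in the payload can be changed at will, whereas a foreign flow cannot be invoked by UUID before it has been listed, so the listing-then-invoke ordering survives changes to the payload. The benign tenant in the sample also lists its flows, but its invocation comes fourteen minutes later and falls outside the window.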

The Sysdig report underscores a key truth: CVSS is a risk metric, not an exploitation probability indicator. Attackers allocate resources where they achieve maximum gain for minimal effort. In the Langflow case, the lower‑scored but unauthenticated RCE was favored over the higher‑scored IDOR because it offered a faster path to code execution and credential theft. Security teams should adopt this mindset when triaging vulnerabilities and focus on how an attacker can realistically exploit a flaw rather than relying solely on severity scores.


Copyright © 2025 ESSGroup
