US cyber agency gives federal staff four days to patch Langflow AI tool being actively hacked
CISA added an authorisation bypass in the popular AI-agent builder Langflow to its must-patch list after Sysdig spotted attackers stealing cloud keys and hijacking servers.

Key points
- The US Cybersecurity and Infrastructure Security Agency (CISA) ordered federal agencies on Tuesday to patch a Langflow flaw, tracked as CVE-2026-55255, by Friday.
- Security firm Sysdig first saw criminals exploiting the bug in the wild on 25 June, using it to drop malware and steal credentials.
- The flaw lets a logged-in user read and run other users' AI workflows by sending a rigged request to a single web address inside Langflow.
- It is the third Langflow bug CISA has flagged as actively exploited, after CVE-2025-3248 in May 2025 and CVE-2026-33017 in March 2026.
- The May 2025 bug is now being used by the JadePuffer ransomware crew to steal Langflow's internal database.
CISA has given US federal agencies four days to fix a serious hole in Langflow, a tool developers use to build AI agents by dragging and dropping components on a screen.
The order landed on Tuesday. The deadline is Friday.
Langflow is popular because it lets teams wire up AI models, data sources and actions without writing much code, then run those workflows through a web address other software can call. That popularity also makes it a magnet for criminals, who know a single compromised Langflow server can hand over both cloud keys and spare computing power.
What does the bug actually let attackers do?
It lets someone with any valid Langflow account peek at, and run, other users' AI workflows on the same server.
The flaw is what security researchers call an Insecure Direct Object Reference, or IDOR: the software checks that you are logged in, but not that the thing you are asking for actually belongs to you. In this case, an attacker sends a request to the /api/v1/responses address inside Langflow with someone else's workflow ID attached, and Langflow simply hands it over.
That is bad on two fronts. The attacker can read whatever data those workflows process, which often includes customer records or business documents. They can also burn the victim's computing resources and any API keys the workflow uses to reach services like OpenAI or Amazon Web Services.
Who is behind the attacks?
Sysdig's Threat Research Team, which first reported the exploitation, describes the attackers as opportunistic and out for money.
"It's clear that the motive was money via the two reliable yields of a compromised AI host: its compute and its credentials," the team wrote. Translated: hack the box, then either rent out its processing power as part of a botnet or resell the AI and cloud keys it stores. Sysdig said the tooling used was "cheap, repeatable, low-sophistication."
The end goal was code execution and dropping a second-stage implant, meaning a small program that stays behind to let the attackers back in later.
Why the tight deadline?
CISA runs a list called the Known Exploited Vulnerabilities Catalog. Once a bug lands there, US federal civilian agencies must patch it within a set window under a rule called Binding Operational Directive 26-04.
"This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise," CISA said in its notice.
As first reported by BleepingComputer, this is the third Langflow bug to get the KEV treatment. In May 2025, CISA added CVE-2025-3248, a missing-authentication flaw now being used by the JadePuffer ransomware crew to dump Langflow's PostgreSQL database, the internal store where the tool keeps user data and flow definitions. In March 2026, CISA added CVE-2026-33017, a code-injection bug. And since June, VulnCheck researcher Caitlin Condon has tracked live exploitation of CVE-2026-5027, a path traversal flaw that lets attackers write files anywhere on an exposed server.
What Langflow users should do now
Upgrade to the latest Langflow release straight away.
If your Langflow instance is reachable from the public internet, take it off the internet until it is patched, or put it behind a VPN or IP allowlist. Rotate every API key, cloud credential and model key that Langflow has touched. Check server logs for unexpected requests to /api/v1/responses and for new user accounts you did not create.
If you run Langflow inside a company, assume any data it processed since June may have been read by someone else.



