PT-2026-51099 · Langflow · Langflow

Published 2026-06-19 · Updated 2026-06-20 · CVE-2026-55255

CVSS v3.1: 9.9 Critical
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L
Name of the Vulnerable Software and Affected Versions: langflow versions prior to 1.9.1

Description: An Insecure Direct Object Reference (IDOR) exists in the '/api/v1/responses' endpoint. This issue allows an authenticated attacker to execute any flow belonging to another user by specifying the victim's flow ID in the request. The flaw is located in the get_flow_by_id_or_endpoint_name() helper function, which queries the database for flows by UUID without verifying that the authenticated user owns the requested flow. This can lead to the exposure of sensitive data processed by the victim's flows and the unauthorized consumption of their resources.

Recommendations: Upgrade to version 1.9.1.
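The following Python sketch is an added illustration of the bug class described above; it is not Langflow's code and makes no claim about how the project's helper is written. It models a "run flow" lookup in two forms: an unscoped helper that resolves a flow by UUID or endpoint name alone, and a hardened helper that makes the calling user's id part of the lookup predicate. The function names (get_flow_unscoped, get_flow_for_user, run_flow, is_accessible), the in-memory store and the sample users and flows are all assumptions constructed for the example.

```python
import uuid
from dataclasses import dataclass
from typing import Dict, Optional

# Added illustration, not Langflow's code: an in-memory model of the lookup
# helper behind a "run flow" endpoint, in a vulnerable and a fixed form.


@dataclass(frozen=True)
class Flow:
    id: uuid.UUID
    user_id: uuid.UUID            # owner of the flow
    name: str
    endpoint_name: Optional[str] = None


class FlowNotFound(Exception):
    """Raised for both 'no such flow' and 'not your flow' so the response
    does not reveal whether a guessed UUID exists."""


# Constructed sample data (assumed, not from the advisory): two users, one flow each.
ALICE = uuid.UUID("11111111-1111-4111-8111-111111111111")
BOB = uuid.UUID("22222222-2222-4222-8222-222222222222")
ALICE_FLOW_ID = "aaaaaaaa-0000-4000-8000-000000000001"
BOB_FLOW_ID = "bbbbbbbb-0000-4000-8000-000000000002"

FLOWS: Dict[uuid.UUID, Flow] = {}
for _f in (
    Flow(uuid.UUID(ALICE_FLOW_ID), ALICE, "alice-summariser", "summarise"),
    Flow(uuid.UUID(BOB_FLOW_ID), BOB, "bob-hr-bot", "hr"),
):
    FLOWS[_f.id] = _f


def _parse_flow_id(value: str) -> Optional[uuid.UUID]:
    """Return a UUID when the path parameter is one, else None (treat it as an endpoint name)."""
    try:
        return uuid.UUID(value)
    except ValueError:
        return None


def get_flow_unscoped(flow_ref: str) -> Flow:
    """Vulnerable pattern (the shape of bug the advisory describes): the lookup is
    keyed on the flow identifier alone, so any authenticated caller who knows a
    UUID or endpoint name gets another user's flow back."""
    flow_id = _parse_flow_id(flow_ref)
    if flow_id is not None:
        flow = FLOWS.get(flow_id)
    else:
        flow = next((f for f in FLOWS.values() if f.endpoint_name == flow_ref), None)
    if flow is None:
        raise FlowNotFound(flow_ref)
    return flow


def get_flow_for_user(flow_ref: str, user_id: uuid.UUID) -> Flow:
    """Hardened form: the owner is part of the query predicate rather than a check
    bolted on afterwards, and a foreign flow is indistinguishable from a missing one."""
    flow_id = _parse_flow_id(flow_ref)
    if flow_id is not None:
        flow = FLOWS.get(flow_id)
        if flow is not None and flow.user_id != user_id:
            flow = None                       # same outcome as "does not exist"
    else:
        flow = next(
            (f for f in FLOWS.values()
             if f.user_id == user_id and f.endpoint_name == flow_ref),
            None,
        )
    if flow is None:
        raise FlowNotFound(flow_ref)
    return flow


def is_accessible(flow_ref: str, user_id: uuid.UUID, scoped: bool = True) -> bool:
    """Convenience check: can `user_id` resolve `flow_ref` through the chosen helper?"""
    try:
        if scoped:
            get_flow_for_user(flow_ref, user_id)
        else:
            get_flow_unscoped(flow_ref)
        return True
    except FlowNotFound:
        return False


def run_flow(current_user: uuid.UUID, flow_ref: str, scoped: bool = True) -> str:
    """Stand-in for the endpoint handler: resolve the flow as the caller, then 'run' it.
    With scoped=False it reproduces the IDOR; with scoped=True the caller only ever
    runs flows they own."""
    flow = get_flow_for_user(flow_ref, current_user) if scoped else get_flow_unscoped(flow_ref)
    return f"ran {flow.name} (owner {flow.user_id}) as {current_user}"


if __name__ == "__main__":
    print("unscoped, Alice -> Bob's flow:", is_accessible(BOB_FLOW_ID, ALICE, scoped=False))
    print("scoped,   Alice -> Bob's flow:", is_accessible(BOB_FLOW_ID, ALICE))
    print(run_flow(BOB, "hr"))
```

The point of the fixed helper is that ownership is resolved inside the lookup, so every caller of the helper inherits the check, and both the UUID and the endpoint-name path are scoped the same way; a lookup that is correct only when the handler remembers to compare user ids afterwards is the pattern that produces this class of IDOR.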

Fix

IDOR


Weakness Enumeration

Related Identifiers

CVE-2026-55255
GHSA-QRPV-Q767-XQQ2

Affected Products

Langflow