Critical · Vulnerability · Active

Langflow IDOR in Flow Access Control – Authentication Bypass via UUID-Based Direct Object Reference

An Insecure Direct Object Reference (IDOR) vulnerability in Langflow's `/api/v1/responses` endpoint allows authenticated attackers to access and execute flows owned by other users by manipulating flow UUIDs. The vulnerability bypasses user ownership validation when flows are referenced by UUID rather than endpoint name.

Sebastion

CVE References

Affected

langflow-ai/langflow (v1.9.0 and likely earlier versions)

Vulnerability Description

The root cause is a logic flaw in the get_flow_by_id_or_endpoint_name() helper function located in src/backend/base/langflow/helpers/flow.py (lines 399–414). The function implements two distinct code paths: one for UUID-based lookups and one for endpoint-name-based lookups. Critically, the UUID path queries the database directly via session.get(Flow, flow_id) without performing user ownership verification, whereas the endpoint-name path correctly validates Flow.user_id == uuid_user_id before returning the flow object. This inconsistency creates a direct object reference vulnerability where an authenticated user can construct requests to the /api/v1/responses endpoint specifying a victim's flow UUID, bypassing all authorization checks. The impact is severe: authenticated attackers gain the ability to execute arbitrary flows belonging to other users, potentially leading to unauthorized data access, lateral movement within the platform, or resource abuse.

Proof-of-Concept Significance

The disclosed PoC demonstrates that the vulnerability is trivial to exploit—it requires only valid authentication credentials and knowledge of a target flow's UUID (which may be enumerable or discoverable through information disclosure). The attack is deterministic and highly reliable given these preconditions. The PoC proves that authorization enforcement is entirely absent from one code path, making this a textbook IDOR flaw with high likelihood of real-world exploitation by both low-skill and sophisticated threat actors.

Detection Guidance

Defensive teams should monitor for:

  • Log Indicators: Requests to /api/v1/responses with flow UUIDs that do not match the authenticated user's own flows (correlate user_id in auth token against Flow.user_id in database queries).
  • Anomalous Patterns: Rapid or sequential requests to /api/v1/responses endpoints with different flow UUIDs from the same user session, especially if those flows belong to different users.
  • API Access Logs: Track 200 OK responses to /api/v1/responses where the requesting user_id differs from the flow owner's user_id.
  • YARA/Detection Rules: Match HTTP POST/GET requests to /api/v1/responses followed by UUID parameters that can be cross-referenced against flow ownership metadata.

Mitigation Steps

Immediate Actions:

  1. Patch the get_flow_by_id_or_endpoint_name() function to enforce user ownership checks for both UUID and endpoint-name paths:
    • Add stmt = select(Flow).where((Flow.id == flow_id) & (Flow.user_id == uuid_user_id)) for UUID lookups.
    • Ensure all query branches validate Flow.user_id against the authenticated request context.
  2. Review all other endpoints that call this helper function and verify they properly propagate the authenticated user's ID.
  3. Conduct a code audit of the other helper functions in langflow/helpers/flow.py for similar authorization bypasses.
  4. Apply the patch and upgrade to the patched Langflow version (post-v1.9.0).
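
The two lookup patterns described above, side by side, as an added example (not Langflow's code): it models the flow table with an in-memory SQLite database instead of the project's ORM. The schema, the function names lookup_unscoped and lookup_scoped, and all user and flow identifiers are constructed for illustration.

```python
import sqlite3
import uuid

# Constructed sample data: two users, one flow each.
ALICE, BOB = "user-alice", "user-bob"
ALICE_FLOW = "11111111-1111-4111-8111-111111111111"
BOB_FLOW = "22222222-2222-4222-8222-222222222222"

def make_db():
    """In-memory stand-in for the flow table (hypothetical minimal schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE flow (id TEXT PRIMARY KEY, user_id TEXT, endpoint_name TEXT)")
    db.executemany("INSERT INTO flow VALUES (?, ?, ?)",
                   [(ALICE_FLOW, ALICE, "alice-report"), (BOB_FLOW, BOB, "bob-report")])
    return db

def as_uuid(value):
    """Return the canonical UUID string, or None if value is not a UUID."""
    try:
        return str(uuid.UUID(value))
    except ValueError:
        return None

def lookup_unscoped(db, flow_id_or_name, user_id):
    """Flawed pattern from the description: only the name path checks the owner."""
    flow_id = as_uuid(flow_id_or_name)
    if flow_id is not None:
        # UUID path: primary-key fetch with no ownership predicate.
        sql, args = "SELECT id, user_id FROM flow WHERE id = ?", (flow_id,)
    else:
        sql = "SELECT id, user_id FROM flow WHERE endpoint_name = ? AND user_id = ?"
        args = (flow_id_or_name, user_id)
    return db.execute(sql, args).fetchone()

def lookup_scoped(db, flow_id_or_name, user_id):
    """Hardened pattern: every branch filters on the caller's user_id."""
    if user_id is None:
        return None  # fail closed when no authenticated user is propagated
    flow_id = as_uuid(flow_id_or_name)
    if flow_id is not None:
        sql, key = "SELECT id, user_id FROM flow WHERE id = ? AND user_id = ?", flow_id
    else:
        sql = "SELECT id, user_id FROM flow WHERE endpoint_name = ? AND user_id = ?"
        key = flow_id_or_name
    return db.execute(sql, (key, user_id)).fetchone()

if __name__ == "__main__":
    db = make_db()
    print("unscoped, Bob -> Alice's UUID:", lookup_unscoped(db, ALICE_FLOW, BOB))
    print("scoped,   Bob -> Alice's UUID:", lookup_scoped(db, ALICE_FLOW, BOB))
```

The same cross-user assertions work as a regression test against the patched helper: a lookup of another user's flow UUID must return nothing, on both the UUID and endpoint-name paths.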

Workarounds (temporary):

  • Implement a reverse proxy or WAF rule that blocks /api/v1/responses requests when the flow UUID in the request does not appear in a whitelist of UUIDs owned by the authenticated user (requires user-to-flow mapping data).
  • Restrict /api/v1/responses endpoint access to specific network segments or IP ranges if operationally feasible.

Risk Assessment

Likelihood of Exploitation: Very High. IDOR vulnerabilities are among the most frequently exploited authorization flaws in production systems. The low barrier to entry (requires only authentication) and high impact make this attractive to threat actors of all skill levels. Given the public disclosure via GitHub Security Advisories and the straightforward nature of the attack, exploitation in the wild is probable within days to weeks of the advisory release.

Threat Actor Interest: High. Langflow is used in AI/ML workflow automation; attackers may seek to chain this IDOR with other vulnerabilities to achieve code execution, data exfiltration, or supply-chain attacks. Insider threats and competing teams with platform access are particularly high-risk adversaries for this vulnerability.