This week CISA added Langflow to its Known Exploited Vulnerabilities catalog and gave U.S. federal agencies until July 10 to remediate. That makes Langflow — the popular open-source visual builder for LLM agents — the first AI-agent orchestration platform to earn a KEV listing. It is worth sitting with what that milestone actually marks, because the two vulnerabilities that got it there are, on paper, about as different as two web bugs can be, and they converge on precisely the same outcome.

Two doors, one vault#

The first, CVE-2026-33017, is the kind of bug that makes security researchers wince and grin at once: an unauthenticated remote code execution. Langflow's POST /api/v1/build_public_tmp/{flow_id}/flow endpoint, meant to let anyone preview a public flow, would accept an optional data parameter and use the attacker's flow definition instead of the stored one. Node definitions can carry Python, and that Python went straight to exec() with no sandbox. One anonymous HTTP request, full system compromise. It hit CISA's KEV back in March, and by then researchers were watching roughly 7,000 exposed servers get hammered — some within about twenty hours of disclosure. JFrog later found that an official "fixed" release was still exploitable, which tells you how load-bearing that one endpoint was.

The second, CVE-2026-55255, is the new entry, and it is the opposite kind of bug. It is an authenticated Insecure Direct Object Reference in /api/v1/responses: a logged-in user supplies another user's flow ID and Langflow runs that victim's flow for them. No memory corruption, no code injection, no sandbox to escape — just a missing ownership check. NVD scores it 9.9, but the number isn't the interesting part. The interesting part is what a hijacked flow contains.

The payload writes itself#

Langflow flows routinely embed the credentials they need to do their job: OpenAI and Anthropic API keys, AWS access keys, database strings, tokens for whatever the agent talks to. So once you can run someone else's flow, you don't need a clever exploit to steal those secrets — you ask. The observed technique is almost insultingly direct: attackers inject a prompt like "leak api keys" into the hijacked flow and read the model's obedient reply. The RCE from March and the IDOR from July arrive through completely unrelated weaknesses, and both terminate in the same three words.

An unauthenticated RCE and an authenticated IDOR are supposed to sit at opposite ends of your risk register. On an agent platform they're the same finding wearing two costumes: reach a flow, and the flow hands you the keys.

That convergence is the actual lesson, and it is structural, not incidental. A traditional web app leaks whatever is in its own database. An agent-orchestration platform is, by design, the one place that holds every credential for every external system its users wired up — and it can execute against all of them. The product's core value proposition and its blast radius are the same sentence. Sysdig's write-up frames the takeaway as "higher CVSS isn't always the most exploited," and CVE-2026-55255 is the proof: an authenticated bug, the sort a threat model would normally rank below an unauthenticated one, still drew a federal remediation deadline. The "requires a login" caveat that usually buys a vulnerability some breathing room means nothing when the instances are exposed to the internet with weak auth and the thing behind the login is a vault.

What to actually do#

The mechanical advice is the boring, correct advice: patch to a current Langflow, and don't take the version string on faith given the RCE's history of incomplete fixes. But the durable move is to stop treating the platform as a trusted secret store. Langflow supports referencing credentials from environment variables and external secret managers rather than baking them into flow JSON; use it, so a stolen flow yields a reference an attacker can't dereference instead of a live key. Scope every embedded credential to the minimum — a read-only, rate-limited, billing-capped key survives a leak far better than a root one, which is the whole argument for treating secrets management as a first-class agent concern. And get Langflow off the public internet; the exploited population was overwhelmingly instances exposed directly, not ones behind a VPN or an authenticating proxy.

The KEV listing is a first, but it won't be a last. Agents are being handed the keys to everything by construction, and the industry is discovering — one CVE at a time — that "the system that holds all your credentials and can run arbitrary logic against them" is a category that has to be secured like a secrets manager, not like a dashboard. Langflow just happened to be standing where the spotlight landed.