CISA added four vulnerabilities to its Known Exploited Vulnerabilities catalog this week, giving Federal Civilian Executive Branch agencies until July 10, 2026 to patch. Three are familiar territory: a maximum-severity path traversal flaw in Adobe ColdFusion (CVE-2026-48282) that leads to arbitrary code execution, and two unauthenticated file upload bugs in Joomla page builder extensions (CVE-2026-56290 and CVE-2026-48908). The fourth is not familiar territory at all. CVE-2026-55255 is an authorisation bypass in Langflow, and it marks the first time an AI agent orchestration platform has appeared on CISA’s exploited vulnerabilities list.
What the Langflow flaw actually does
Langflow is an open-source visual builder for constructing AI agent workflows, widely used to prototype and run automation pipelines that chain language models together with tools and data sources. CVE-2026-55255 is a user-controlled key vulnerability: an authenticated attacker can execute any flow belonging to another user simply by supplying that user’s flow ID in a request, no further authorisation check required. It carries a moderate CVSS score of 6.1, considerably lower than the ColdFusion flaw’s perfect 10, but its inclusion in the KEV catalog confirms it is being actively exploited, not merely theoretical.
This is also not Langflow’s first appearance in security advisories this year. An unrelated, far more severe flaw, CVE-2026-10134, allowed fully unauthenticated remote code execution through the platform’s public flow build endpoint, letting attackers run arbitrary Python via exec() with zero sandboxing. That bug was reportedly exploited within 20 hours of disclosure to deploy cryptominers and harvest environment variables, database credentials, and API keys from compromised hosts. Two serious Langflow vulnerabilities landing in the same year is a pattern, not a one-off.
Why this matters beyond one platform
AI agent orchestration tools sit in an unusually privileged position: they are frequently granted credentials to internal systems, APIs, and data stores so that agents can actually do useful work. A vulnerability that lets one user execute another user’s flow, or worse, execute arbitrary code on the host, inherits whatever access that platform has been given. Many organisations adopted tools like Langflow quickly, during the rush to stand up agentic AI pilots, without applying the same patch cadence and access review discipline they would apply to a production database or an internet-facing web server.
European organisations subject to NIS2 incident reporting obligations should note that a compromised AI agent platform holding service credentials is exactly the kind of significant incident the directive was written to capture, and a growing category of enterprise software that many security teams still are not tracking in their asset inventories.
What to do this week
If your organisation runs Langflow, confirm you are on version 1.9.0 or later, since earlier releases including the widely reported “patched” 1.8.2 remain vulnerable to the unauthenticated RCE. Review any exposed instances for unrestricted flow access and audit what credentials your agent workflows actually hold. More broadly, this is a good prompt to add AI agent platforms to your regular vulnerability scanning and patch management scope, rather than treating them as experimental tooling that lives outside normal security processes.
If you need help auditing your AI agent tooling, mapping the credentials it has access to, or building a patch management process that actually covers this category of software, contact Excello Digital. We help European engineering teams bring agentic AI infrastructure under the same security discipline as the rest of their stack.
