Which SIEM platforms have a CVE-2026-55255 detection rule?

df00tech provides CVE-2026-55255 (Langflow IDOR: Unauthorized Access to Another User's Flow via /api/v1/responses) detection queries for 7 SIEM platforms: Microsoft Sentinel / Defender, Splunk, Elastic Security (EQL), IBM QRadar (AQL), Sumo Logic CSE, Google Chronicle / SecOps, CrowdStrike LogScale (CQL).

What severity and confidence is the CVE-2026-55255 detection?

The CVE-2026-55255 detection is rated critical severity with medium confidence.

What are common false positives for CVE-2026-55255?

Common false positives for CVE-2026-55255 include: Langflow administrators or power users legitimately browsing many flows via the UI; Automated integration pipelines that poll multiple flow results in bulk; Load testing or health-check scripts that iterate over known flow IDs.

CVE-2026-55255 Elastic Security · Elastic

Detect Langflow IDOR: Unauthorized Access to Another User's Flow via /api/v1/responses in Elastic Security

Q: What data sources are required to detect Langflow IDOR: Unauthorized Access to Another User's Flow via /api/v1/responses (CVE-2026-55255)?

Detecting Langflow IDOR: Unauthorized Access to Another User's Flow via /api/v1/responses requires the following data sources: Azure Application Gateway Logs, App Service HTTP Logs, Web Application Firewall Logs, Azure Diagnostics.

CVE-2026-55255 is a critical IDOR (Insecure Direct Object Reference) vulnerability in Langflow versions prior to 1.9.1. An authenticated attacker can enumerate and access another user's flow data by manipulating object identifiers in requests to the /api/v1/responses endpoint. With a CVSS score of 9.9, this vulnerability allows horizontal privilege escalation between users, potentially exposing sensitive AI flow configurations, credentials embedded in flows, and proprietary automation logic.

MITRE ATT&CK

Tactic: Credential Access Collection

Elastic Detection Query

Elastic Security (Elastic)

eql

sequence by source.ip with maxspan=10m
  [any where event.dataset == "http" and
   url.path like "/api/v1/responses/*" and
   http.response.status_code == 200] with runs=5

critical severity medium confidence

Elastic EQL sequence detection identifying a single source IP making five or more successful requests to distinct /api/v1/responses paths within 10 minutes, indicating IDOR enumeration.

Data Sources

Elastic APMFilebeat HTTP modulePacketbeatNginx/Apache access logs via Filebeat

Required Tables

logs-*filebeat-*packetbeat-*

False Positives & Tuning

High-throughput Langflow users legitimately accessing multiple flow results
API clients performing batch result retrieval across user-owned flows
Monitoring agents checking flow completion status at high frequency
Load balancer health probes hitting the responses endpoint

Other platforms for CVE-2026-55255

Microsoft Sentinel (KQL) Splunk (SPL) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

Test 1Unauthenticated Flow ID Discovery via /api/v1/responses
Expected signal: 20 GET requests to /api/v1/responses/* within seconds, all from the same source IP and Authorization header, appearing in web/application access logs
Test 2Targeted Cross-User Flow Access Using Known Flow ID
Expected signal: Single authenticated GET request to /api/v1/responses/<victim_flow_id> returning HTTP 200 with flow response data belonging to a different user
Test 3Scripted Flow Enumeration with Response Exfiltration
Expected signal: 50 GET requests to /api/v1/responses/* within approximately 30 seconds, with a subset returning HTTP 200 and response bodies containing flow data; all from single source IP

Last updated: 2026-06-21 Research depth: standard

References (3)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for CVE-2026-55255 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Related Detections

Tactic Hubs

TA0006Credential Access TA0009Collection

Related Techniques

T1530Data from Cloud Storage T1078Valid Accounts T1083File and Directory Discovery

Detect Langflow IDOR: Unauthorized Access to Another User's Flow via /api/v1/responses in Elastic Security

MITRE ATT&CK

Elastic Detection Query

Data Sources

Required Tables

False Positives & Tuning

Other platforms for CVE-2026-55255

Testing Methodology

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Tactic Hubs

Related Techniques

Same Tactic: Credential Access

Popular Detections

MITRE ATT&CK

Elastic Detection Query

Data Sources

Required Tables

False Positives & Tuning

Other platforms for CVE-2026-55255

Testing Methodology

Unlock Pro Content

Related Detections

Tactic Hubs

Related Techniques

Same Tactic: Credential Access

Popular Detections

Get new detections in your inbox