CVE-2026-55255 CrowdStrike LogScale · LogScale

Detect Langflow IDOR: Unauthorized Access to Another User's Flow via /api/v1/responses in CrowdStrike LogScale

CVE-2026-55255 is a critical IDOR (Insecure Direct Object Reference) vulnerability in Langflow versions prior to 1.9.1. An authenticated attacker can enumerate and access another user's flow data by manipulating object identifiers in requests to the /api/v1/responses endpoint. With a CVSS score of 9.9, this vulnerability allows horizontal privilege escalation between users, potentially exposing sensitive AI flow configurations, credentials embedded in flows, and proprietary automation logic.

MITRE ATT&CK

Tactic
Credential Access Collection

LogScale Detection Query

CrowdStrike LogScale (LogScale)
cql 
#event_simpleName=NetworkReceiveAccept OR #event_simpleName=NetworkConnectIP4
| LocalAddressIP4=* RemotePort=* HttpPath=/api/v1/responses/*
| HttpStatusCode=200
| rex field=HttpPath "/api/v1/responses/(?<flow_id>[^/?]+)"
| groupBy([RemoteAddressIP4, UserAgent], function=[
    count(aid, as=request_count),
    dc(flow_id, as=distinct_flow_ids),
    collect(flow_id, as=flow_ids, limit=50),
    min(timestamp, as=first_seen),
    max(timestamp, as=last_seen)
  ])
| distinct_flow_ids >= 5
| eval severity=if(distinct_flow_ids>=20, "critical", if(distinct_flow_ids>=10, "high", "medium"))
| sort(distinct_flow_ids, order=desc)
critical severity medium confidence

CrowdStrike Falcon LogScale CQL query for detecting Langflow IDOR enumeration — groups successful /api/v1/responses requests by source IP and flags those accessing five or more distinct flow IDs within the observation window.

Data Sources

CrowdStrike Falcon Network TelemetryHTTP Proxy Logs ingested into Falcon

Required Tables

NetworkReceiveAcceptNetworkConnectIP4

False Positives & Tuning

  • Langflow power users with legitimate access to many flows performing normal workflow review
  • Automation bots operated by the same user account polling multiple owned flows
  • Integration partners with delegated access consuming results from multiple customer flows
  • Internal Langflow background workers processing cross-flow aggregations

Other platforms for CVE-2026-55255

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Unauthenticated Flow ID Discovery via /api/v1/responses

    Expected signal: 20 GET requests to /api/v1/responses/* within seconds, all from the same source IP and Authorization header, appearing in web/application access logs

  2. Test 2Targeted Cross-User Flow Access Using Known Flow ID

    Expected signal: Single authenticated GET request to /api/v1/responses/<victim_flow_id> returning HTTP 200 with flow response data belonging to a different user

  3. Test 3Scripted Flow Enumeration with Response Exfiltration

    Expected signal: 50 GET requests to /api/v1/responses/* within approximately 30 seconds, with a subset returning HTTP 200 and response bodies containing flow data; all from single source IP

Last updated: 2026-06-21 Research depth: standard
References (3)

Unlock Pro Content

Get the full detection package for CVE-2026-55255 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Tactic Hubs

TA0006Credential AccessTA0009Collection

Related Techniques

T1530Data from Cloud StorageT1078Valid AccountsT1083File and Directory Discovery

Same Tactic: Credential Access

Popular Detections