CVE-2026-55255 Splunk · SPL

Detect Langflow IDOR: Unauthorized Access to Another User's Flow via /api/v1/responses in Splunk

CVE-2026-55255 is a critical IDOR (Insecure Direct Object Reference) vulnerability in Langflow versions prior to 1.9.1. An authenticated attacker can enumerate and access another user's flow data by manipulating object identifiers in requests to the /api/v1/responses endpoint. With a CVSS score of 9.9, this vulnerability allows horizontal privilege escalation between users, potentially exposing sensitive AI flow configurations, credentials embedded in flows, and proprietary automation logic.

MITRE ATT&CK

Tactics
  • Credential Access
  • Collection

SPL Detection Query

Splunk (SPL)

index=web OR index=proxy OR index=app
(uri_path="/api/v1/responses*" OR url="*/api/v1/responses*")
status=200
| eval request_path=coalesce(uri_path, url)
| rex field=request_path "/api/v1/responses/(?<flow_id>[^/?]+)"
| where isnotnull(flow_id) AND flow_id!=""
| eval event_time=_time
| bin _time span=10m
| stats
    count AS request_count
    dc(flow_id) AS distinct_flow_ids
    values(flow_id) AS flow_ids
    earliest(event_time) AS first_seen
    latest(event_time) AS last_seen
    by src_ip, http_user_agent, _time
| where distinct_flow_ids >= 5
| eval severity=case(
    distinct_flow_ids>=20, "critical",
    distinct_flow_ids>=10, "high",
    true(), "medium"
  )
| eval alert_title="Langflow IDOR: Enumeration of multiple flow IDs from single source"
| convert ctime(first_seen) ctime(last_seen)
| table first_seen, last_seen, src_ip, http_user_agent, request_count, distinct_flow_ids, flow_ids, severity, alert_title
| sort - distinct_flow_ids

Severity: critical · Confidence: medium

Two details matter for correctness: the flow ID is extracted from uri_path when the sourcetype provides it and from url otherwise, so the rex does not silently return nothing on proxy sourcetypes that only carry a full URL; and the per-event timestamp is copied to event_time before bin rewrites _time, so first_seen and last_seen reflect real request times rather than the start of the 10-minute bucket.

Splunk detection for the Langflow IDOR exploitation pattern. It identifies source IP and user-agent pairs that successfully (HTTP 200) access five or more distinct flow IDs via /api/v1/responses within a 10-minute window, consistent with CVE-2026-55255 abuse. A single targeted read of one other user's flow stays below the threshold; the rule keys on enumeration, not on the individual unauthorized access.

Data Sources

  • Web Proxy Logs
  • Application HTTP Logs
  • Reverse Proxy / Nginx / Apache Logs

Required Sourcetypes

  • access_combined
  • nginx:plus:access
  • apache:access
  • proxy:squid
  • pan:traffic

False Positives & Tuning

  • Legitimate Langflow superusers or admins reviewing many flow results
  • Automated pipelines polling multiple flows in rapid succession
  • Penetration testing engagements against the Langflow deployment
  • Langflow internal services performing cross-flow reporting or dashboarding
  • The stats key (src_ip, http_user_agent) splits the count when one client rotates User-Agent strings or source addresses; where the application or reverse proxy logs the authenticated identity (for example a user ID or API key ID), group on that field instead, and treat several user agents from one identity as additional signal rather than as separate groups

Testing Methodology

Validate this detection against the three adversary techniques below, adapted from Atomic Red Team. Each test lists the behaviour to exercise and the telemetry you should expect to see.

  1. Test 1: Unauthenticated Flow ID Discovery via /api/v1/responses

     Expected signal: 20 GET requests to /api/v1/responses/* within seconds, all from the same source IP and Authorization header, appearing in web/application access logs

  2. Test 2: Targeted Cross-User Flow Access Using Known Flow ID

     Expected signal: a single authenticated GET request to /api/v1/responses/<victim_flow_id> returning HTTP 200 with flow response data belonging to a different user. This test on its own stays below the rule's threshold of 5 distinct flow IDs; it confirms the IDOR is exploitable, not that the enumeration rule fires.

  3. Test 3: Scripted Flow Enumeration with Response Exfiltration

     Expected signal: 50 GET requests to /api/v1/responses/* within approximately 30 seconds, with a subset returning HTTP 200 and response bodies containing flow data, all from a single source IP. Only the HTTP 200 responses count toward the threshold, so at least 5 of the enumerated IDs must resolve for the rule to trigger.
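The detection logic above, run over constructed access_combined lines that mimic Tests 1 and 2, as an added Python example; this is not code from the original page, from Langflow, or from Splunk. It reproduces the SPL's status filter, flow-ID extraction, 10-minute binning, grouping by source IP and user agent, and severity thresholds. All IP addresses, timestamps and flow IDs in the sample are constructed, and the `group_by_user_agent` switch is an assumption added to show the tuning change from the section above: a client that rotates User-Agent strings is invisible to the default key and visible once the key drops the user agent.

```python
import re
from collections import defaultdict
from datetime import datetime

# Parser for Apache/Nginx access_combined lines. The sample at the bottom is
# constructed for this example; it is not real Langflow traffic.
ACCESS_RE = re.compile(
    r'^(?P<src_ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)
# Same capture as the SPL rex: the path segment right after /api/v1/responses/
FLOW_RE = re.compile(r"/api/v1/responses/(?P<flow_id>[^/?]+)")
WINDOW = 600  # seconds; mirrors "bin _time span=10m"


def parse_line(line):
    """Return the fields the detection needs, or None for lines that do not parse."""
    m = ACCESS_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return {"src_ip": m["src_ip"], "epoch": int(ts.timestamp()),
            "path": m["path"], "status": int(m["status"]), "ua": m["ua"]}


def severity(distinct_flow_ids):
    """Same thresholds as the SPL case() statement."""
    if distinct_flow_ids >= 20:
        return "critical"
    if distinct_flow_ids >= 10:
        return "high"
    return "medium"


def detect(lines, threshold=5, group_by_user_agent=True):
    """Group successful /api/v1/responses/<flow_id> hits per (src_ip, user agent,
    10-minute bucket) and alert when one group touches >= threshold distinct IDs.
    group_by_user_agent=False is a hypothetical tuning switch: it drops the UA from
    the key so a client rotating User-Agent strings is counted as one source."""
    groups = defaultdict(lambda: {"count": 0, "flow_ids": set(), "first": None, "last": None})
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["status"] != 200:
            continue  # status=200 filter from the SPL
        m = FLOW_RE.search(ev["path"])
        if not m:
            continue  # other endpoints, or /api/v1/responses with no ID segment
        bucket = ev["epoch"] - ev["epoch"] % WINDOW
        key = (ev["src_ip"], ev["ua"] if group_by_user_agent else "*", bucket)
        g = groups[key]
        g["count"] += 1
        g["flow_ids"].add(m["flow_id"])
        g["first"] = ev["epoch"] if g["first"] is None else min(g["first"], ev["epoch"])
        g["last"] = ev["epoch"] if g["last"] is None else max(g["last"], ev["epoch"])
    alerts = []
    for (src_ip, ua, bucket), g in groups.items():
        n = len(g["flow_ids"])
        if n < threshold:
            continue
        alerts.append({"src_ip": src_ip, "http_user_agent": ua, "window_start": bucket,
                       "first_seen": g["first"], "last_seen": g["last"],
                       "request_count": g["count"], "distinct_flow_ids": n,
                       "flow_ids": sorted(g["flow_ids"]), "severity": severity(n)})
    alerts.sort(key=lambda a: -a["distinct_flow_ids"])  # sort - distinct_flow_ids
    return alerts


def _line(ip, ts, path, status, ua):
    return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" {status} 512 "-" "{ua}"'


# Constructed sample: documentation-range IPs, made-up flow IDs.
SAMPLE_LOG = (
    # Test 1 style: 20 distinct flow IDs from one client within seconds -> critical
    [_line("203.0.113.10", f"14/Mar/2026:10:02:{i:02d} +0000",
           f"/api/v1/responses/flow-{i:04d}", 200, "python-requests/2.32") for i in range(20)]
    # Test 2 style: one targeted cross-user read; a real hit, but below the threshold
    + [_line("198.51.100.7", "14/Mar/2026:10:05:30 +0000",
             "/api/v1/responses/9f1c2d3e-0000-4000-8000-000000000042", 200, "Mozilla/5.0")]
    # A client rotating User-Agent: 6 IDs split 3/3 across two UAs in the same bucket
    + [_line("192.0.2.44", f"14/Mar/2026:10:07:{i:02d} +0000", f"/api/v1/responses/flow-{100 + i}",
             200, "curl/8.6" if i % 2 else "Wget/1.21") for i in range(6)]
    # Excluded rows: a non-200 status, and an endpoint the rule does not cover
    + [_line("192.0.2.44", "14/Mar/2026:10:08:00 +0000", "/api/v1/responses/flow-0001?limit=10", 404, "curl/8.6"),
       _line("192.0.2.44", "14/Mar/2026:10:08:01 +0000", "/api/v1/flows", 200, "curl/8.6")]
)

if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(a["severity"], a["src_ip"], a["http_user_agent"], a["distinct_flow_ids"])
    for a in detect(SAMPLE_LOG, group_by_user_agent=False):
        print("ua-agnostic:", a["severity"], a["src_ip"], a["distinct_flow_ids"])
```

With the default key only the 20-ID burst alerts (critical); the single targeted read never can, whatever the key, because it touches one flow ID. Dropping the user agent from the key surfaces the rotating client at 6 distinct IDs as a second, medium alert.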
