Detect Langflow IDOR: Unauthorized Access to Another User's Flow via /api/v1/responses in Sumo Logic CSE
CVE-2026-55255 is a critical IDOR (Insecure Direct Object Reference) vulnerability in Langflow versions prior to 1.9.1. An authenticated attacker can enumerate and read another user's flow data by substituting object identifiers in requests to the /api/v1/responses endpoint, which does not verify that the caller owns the referenced flow. With a CVSS score of 9.9, the flaw allows horizontal privilege escalation between users of the same instance and can expose sensitive AI flow configurations, credentials embedded in flows, and proprietary automation logic.
MITRE ATT&CK
- Tactics: Credential Access, Collection
Sumo Detection Query
_sourceCategory=web/access OR _sourceCategory=proxy/logs
| parse regex field=url "/api/v1/responses/(?<flow_id>[^/?\"]+)"
| where !isNull(flow_id)
| where status_code = "200" OR status = "200"
| timeslice 10m
| count as request_count, count_distinct(flow_id) as distinct_flow_ids, values(flow_id) as flow_id_list by src_ip, _timeslice, user_agent
| where distinct_flow_ids >= 5
| if(distinct_flow_ids >= 20, "critical", if(distinct_flow_ids >= 10, "high", "medium")) as severity
| sort by distinct_flow_ids desc
Sumo Logic log search for the CVE-2026-55255 IDOR pattern: it parses Langflow /api/v1/responses requests, extracts the flow ID from the path, and alerts when a single source IP and user agent reaches five or more distinct flow IDs with HTTP 200 responses in a 10-minute window. Only requests that returned 200 count toward distinct_flow_ids, so failed guesses during enumeration do not contribute. The aggregation uses Sumo's count_distinct and values functions, and url, status_code (or status), src_ip and user_agent must already exist as parsed fields on the selected source categories; only flow_id is parsed inline.
Data Sources
Required Tables
The query reads the _sourceCategory=web/access and _sourceCategory=proxy/logs sources and expects url, status_code (or status), src_ip and user_agent to be available as parsed fields on them (for example through a Field Extraction Rule); no other tables or lookups are required.
False Positives & Tuning
- Legitimate bulk access by authenticated admin accounts reviewing platform-wide flows
- Automated CI/CD pipelines that trigger and poll multiple Langflow flow results
- Third-party integrations subscribed to multiple flow outputs via the API
- Langflow's own UI performing paginated result loading across many flows
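To check the thresholds and the tuning choices offline, here is the detection pipeline above re-implemented in Python over constructed access-log lines. This is an added example, not the page's query and not Langflow code: it mirrors each stage (parse regex, HTTP 200 filter, 10-minute timeslice, aggregation by src_ip/_timeslice/user_agent, threshold, severity tiers) and adds an allowlist parameter for the false-positive sources listed above, which the original query does not have. The log format, IP addresses, flow IDs and user agents are all constructed.

```python
"""Offline model of the Sumo Logic enumeration detection, run over constructed log lines.

Added example (not Langflow code and not the page's query): it mirrors each stage of
the pipeline (parse regex -> status filter -> 10-minute timeslice -> aggregate by
src_ip/_timeslice/user_agent -> threshold -> severity) and adds an allowlist for the
false-positive sources listed on the page. Log lines, IPs and flow IDs are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Same pattern as the query's `parse regex`: the path segment after /api/v1/responses/.
FLOW_ID_RE = re.compile(r'/api/v1/responses/(?P<flow_id>[^/?"]+)')


def _line(ts, src_ip, url, status, user_agent):
    # Tab-separated stand-in for already-parsed access-log fields (constructed format).
    return f"{ts}\t{src_ip}\tGET\t{url}\t{status}\t{user_agent}"


SAMPLE_LOGS = (
    # Test 1 style: 20 distinct flow IDs from one IP within 20 seconds.
    [_line(f"2026-03-01T10:00:{i:02d}Z", "203.0.113.10",
           f"/api/v1/responses/flow-{i:04d}", 200, "python-requests/2.31")
     for i in range(20)]
    # Test 2 style: a single targeted read of one known flow ID.
    + [_line("2026-03-01T10:05:00Z", "203.0.113.77",
             "/api/v1/responses/flow-victim-0042", 200, "curl/8.4.0")]
    # A CI runner polling six flows, one of the documented false-positive sources.
    + [_line(f"2026-03-01T10:0{i}:00Z", "198.51.100.5",
             f"/api/v1/responses/ci-flow-{i}", 200, "gitlab-runner/16.0")
       for i in range(6)]
    # Noise the query discards: a 404 on the same endpoint and a non-matching URL.
    + [_line("2026-03-01T10:07:00Z", "203.0.113.10",
             "/api/v1/responses/flow-9999", 404, "python-requests/2.31"),
       _line("2026-03-01T10:07:01Z", "203.0.113.10",
             "/api/v1/flows/", 200, "python-requests/2.31")]
)


def timeslice(ts: str, minutes: int = 10) -> str:
    """Floor an ISO-8601 UTC timestamp to the start of its N-minute bucket (Sumo `timeslice`)."""
    dt = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    epoch = int(dt.timestamp())
    start = epoch - epoch % (minutes * 60)
    return datetime.fromtimestamp(start, timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def severity(distinct_flow_ids: int) -> str:
    """Same tiers as the query's nested if()."""
    if distinct_flow_ids >= 20:
        return "critical"
    if distinct_flow_ids >= 10:
        return "high"
    return "medium"


def detect(lines, threshold: int = 5, allowlist=frozenset()):
    """Return alerts sorted by distinct_flow_ids desc, one per (src_ip, timeslice, user_agent).

    `allowlist` holds source IPs or user agents that are known bulk readers (admin
    review tooling, CI/CD pollers, subscribed integrations). It is the tuning knob for
    the false positives listed on the page and is an assumption of this example.
    """
    distinct = defaultdict(set)   # group key -> flow IDs seen with HTTP 200
    requests = defaultdict(int)   # group key -> request count (the query's `count`)
    for line in lines:
        ts, src_ip, _method, url, status, user_agent = line.split("\t")
        match = FLOW_ID_RE.search(url)
        if match is None or status != "200":   # parse regex + status filter
            continue
        key = (src_ip, timeslice(ts), user_agent)
        distinct[key].add(match.group("flow_id"))
        requests[key] += 1

    alerts = []
    for key, flow_ids in distinct.items():
        src_ip, slice_start, user_agent = key
        if len(flow_ids) < threshold:
            continue
        if src_ip in allowlist or user_agent in allowlist:
            continue
        alerts.append({
            "src_ip": src_ip,
            "timeslice": slice_start,
            "user_agent": user_agent,
            "request_count": requests[key],
            "distinct_flow_ids": len(flow_ids),
            "flow_id_list": sorted(flow_ids),
            "severity": severity(len(flow_ids)),
        })
    alerts.sort(key=lambda a: a["distinct_flow_ids"], reverse=True)
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOGS):
        print(alert["severity"], alert["src_ip"], alert["distinct_flow_ids"], alert["user_agent"])
```

Running it against the constructed lines produces a critical alert for the enumerating IP (20 distinct IDs; the 404 and the /api/v1/flows/ request are ignored) and a medium alert for the CI runner (6 distinct IDs), while the single targeted read of flow-victim-0042 stays below the threshold and never appears, which is the gap to keep in mind when reading Test 2 below. Passing the CI runner's user agent in allowlist suppresses its alert without raising the threshold for everyone else.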
Testing Methodology
Validate this detection against three adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Authenticated flow ID enumeration via /api/v1/responses
  Expected signal: 20 GET requests to /api/v1/responses/* within seconds, all from the same source IP and carrying the same Authorization header, visible in web or application access logs. If the 20 IDs are distinct and return HTTP 200, this lands in the query's critical tier within a single 10-minute slice.
- Test 2: Targeted cross-user flow access using a known flow ID
  Expected signal: a single authenticated GET request to /api/v1/responses/<victim_flow_id> returning HTTP 200 with flow response data belonging to a different user. Caveat: one request is below the query's distinct_flow_ids >= 5 threshold, so this test confirms the telemetry is being collected rather than that the alert fires; detecting a single targeted read requires comparing the requesting user with the flow's owner on the server side, which web access logs alone cannot do.
- Test 3: Scripted flow enumeration with response exfiltration
  Expected signal: 50 GET requests to /api/v1/responses/* within approximately 30 seconds, a subset returning HTTP 200 with response bodies containing flow data, all from a single source IP. Only the requests that return 200 count toward distinct_flow_ids, so the severity tier depends on how many guessed IDs actually resolve, not on the 50 attempts.