CVE-2026-55255 is a CISA KEV-listed IDOR in Langflow’s /api/v1/responses endpoint allowing any authenticated user to execute other users’ AI flows without authorization. Active exploitation is confirmed by both CISA KEV and VulnCheck; organizations running Langflow below version 1.9.2 are actively targeted.