Virtual Round Table · Jul 22

Save your seat
CISA Flags a Langflow Bypass and Two Joomla RCEs, and the AI Platform Is the One to Watch
Cybersecurity

CISA Flags a Langflow Bypass and Two Joomla RCEs, and the AI Platform Is the One to Watch

CISA added three exploited flaws to its KEV catalog on July 7: two CVSS 10.0 Joomla file-upload RCEs and a cross-tenant IDOR in the AI builder Langflow that hands attackers other tenants' flows and keys.

PublishedJuly 9, 2026
Read time5 min read
Share

CISA Adds Three, and One of Them Is an AI Platform

On July 7, CISA added three actively exploited vulnerabilities to its Known Exploited Vulnerabilities catalog and gave federal agencies until July 10 to patch. Two are maximum-severity file upload flaws in Joomla page builders. The third, and the one we think deserves the most attention from enterprise architects, is CVE-2026-55255, an authorization bypass in Langflow. Langflow is a popular low-code platform for building AI and large language model applications, which makes it a fast-growing category of internet-exposed infrastructure that most security teams have never inventoried.

The Langflow flaw is a cross-tenant insecure direct object reference, or IDOR, in the words of researchers at Sysdig. It carries a comparatively modest CVSS score of 6.1, but the number undersells the impact. An authenticated attacker can execute flows belonging to other users simply by specifying the victim's flow ID in a request. On a multi-tenant AI platform, a flow is not just a workflow, it is a bundle of prompts, logic and, critically, the API keys and credentials that the flow uses to reach models, databases and downstream services.

A Lone Operator Was Already Inside

This was not a theoretical finding sitting in a disclosure queue. According to Sysdig, a lone operator using IP address 45.207.216.55 weaponized the Langflow flaw between June 22 and June 25, targeting internet-exposed Langflow instances. The attack chain followed a familiar shape: reconnaissance, enumeration of accessible flows, and deployment of second-stage downloaders that pulled botnet and cryptojacking payloads onto the hosts. It is a reminder that AI tooling is now firmly on the menu for commodity crimeware, not just sophisticated nation-state operations.

Sysdig framed the dual nature of the exposure neatly: 'The RCE went after the host, while the IDOR went after other tenants' flows and their keys.' That single sentence captures why AI platforms are such attractive targets. A remote code execution bug gives you the server, but the authorization bypass gives you something arguably more valuable, the accumulated secrets of every tenant using the platform. In an enterprise that has quietly stood up Langflow to prototype agents, that could mean the keys to production model endpoints and the data pipelines behind them.

The Joomla Flaws Are Textbook, and Worse

The two Joomla vulnerabilities are more conventional but arguably more dangerous in raw terms, both rated CVSS 10.0. CVE-2026-56290 affects Joomla Page Builder CK. It is an improper access control flaw that enables remote code execution through unauthenticated arbitrary file upload, and web shells were already being deployed as of June 27. Researchers identified one shell planted at /media/com_pagebuilderck/gfonts/bhup.php, keyed on a POST parameter named _upl. The fix arrives in version 3.6.0.

CVE-2026-48908 hits SP Page Builder with an unrestricted file upload flaw that lets unauthenticated users upload arbitrary files and achieve PHP code execution. It was exploited as a zero-day through an HTTP POST to the asset.uploadCustomIcon endpoint, and attackers used it to create unauthorized Super User accounts, effectively minting themselves administrators of the target site. The patched line is 6.6.2 and later. Both flaws follow the oldest web attack pattern in the book, and both were live in the wild before they were cataloged.

Why the AI Angle Changes the Risk Calculus

We keep returning to the Langflow entry because it signals a shift that CISOs need to plan for. The rush to build AI agents and LLM-powered internal tools has produced a wave of new low-code platforms that get deployed by data science and product teams, often outside the change-management processes that govern traditional applications. These platforms concentrate credentials by design, because an AI flow is only useful when it can authenticate to models and data. That concentration is exactly what makes an authorization bypass so costly.

A CVSS 6.1 does not sound like an emergency, and that is the danger. The score reflects the mechanics of the flaw, not the sensitivity of what sits behind it. When the affected system is a multi-tenant AI builder holding every team's model keys, a mid-range IDOR can be a bigger breach than a 10.0 on a static marketing site. Enterprises should stop treating AI development platforms as experimental toys and start treating them as credential vaults that happen to have a chat interface.

The Uncomfortable Common Thread

Three vulnerabilities, three different technologies, one shared timeline: all of them were being exploited in the wild days or weeks before CISA formalized the entry. The catalog is a lagging indicator by design, which means the July 10 federal deadline is really a floor, not a target. If you run Langflow, Joomla Page Builder CK or SP Page Builder anywhere with internet exposure, the operational assumption should be that opportunistic actors have already scanned for you.

For technology executives, the actionable lesson is inventory discipline across two blind spots at once. The Joomla flaws expose the long tail of content management systems that marketing and web teams stand up and forget. The Langflow flaw exposes the brand-new sprawl of AI tooling that innovation teams stand up and celebrate. Both live outside the core application security program in most organizations, and both are now confirmed entry points. Closing them starts with the unglamorous work of finding out what you actually run.

Tagged#news#security#cybersecurity#cisa#ai-security#zero-day