CISA adds exploited Langflow origin validation flaw to KEV catalog

CISA has added CVE-2025-34291, a critical Langflow origin validation vulnerability, to its Known Exploited Vulnerabilities catalog after evidence of active exploitation. Organizations using Langflow should treat the flaw as urgent because it can lead to account takeover, remote code execution, and full system compromise.

The NVD record for CVE-2025-34291 says affected Langflow versions up to and including 1.6.9 contain a chained vulnerability involving permissive CORS settings and refresh token cookie behavior. CISA added the flaw to the Known Exploited Vulnerabilities catalog on May 21, 2026.

The risk is serious because Langflow is used to build AI workflows, agents, and integrations. A compromised Langflow instance may expose access tokens, API keys, workflow data, connected services, and backend systems tied to AI automation pipelines.

What CVE-2025-34291 allows attackers to do

CVE-2025-34291 is not a simple single-step bug. It is a vulnerability chain that combines an overly permissive Cross-Origin Resource Sharing configuration, a refresh token cookie set with SameSite=None, and authenticated backend functionality that can lead to code execution.

The GitHub Advisory Database describes the issue as a Langflow CORS misconfiguration that enables account takeover and remote code execution. It lists affected versions as Langflow 1.6.9 and earlier.

In practical terms, an attacker can lure a logged-in Langflow user to a malicious webpage. The victim’s browser can then send credentialed cross-origin requests to the Langflow instance, allowing the attacker to obtain fresh access and refresh token pairs.

Item	Details
CVE	CVE-2025-34291
Product	Langflow
Vulnerability type	Origin validation error and CORS misconfiguration
CWE	CWE-346, Origin Validation Error
Affected versions	Langflow versions up to and including 1.6.9
CVSS v4 score	9.4, Critical
KEV date added	May 21, 2026
Federal remediation due date	June 4, 2026

How the Langflow attack chain works

The flaw starts with CORS. Langflow allowed credentialed requests from broad origins, which means a hostile website could interact with a victim’s Langflow session under the right conditions.

The second part involves the refresh token cookie. Obsidian Security found that the refresh_token_lf cookie used SameSite=None, making it available in cross-site contexts over HTTPS. The refresh endpoint also lacked the CSRF protection needed for this type of cookie-based flow.

The Obsidian Security analysis says an attacker-controlled site can call the refresh endpoint, obtain fresh tokens, and then use authenticated endpoints, including functionality that supports code execution.

Why this is dangerous for AI workflow systems

Langflow can store and process credentials for downstream tools. That may include API keys, database credentials, cloud service tokens, SaaS integrations, model provider keys, and workflow secrets.

If attackers compromise the Langflow instance, the damage may not stop at the application itself. They may be able to use stored credentials to reach connected services, copy data, alter workflows, or move deeper into cloud and SaaS environments.

This is why the flaw matters beyond ordinary web application security. AI workflow platforms can become integration hubs, and an attack on the hub may become an attack on every system connected to it.

CISA added the flaw after active exploitation

CISA’s KEV catalog focuses on vulnerabilities that have been exploited in the wild and create meaningful risk to federal networks. For Federal Civilian Executive Branch agencies, KEV entries create mandatory remediation timelines under Binding Operational Directive 22-01.

The CISA KEV entry gives agencies until June 4, 2026, to apply mitigations per vendor instructions, follow BOD 22-01 guidance for cloud services, or discontinue use if mitigations are unavailable.

Enterprise teams outside the federal government should use the KEV listing as a priority signal. Active exploitation means the vulnerability has moved from theoretical risk to operational attacker use.

Researchers warned about the chain months earlier

Security researchers documented the vulnerability chain in December 2025, before CISA added it to KEV. The research showed how several design choices combined into a severe session hijacking and RCE path.

The VulnCheck advisory assigns the flaw a CVSS v4 score of 9.4 and describes the affected state as Langflow 1.6.9 and earlier, with the default deployment remaining vulnerable.

That timeline shows why defenders should not wait for KEV inclusion before acting on critical AI platform vulnerabilities. Public research, exploitability, and sensitive credential storage can create risk long before a deadline appears.

What attackers can gain after exploitation

After obtaining valid token pairs, attackers can interact with authenticated Langflow endpoints as the victim. That can allow them to inspect flows, access stored values, execute code, and compromise the underlying system.

The blast radius depends on how the Langflow deployment is configured. A lightly used test instance may expose only local data, while a production workflow server may hold credentials for cloud storage, databases, AI model APIs, internal APIs, or customer systems.

• Fresh access and refresh tokens for a victim session.
• Authenticated access to Langflow API endpoints.
• Access to saved flows, workspace data, and variables.
• Potential access to API keys and service credentials.
• Remote code execution through built-in code-execution functionality.
• Possible compromise of connected downstream systems.

Why CORS and SameSite settings matter

CORS controls which websites can read responses from a web application. When an app allows broad origins and also allows credentials, browsers may help an attacker send authenticated requests from another site.

SameSite cookie settings control whether browsers include cookies in cross-site requests. SameSite=None can be valid for some cross-site deployments, but it needs stronger safeguards such as CSRF tokens, strict origin checks, and careful endpoint design.

The GitHub advisory says the dangerous combination allowed a malicious webpage to perform cross-origin requests with credentials and successfully call the refresh endpoint.

What administrators should do now

Administrators should first identify every Langflow deployment, including test systems, self-hosted instances, containerized deployments, cloud-hosted environments, and developer labs. AI tools often start as experiments and later gain sensitive integrations without formal inventory tracking.

Teams should then verify the Langflow version, review CORS settings, check cookie behavior, and apply vendor mitigation guidance. If they cannot validate a safe configuration, they should remove external exposure or take the system offline until it can be secured.

• Identify all Langflow instances across production, staging, development, and labs.
• Upgrade or move off Langflow versions up to and including 1.6.9 where possible.
• Restrict CORS allowed origins to trusted domains only.
• Do not allow wildcard origins with credentialed requests.
• Set refresh token cookies to SameSite=Lax or SameSite=Strict where deployment design allows it.
• Add CSRF protection if cross-site credentialed requests remain necessary.
• Restrict Langflow access through VPN, private networks, or zero-trust access controls.
• Rotate tokens and API keys stored in Langflow if exposure is suspected.

How to hunt for possible exploitation

Security teams should review Langflow logs, proxy logs, WAF telemetry, and identity events for suspicious refresh endpoint activity. Repeated cross-origin calls, unusual Referer or Origin headers, and token refreshes followed by code execution should receive priority.

The Obsidian research notes that the attack can originate from the victim’s browser, which means network logs may show requests from a legitimate user location rather than an obvious attacker server.

That makes behavioral context important. Teams should check whether a user session called sensitive endpoints after visiting unusual sites, whether new flows appeared, and whether code validation or execution endpoints ran unexpectedly.

Log source	What to check
Reverse proxy or WAF logs	Cross-origin requests to refresh and authenticated API endpoints.
Langflow application logs	Unexpected token refreshes, code execution, flow changes, and errors.
Identity logs	Unusual session activity after token refresh events.
Cloud logs	Use of API keys or secrets stored inside Langflow.
Endpoint logs	Unexpected processes or commands launched by the Langflow service user.

Why exposed Langflow instances need urgent review

Internet-exposed Langflow deployments face the highest risk, but internal deployments also need attention. Obsidian noted that a victim browser can reach non-public on-premises instances if the user has access to them.

This means an attacker does not always need direct network access to the Langflow server. A malicious page can use the victim’s browser as the bridge if the victim is logged in and can reach the internal service.

For that reason, organizations should not rely only on firewall exposure checks. They should also treat browser-accessible internal Langflow services as potentially reachable through this attack path.

What to do if compromise is suspected

If logs show suspicious refresh endpoint activity or unexpected code execution, teams should assume tokens and connected credentials may be exposed. The response should include both Langflow cleanup and downstream credential rotation.

The VulnCheck description makes clear that obtained tokens can permit access to authenticated endpoints, including built-in code-execution functionality. That level of access can support full system compromise.

• Take the affected Langflow instance offline or isolate it.
• Preserve application, proxy, and system logs before cleanup.
• Revoke active sessions and rotate Langflow secrets.
• Rotate API keys, database credentials, cloud tokens, and SaaS tokens stored in Langflow.
• Review flows for unauthorized changes or new components.
• Check the host for unexpected processes, files, and outbound connections.
• Rebuild from a clean baseline if remote code execution occurred.

The bigger lesson for AI platforms

CVE-2025-34291 highlights a broader issue in AI workflow platforms. These systems often connect to many services, handle sensitive tokens, and let users build automation with code-like behavior.

That power makes security boundaries critical. CORS, cookies, CSRF protections, authentication flows, and code-execution endpoints need to work together. A weakness in one layer can become severe when another layer trusts it.

The NVD entry and KEV listing show why security teams should inventory AI workflow tools with the same discipline used for VPN appliances, CI/CD systems, and cloud control planes.

The safest response is to find every Langflow deployment, fix affected versions or configurations, restrict access, rotate exposed secrets, and review logs for suspicious cross-origin token activity.

FAQ