A chained origin-validation flaw in Langflow versions through 1.6.9 lets a malicious webpage hijack victim session tokens and pivot to full remote code execution, and CISA added it to the KEV catalog on 2026-05-21.
What Is It
CVE-2025-34291 is an origin validation error (CWE-346) in Langflow, an open-source platform for building AI agent workflows. The application ships with an overly permissive CORS configuration, allow_origins='*' combined with allow_credentials=True, while its refresh token cookie is set to SameSite=None. The combination lets an attacker-controlled origin issue cross-origin requests with credentials and successfully call the refresh endpoint, returning fresh access_token and refresh_token pairs scoped to the victim's session.
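An added example, not Langflow's code: a defender-side check that takes the response headers your own instance returns to a request carrying a foreign Origin header and flags the combination described above. Browsers reject a literal * on credentialed requests, so the check looks for the caller's origin being echoed back alongside Access-Control-Allow-Credentials. The function name, probe origin, cookie name and both sample header sets are constructed assumptions.

```python
from http.cookies import SimpleCookie

def audit_cors_response(probe_origin, headers):
    """Audit one response to a request that carried `Origin: probe_origin`.

    headers: list of (name, value) pairs captured from your own instance.
    Returns a list of finding strings; an empty list means nothing was flagged.
    """
    acao, acac, cookies = None, False, SimpleCookie()
    for name, value in headers:
        key = name.lower()
        if key == "access-control-allow-origin":
            acao = value.strip()
        elif key == "access-control-allow-credentials":
            acac = value.strip().lower() == "true"
        elif key == "set-cookie":
            cookies.load(value)

    findings = []
    # The dangerous case: the foreign origin is echoed back together with
    # Allow-Credentials, so a page on that origin can read the response body.
    readable = acac and acao == probe_origin
    if readable:
        findings.append("foreign origin may read credentialed responses")
    elif acao == "*":
        findings.append("wildcard origin allowed (non-credentialed reads)")
    # SameSite=None means the browser attaches the cookie cross-site.
    none_cookies = sorted(n for n, m in cookies.items()
                          if m["samesite"].lower() == "none")
    for n in none_cookies:
        findings.append(f"cookie {n} is SameSite=None")
    if readable and none_cookies:
        findings.append("chain complete: cookie is sent and response is readable")
    return findings

# Constructed sample responses (not captured from a real deployment).
PROBE = "https://probe.example"
WEAK = [
    ("Access-Control-Allow-Origin", PROBE),
    ("Access-Control-Allow-Credentials", "true"),
    ("Set-Cookie", "refresh_token=constructed; Path=/; Secure; HttpOnly; SameSite=None"),
]
HARDENED = [
    ("Set-Cookie", "refresh_token=constructed; Path=/; Secure; HttpOnly; SameSite=Strict"),
]

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit_cors_response(PROBE, hdrs))
```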
Why It Matters
Once an attacker holds valid tokens, they can reach authenticated endpoints, including Langflow's built-in code-execution functionality, and run arbitrary code on the host. That yields full system compromise from nothing more than a victim visiting a malicious page while logged in. NVD scores the bug 8.8 (HIGH) under CVSS 3.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H); VulnCheck's CVSS 4.0 secondary score puts it at 9.4 (CRITICAL). CISA's KEV listing on 2026-05-21 confirms active exploitation in the wild, with ransomware campaign use currently listed as Unknown.
What's Vulnerable
- Product: Langflow (langflow-ai/langflow)
- Affected versions: all releases up to and including 1.6.9 (CPE cpe:2.3:a:langflow:langflow:*)
- Weakness: CWE-346; Origin Validation Error
- Attack profile: network-reachable Langflow instance, victim with an authenticated session visiting attacker-controlled web content
Patch Status
Langflow addressed the issue in release v1.9.3. CISA's required action is to apply mitigations per vendor instructions, follow BOD 22-01 guidance for cloud services, or discontinue use if mitigations are unavailable. Federal civilian agencies have a remediation due date of 2026-06-04. Operators running 1.6.9 or earlier should upgrade immediately and audit for any issued refresh tokens that may have been hijacked prior to patching.