CISA flags Langflow CVE-2025-34291: CORS chain yields RCE
CISA added CVE-2025-34291 to the KEV catalog on May 21. An overly permissive CORS plus a misconfigured refresh-token cookie chain to account takeover and code execution in Langflow ≤ 1.6.9.
CISA added CVE-2025-34291 to its Known Exploited Vulnerabilities catalog on May 21, 2026, citing evidence of active exploitation. The flaw affects Langflow, the open-source visual builder for LLM applications. CVSS v4.0 is 9.4 (Critical). Federal civilian agencies must remediate by June 4, 2026 under BOD 22-01.
The bug is an origin validation error caused by an overly permissive CORS configuration. Combined with a refresh-token cookie set with SameSite=None, a malicious site can issue authenticated cross-origin requests against a Langflow instance the victim is logged into — and Langflow exposes endpoints that execute code by design. The result is account takeover and remote code execution from a single page-load.
Affected versions
The CVE record lists Langflow versions 0 through 1.6.9 inclusive as vulnerable. Self-hosted deployments running anything in that range and reachable from a browser context — meaning an authenticated user could be lured to a malicious page — should be treated as exposed until proven otherwise.
The vulnerability was assigned by VulnCheck and disclosed by Fenix Qiao and Shuyang Wang of Obsidian Security.
What the exploit chains together
Three weaknesses overlap to produce the worst-case path:
- CORS is configured to accept arbitrary origins.
- The refresh-token cookie uses SameSite=None, so the browser ships it on cross-site requests.
- Langflow exposes endpoints that execute arbitrary code as a documented feature of the workflow builder.
With (1) and (2), an attacker page can hit Langflow's API as the victim. With (3), the request can carry a code-execution payload. There's no CSRF token in the path that matters here. The "exploit" is one page in a tab.
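The two browser-side conditions above, a reflected Origin with credentials allowed and a refresh cookie marked SameSite=None, are both visible in plain response headers, so they can be audited without touching the code-execution endpoints at all. The following is an added example written for this article, not Langflow's own code or the researchers' tooling: it models the weak and the corrected CORS answer side by side and scores a captured response. The allowlist, the probe origin, the cookie name and every header value are constructed for illustration; feed `assess` the headers your own instance returns to a cross-origin request.

```python
"""Posture check for the CORS + cookie combination behind CVE-2025-34291.

Added example, not Langflow's own code. The allowlist, origins, and header
values are constructed for illustration; point `assess` at real response
headers captured from your own deployment to audit it.
"""
from __future__ import annotations

# Constructed allowlist: the only origin that should be able to make
# credentialed cross-origin calls to the instance.
ALLOWED_ORIGINS = {"https://langflow.internal.example"}


def cors_response_headers(request_origin: str, permissive: bool) -> dict[str, str]:
    """Model how a server answers a cross-origin request.

    permissive=True reproduces the weak posture (echo any Origin and allow
    credentials); permissive=False is the corrected allowlist behaviour, which
    emits no CORS headers at all for unknown origins so the browser withholds
    the response from the calling page.
    """
    if permissive or request_origin in ALLOWED_ORIGINS:
        return {
            "Access-Control-Allow-Origin": request_origin,
            "Access-Control-Allow-Credentials": "true",
            "Vary": "Origin",
        }
    return {}


def parse_set_cookie(header: str) -> dict[str, str | bool]:
    """Split a Set-Cookie value into name/value plus lower-cased attributes."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    cookie: dict[str, str | bool] = {"name": name.strip(), "value": value.strip()}
    for part in parts[1:]:
        key, has_value, val = part.partition("=")
        cookie[key.strip().lower()] = val.strip() if has_value else True
    return cookie


def assess(request_origin: str, response_headers: dict[str, str],
           set_cookie: str | None = None) -> list[str]:
    """Return findings that, together, let a foreign page make credentialed calls."""
    findings: list[str] = []
    headers = {k.lower(): v for k, v in response_headers.items()}
    acao = headers.get("access-control-allow-origin")
    creds = headers.get("access-control-allow-credentials", "").lower() == "true"

    if acao == "*" and creds:
        # Browsers refuse '*' together with credentials, so this fails closed,
        # but it still shows the policy was never thought through.
        findings.append("cors: wildcard origin combined with credentials")
    elif acao and acao == request_origin and request_origin not in ALLOWED_ORIGINS:
        if creds:
            findings.append(f"cors: reflects untrusted origin {request_origin} with credentials")
        else:
            findings.append(f"cors: reflects untrusted origin {request_origin}")

    if set_cookie:
        cookie = parse_set_cookie(set_cookie)
        same_site = str(cookie.get("samesite", "")).lower()
        if same_site == "none":
            findings.append(f"cookie {cookie['name']}: SameSite=None, sent on cross-site requests")
        if "httponly" not in cookie:
            findings.append(f"cookie {cookie['name']}: missing HttpOnly")
    return findings


if __name__ == "__main__":
    probe_origin = "https://untrusted.example"  # constructed probe origin
    # Constructed cookie; the real cookie name and value come from your instance.
    cookie = "refresh_token=REDACTED; Path=/; HttpOnly; Secure; SameSite=None"
    for label, permissive in (("weak", True), ("fixed", False)):
        hdrs = cors_response_headers(probe_origin, permissive)
        print(label, assess(probe_origin, hdrs, cookie) or ["no findings"])
```

Note that the "fixed" run still reports the SameSite=None cookie: correcting CORS closes the read path that makes the account takeover work, but the cookie attribute is a separate setting and stays worth tightening on its own.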
Exploitation status
CISA's KEV addition is by definition a statement of in-the-wild exploitation. The agency does not name the attacker or the targeted sector. Public exploit and PoC material for CORS-plus-code-endpoint Langflow chains has been circulating since late 2025 — this is not a one-day bug, it's a long-tail one finally catching up to operators.
Action checklist
- Identify Langflow instances in your estate — production, staging, and any "experimental" deployments standing up agentic workflows for internal teams. The Langflow demo culture means there are usually more than the official inventory shows.
- Upgrade to a patched release. Anything ≤ 1.6.9 is exposed; pull the latest 1.x release with the CORS fix applied, or — if a vendor patch path isn't available for your install — pin the deployment behind a reverse proxy that enforces a strict allowlist of origins.
- Rotate active sessions and refresh tokens for any Langflow instance that was internet-reachable. If an attacker already grabbed a refresh token, patching the CORS won't evict them.
- Audit Langflow custom code endpoints for anything an attacker could have left behind: scheduled flows, new accounts, modified integrations to external systems (databases, mail providers, vector stores). Treat any Langflow host as compromise-suspect if logs aren't clean for the past 30 days.
- Federal agencies: BOD 22-01 deadline is June 4. Document remediation per CISA's standard reporting flow.
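For the audit step, the most direct evidence of this chain being used is an API request that arrived with a session cookie but an Origin header your organisation does not own. Below is an added example, not Langflow's or CISA's tooling, of that hunt over reverse-proxy access logs. It assumes an nginx log_format that appends the request's Origin and Cookie headers (both are standard `$http_*` variables); the trusted-origin set, the sample lines and the API paths in them are constructed to illustrate the format and are not real traffic.

```python
"""Hunt for credentialed cross-origin API calls in reverse-proxy access logs.

Added example, not Langflow's or CISA's tooling. It assumes an nginx
log_format that appends the Origin and Cookie request headers; the lines in
SAMPLE_LOG are constructed to match that format. Adapt LOG_RE to whatever
your proxy actually records.
"""
import re
from collections import Counter

# Assumed nginx log_format:
#   '$remote_addr [$time_local] "$request" $status "$http_origin" "$http_cookie"'
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) "(?P<origin>[^"]*)" "(?P<cookie>[^"]*)"$'
)

# Constructed allowlist: origins that legitimately drive this instance.
TRUSTED_ORIGINS = {"https://langflow.internal.example"}

# Constructed sample log; paths and cookie values are placeholders.
SAMPLE_LOG = """\
10.0.0.5 [21/May/2026:09:12:01 +0000] "GET /api/v1/flows HTTP/1.1" 200 "https://langflow.internal.example" "refresh_token=REDACTED"
10.0.0.5 [21/May/2026:09:12:07 +0000] "POST /api/v1/flows HTTP/1.1" 201 "https://langflow.internal.example" "refresh_token=REDACTED"
10.0.0.5 [21/May/2026:09:13:40 +0000] "OPTIONS /api/v1/flows HTTP/1.1" 204 "https://untrusted.example" "-"
10.0.0.5 [21/May/2026:09:13:41 +0000] "POST /api/v1/flows HTTP/1.1" 201 "https://untrusted.example" "refresh_token=REDACTED"
10.0.0.5 [21/May/2026:09:13:42 +0000] "GET /api/v1/flows HTTP/1.1" 200 "https://untrusted.example" "refresh_token=REDACTED"
10.0.0.9 [21/May/2026:09:20:00 +0000] "GET /health HTTP/1.1" 200 "-" "-"
"""


def parse_line(line: str):
    """Return the line's fields as a dict, or None if it does not match the format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_suspicious(rec: dict) -> bool:
    """A credentialed API request whose Origin is set and not trusted.

    The CORS preflight (OPTIONS, no cookie) is deliberately not flagged: what
    matters is the follow-up request the server accepted with the session
    cookie attached (2xx status).
    """
    origin = rec["origin"]
    return (
        origin not in ("", "-")
        and origin not in TRUSTED_ORIGINS
        and rec["cookie"] not in ("", "-")
        and rec["status"].startswith("2")
        and rec["path"].startswith("/api/")
    )


def hunt(log_text: str) -> list[dict]:
    """Return every parsed record that meets the suspicious criteria."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_suspicious(rec):
            hits.append(rec)
    return hits


def summarize(hits: list[dict]) -> dict[str, int]:
    """Count suspicious requests per untrusted origin for triage."""
    return dict(Counter(h["origin"] for h in hits))


if __name__ == "__main__":
    found = hunt(SAMPLE_LOG)
    for h in found:
        print(f"{h['ts']} {h['ip']} {h['method']} {h['path']} origin={h['origin']}")
    print(summarize(found))
```

Two practical notes. The check depends on the proxy recording the Origin header at all, so a log with every origin field set to "-" proves nothing; confirm the format before drawing conclusions. And in production do not write raw cookie values to disk as the sample format does for brevity; log only whether a Cookie header was present, which is enough for this test.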
Context
Langflow is one of a cluster of LLM-orchestration tools that grew up assuming a single-tenant, trusted-browser model and got pushed into multi-tenant cloud and shared-infra deployments before the security model caught up. Code-execution-as-a-feature endpoints are common across this category — n8n, Flowise, Langflow, several agent platforms — and a permissive CORS turns "feature" into "RCE via bookmark click." Expect CISA to add more.
The Langflow KEV listing landed alongside CVE-2026-34926 (Trend Micro Apex One) on the same day. Two unrelated bugs, one common pattern: legitimate management surfaces with a missing browser-side guardrail. If your inventory includes anything that looks like a Langflow — a low-code workflow runner reachable from operator browsers — assume the same class of bug exists and audit your own CORS posture this week.
Full KEV listing: cisa.gov/known-exploited-vulnerabilities-catalog.