Critical vulnerability in Langflow, an AI app-building tool (CVE-2025-34291) — bad CORS plus stolen tokens can lead to code execution
Langflow, a popular tool for visually building LLM/AI workflows, has an origin-validation error (an overly permissive CORS configuration combined with a refresh-token cookie set to SameSite=None) that lets a malicious webpage make credentialed cross-origin requests, steal tokens, and ultimately achieve code execution and full system compromise. CISA listed it as known-exploited (KEV) (CVSS 8.8 High).
Key facts
- CVE ID: CVE-2025-34291
- CVSS base score: 8.8 HIGH
- CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- Affected (vendor / product): Langflow / Langflow
- CWE: CWE-346
- Exploitation: Listed in CISA KEV (exploitation confirmed)
- Remediation due: 2026-06-04 (U.S. federal civilian agencies, BOD 22-01)
Key points
- Origin-validation error (CWE-346) in Langflow (a popular OSS tool for building LLM/AI workflows in a GUI)
- Permissive CORS + a SameSite=None refresh-token cookie let a malicious page steal tokens
- Stolen tokens reach authenticated endpoints → arbitrary code execution / full system compromise
- Listed in CISA KEV = exploitation confirmed (CVSS 8.8 High / CWE-346)
- AI build tools are now a target. Response: mitigate/fix per vendor; discontinue use if not possible
CVE-2025-34291 is an origin-validation error (CWE-346) in Langflow (a popular open-source tool for visually building and running LLM and AI-agent workflows). It was added to CISA's KEV (Known Exploited Vulnerabilities) catalog on May 21, 2026.
Per NVD, the cause is the combination of (1) an overly permissive CORS (Cross-Origin Resource Sharing) configuration and (2) a refresh-token cookie set to SameSite=None. As a result, when a user opens a malicious webpage, that page can make a cross-origin request that includes the user's credentials (the cookie) and call Langflow's token-refresh endpoint. The attacker thereby obtains tokens that access authenticated endpoints, leading to arbitrary code execution and full system compromise.
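The combination described above can be checked from the defender's side by inspecting the response headers a deployment returns to a request carrying an untrusted Origin. The following is an added example, not code from Langflow or from the sources; the origin, the cookie name `refresh_token` and all header values are constructed placeholders, and a missing SameSite attribute is assumed to behave as Lax.

```python
# Added example: offline audit of the two conditions NVD describes for CVE-2025-34291.
# All header values, origins and the cookie name below are constructed placeholders.

def cookie_samesite(set_cookie: str) -> str:
    """Return the SameSite value of one Set-Cookie header, lowercased.
    Assumption: a missing attribute is treated as 'lax' (browser default)."""
    for attr in set_cookie.split(";")[1:]:
        name, _, value = attr.strip().partition("=")
        if name.lower() == "samesite":
            return value.strip().lower()
    return "lax"

def audit(untrusted_origin, headers, cookie_name):
    """headers: list of (name, value) pairs from a response to a request that
    carried 'Origin: <untrusted_origin>'. Returns a dict of findings."""
    h = [(k.lower(), v.strip()) for k, v in headers]
    acao = next((v for k, v in h if k == "access-control-allow-origin"), None)
    acac = next((v for k, v in h if k == "access-control-allow-credentials"), "")
    creds = acac.lower() == "true"
    # A browser exposes a credentialed response only if ACAO echoes the exact
    # origin; "*" together with credentials is rejected by the browser.
    cors_readable = creds and acao == untrusted_origin
    cookies = [v for k, v in h if k == "set-cookie"
               and v.split("=", 1)[0].strip() == cookie_name]
    cross_site_cookie = any(cookie_samesite(c) == "none" for c in cookies)
    return {
        "cors_readable_with_credentials": cors_readable,
        "wildcard_with_credentials": creds and acao == "*",
        "cookie_sent_cross_site": cross_site_cookie,
        # Both conditions must hold for the issue described by NVD.
        "exposed": cors_readable and cross_site_cookie,
    }

# Constructed samples: weak configuration vs. corrected configuration.
WEAK = [
    ("Access-Control-Allow-Origin", "https://untrusted.example"),
    ("Access-Control-Allow-Credentials", "true"),
    ("Set-Cookie", "refresh_token=PLACEHOLDER; Path=/; HttpOnly; Secure; SameSite=None"),
]
FIXED = [
    ("Set-Cookie", "refresh_token=PLACEHOLDER; Path=/; HttpOnly; Secure; SameSite=Strict"),
]

if __name__ == "__main__":
    for label, sample in (("weak", WEAK), ("fixed", FIXED)):
        print(label, audit("https://untrusted.example", sample, "refresh_token"))
```

Either condition alone leaves `exposed` false: a reflected origin with a Lax or Strict cookie sends no credential cross-site, and a SameSite=None cookie without a credential-allowing CORS response cannot be read by the other origin.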
What makes this important is that the target is a foundational tool for *building* AI applications. An AI development tool appearing in KEV as known-exploited shows that AI infrastructure (build/run platforms) is now a clear attack surface.
Key response: apply mitigations/fixes per the vendor (Langflow) instructions. For cloud use, follow BOD 22-01 guidance, and discontinue use if mitigations are unavailable. Internet-exposed Langflow is especially high priority. The federal civilian remediation deadline was June 4, 2026.
Why it matters
This is a case of an AI app-building tool entering KEV, which shows that AI infrastructure itself is a target. Organizations using AI development tools like Langflow should check versions, review exposure, and inspect token/authentication settings.
Sources (primary)
This article is an independent summary based on the official U.S. data below. Always verify the exact, latest details and applicability with the official and vendor sources.
- CISA KEV Catalog (known exploited list)
- NVD (CVE details / CVSS)
- Vendor / reference advisory
- This product uses data from the NVD API but is not endorsed or certified by the NVD. KEV data is CC0 (public domain).