Cyber Resilience

CVE-2025-34291

CriticalCISA KEVActive ExploitationPublic PoCUpdated

Published: 05 December 2025

Published
05 December 2025
Modified
21 May 2026
KEV Added
21 May 2026
Patch
CVSS Score v4 9.4 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.3478 97.1th percentile
Risk Priority 60 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-34291 is a critical-severity Origin Validation Error (CWE-346) vulnerability in Langflow Langflow. Its CVSS base score is 9.4 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 2.9% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog; a public proof-of-concept is referenced.

This vulnerability is AI-related — categorised as LLM Application Platforms; in the Supply Chain and Deployment risk domain.

The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and SI-2 (Flaw Remediation).

Deeper analysis

Langflow versions up to and including 1.6.9 contain a chained vulnerability stemming from an overly permissive CORS policy that sets allow_origins to wildcard while also enabling allow_credentials, paired with a refresh token cookie configured as SameSite=None. This combination is tracked under CWE-346 and carries a CVSS 4.0 score of 9.4.

An attacker who can lure a victim to a malicious webpage can issue cross-origin requests that include credentials, invoke the refresh endpoint, and obtain fresh access and refresh token pairs. With those tokens the attacker gains access to authenticated endpoints, including Langflow’s built-in code-execution functionality, resulting in arbitrary code execution and full system compromise.

The vulnerability appears in the CISA Known Exploited Vulnerabilities catalog and has been analyzed in public reports from Obsidian Security and VulnCheck. Its EPSS score has remained elevated, reaching a peak of 0.3538 and currently sitting at 0.3275, indicating sustained exploitation interest since disclosure. Langflow is an AI-agent workflow platform, making the remote-code-execution path particularly concerning for organizations running unpatched instances.

EU & UK References

Vulnerability details

Langflow versions up to and including 1.6.9 contain a chained vulnerability that enables account takeover and remote code execution. An overly permissive CORS configuration (allow_origins='*' with allow_credentials=True) combined with a refresh token cookie configured as SameSite=None allows a malicious webpage…

more

to perform cross-origin requests that include credentials and successfully call the refresh endpoint. An attacker-controlled origin can therefore obtain fresh access_token / refresh_token pairs for a victim session. Obtained tokens permit access to authenticated endpoints — including built-in code-execution functionality — allowing the attacker to execute arbitrary code and achieve full system compromise.

CWE(s)
KEV Date Added
21 May 2026

AI Security AnalysisAI

AI Category
LLM Application Platforms
Risk Domain
Supply Chain and Deployment
OWASP Top 10 for LLMs 2025
None mapped
Classification Reason
Matched keywords: langflow

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1528 Steal Application Access Token Credential Access
Adversaries can steal application access tokens as a means of acquiring credentials to access remote systems and resources.
T1566.002 Spearphishing Link Initial Access
Adversaries may send spearphishing emails with a malicious link in an attempt to gain access to victim systems.
Why these techniques?

CVE enables exploitation of public-facing web application (T1190) via phishing-delivered malicious webpage (T1566.002) to steal application access/refresh tokens (T1528), leading to account takeover and RCE.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-33017Same product: Langflow Langflowboth on KEV
CVE-2026-7524Same product: Langflow Langflow
CVE-2026-0770Same product: Langflow Langflow
CVE-2026-0768Same product: Langflow Langflow
CVE-2026-7528Same product: Langflow Langflow
CVE-2026-0769Same product: Langflow Langflow
CVE-2026-3357Same product: Langflow Langflow
CVE-2026-21445Same product: Langflow Langflow
CVE-2026-33484Same product: Langflow Langflow
CVE-2026-42048Same product: Langflow Langflow

Affected Assets

langflow
langflow
≤ 1.6.9

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Requires establishment of secure configuration settings for web applications, directly mitigating the permissive CORS (allow_origins='*') and unsafe SameSite=None cookie configurations exploited in this CVE.

prevent

Mandates timely flaw remediation including patching Langflow to versions beyond 1.6.9, eliminating the chained vulnerability enabling token theft and RCE.

preventdetect

Enforces boundary protections such as web application firewalls or proxies to monitor and restrict unauthorized cross-origin credentialed requests to the refresh endpoint.

References