CVE-2025-34291
Published 2025-12-05
Priority P193 · high · 8.8 (CVSS 3.1)
AV:N / AC:L / PR:L / UI:N / S:U / C:H / I:H / A:H
KEV · ITW · EXPLOIT
CISA Known Exploited Vulnerability, due 2026-06-04
Exploited in the wild
EPSS: 78.89% (99.5th percentile)
Langflow versions up to and including 1.6.9 contain a chained vulnerability that enables account takeover and remote code execution. An overly permissive CORS configuration (allow_origins='*' with allow_credentials=True) combined with a refresh token cookie configured as SameSite=None allows a malicious webpage to perform cross-origin requests that include credentials and successfully call the refresh endpoint. An attacker-controlled origin can therefore obtain fresh access_token / refresh_token pairs for a victim session. Obtained tokens permit access to authenticated endpoints — including built-in code-execution functionality — allowing the attacker to execute arbitrary code and achieve full system compromise.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| langflow | langflow | <= 1.6.9 | — |
| langflow | langflow | 0 – 1.6.9 | — |
Detection & IOCs (extracted from sources)
url: /api/v1/refresh
url: /api/v1/validate/code
other: Access-Control-Allow-Origin: https://scanme.sh
other: Access-Control-Allow-Credentials: true
sigma: Nuclei template id: CVE-2025-34291 — OPTIONS /api/v1/refresh with Origin header and matching Access-Control-Allow-Origin + Access-Control-Allow-Credentials: true response
- Monitor for cross-origin credentialed POST requests to /api/v1/refresh from unexpected or external origins, which indicates token-theft exploitation in progress.
- Monitor for POST requests to /api/v1/validate/code from newly issued tokens or unfamiliar source IPs, as this is the code-execution endpoint leveraged after token theft.
- Use Shodan/FOFA queries to identify exposed Langflow instances as potential targets: Shodan html:"Langflow", FOFA body="Langflow".
- CVE-2025-34291 has been weaponized by the Iranian state-sponsored group MuddyWater for initial access; treat any anomalous Langflow token refresh activity as high-priority triage.
- Exploitation impact extends beyond the Langflow instance itself — all access tokens and API keys stored in the workspace are exposed, potentially enabling cascading compromise of integrated downstream cloud/SaaS services.
- The vulnerability requires allow_origins='*' combined with allow_credentials=True in the CORS configuration; both conditions must be present for the attack to succeed.
- The exploit chain requires three combined weaknesses: overly permissive CORS, lack of CSRF protection, and a code-execution endpoint accessible by design — all present in Langflow ≤ 1.6.9.
- Affected versions are Langflow up to and including 1.6.9; the fix is available in version 1.7.0 and later (confirmed patched in v1.9.3 per CISA notes).
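The two monitoring points above, correlated in one pass over access logs. This is an added example, not code from Langflow or any of the cited sources; the JSON log schema (ts, src_ip, method, path, origin, user), the trusted origin and the 30-minute window are assumptions, and the sample log lines are constructed.

```python
import json
from datetime import datetime, timedelta

# Assumption: the origin(s) your own Langflow UI is served from.
TRUSTED_ORIGINS = {"https://langflow.example.internal"}
WINDOW = timedelta(minutes=30)

# Constructed sample lines in a hypothetical reverse-proxy JSON log schema.
SAMPLE_LOG = """\
{"ts":"2026-01-10T09:00:00","src_ip":"10.0.0.5","method":"POST","path":"/api/v1/refresh","origin":"https://langflow.example.internal","user":"alice"}
{"ts":"2026-01-10T09:05:00","src_ip":"10.0.0.5","method":"POST","path":"/api/v1/validate/code","origin":"https://langflow.example.internal","user":"alice"}
{"ts":"2026-01-10T10:00:00","src_ip":"10.0.0.7","method":"POST","path":"/api/v1/refresh","origin":"https://unknown-site.example","user":"bob"}
{"ts":"2026-01-10T10:02:00","src_ip":"203.0.113.9","method":"POST","path":"/api/v1/validate/code","origin":null,"user":"bob"}
"""

def triage(log_text, trusted=TRUSTED_ORIGINS, window=WINDOW):
    """Return alerts as (severity, user, detail) tuples; expects time-ordered lines."""
    alerts = []
    suspect = {}  # user -> (time, src_ip) of the last untrusted-origin refresh
    for line in log_text.splitlines():
        if not line.strip():
            continue
        e = json.loads(line)
        if e["method"] != "POST":
            continue
        ts = datetime.fromisoformat(e["ts"])
        path = e["path"].split("?")[0].rstrip("/")
        if path == "/api/v1/refresh":
            origin = e.get("origin")
            # Non-browser clients may omit Origin; flag only a present, untrusted one
            # (the literal string "null" from sandboxed frames counts as untrusted).
            if origin and origin not in trusted:
                suspect[e["user"]] = (ts, e["src_ip"])
                alerts.append(("medium", e["user"],
                               f"cross-origin refresh from {origin}"))
        elif path == "/api/v1/validate/code":
            hit = suspect.get(e["user"])
            # Token minted by a cross-origin refresh, then used from a different IP.
            if hit and timedelta(0) <= ts - hit[0] <= window and e["src_ip"] != hit[1]:
                alerts.append(("high", e["user"],
                               f"validate/code from new IP {e['src_ip']} "
                               "after cross-origin refresh"))
    return alerts

if __name__ == "__main__":
    for alert in triage(SAMPLE_LOG):
        print(alert)
```
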
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | v4.0 | 9.4 | CRITICAL | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| vulncheck | — | 9.4 | CRITICAL | — |
| cisa | — | 9.4 | CRITICAL | — |
VulDB
Langflow up to 1.6.9 Refresh Endpoint origin validation (EUVD-2025-201507)
vuldb·2026-05-21·CVSS 9.4
CVE-2025-34291 [CRITICAL] Langflow up to 1.6.9 Refresh Endpoint origin validation (EUVD-2025-201507)
A vulnerability was found in Langflow up to 1.6.9 and classified as critical. This affects an unknown part of the component Refresh Endpoint. Executing a manipulation can lead to origin validation error.
The identification of this vulnerability is CVE-2025-34291. The attack may be launched remotely. Furthermore, there is an exploit available.
OSV
Langflow CORS misconfiguration enables Account Takeover and RCE
osv·2025-12-06
CVE-2025-34291 [CRITICAL] Langflow CORS misconfiguration enables Account Takeover and RCE
GHSA
Langflow CORS misconfiguration enables Account Takeover and RCE
ghsa·2025-12-06
CVE-2025-34291 [CRITICAL] CWE-346 Langflow CORS misconfiguration enables Account Takeover and RCE
VulnCheck
langflow langflow Origin Validation Error
vulncheck·2025·CVSS 9.4
CVE-2025-34291 [CRITICAL] langflow langflow Origin Validation Error
Affected: langflow langflow
Requi
CISA
Langflow Origin Validation Error Vulnerability
cisa·2026-05-21·CVSS 9.4
CVE-2025-34291 [CRITICAL] CWE-346 Langflow Origin Validation Error Vulnerability
Vulnerability: Langflow Origin Validation Error Vulnerability
Affected: Langflow Langflow
Langflow contains an origin validation error vulnerability in which an overly permissive CORS configuration combined with a refresh token cookie configured as SameSite=None allows a malicious webpage to perform cross-origin requests that include credentials and successfully call the refresh endpoint. This could allow the attacker to execute arbitrary code and achieve full system compromise via obtained tokens that permit access to authenticated endpoints.
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Notes: This vulnerability could affect an open-source component,
No detection rules found.
Nuclei
Langflow AI <= 1.6.9 - CORS Misconfiguration
nuclei·CVSS 9.4
CVE-2025-34291 [CRITICAL] Langflow AI <= 1.6.9 - CORS Misconfiguration
Langflow AI versions 1.6.9 and earlier are vulnerable to a CORS misconfiguration that allows any origin to make credentialed requests. Combined with SameSite=None cookies, this enables cross-origin token theft and subsequent remote code execution via the /api/v1/validate/code endpoint.
Template:
```yaml
id: CVE-2025-34291
info:
  name: Langflow AI <= 1.6.9 - CORS Misconfiguration
  author: 686f6c61
  severity: critical
  description: |
    Langflow AI versions 1.6.9 and earlier are vulnerable to a CORS misconfiguration that allows any origin to make credentialed requests. Combined with SameSite=None cookies, this enables cross-origin token theft and subsequent remote code execution via the /api/v1/validate/code endpoint.
  impact: |
    An attacker can steal authenti
```
Hackernews
Unpatched Langflow Flaw CVE-2026-5027 Exploited for Unauthenticated RCE
blogs_hackernews·2026-06-10·CVSS 8.8
CVE-2026-5027 [HIGH] Unpatched Langflow Flaw CVE-2026-5027 Exploited for Unauthenticated RCE
## Unpatched Langflow Flaw CVE-2026-5027 Exploited for Unauthenticated RCE
A high-severity unpatched security flaw in Langflow, an open-source low-code platform to build artificial intelligence (AI) applications, has come under active exploitation in the wild, according to findings from VulnCheck.
The vulnerability in question is CVE-2026-5027 (CVSS score: 8.8), a case of path traversal that could allow an attacker to write files to arbitrary locations.
"The 'POST /api/v2/files' endpoint does not sanitize the 'filename' parameter from the multipart form data, allowing an attacker to write files to arbitrary locations on the fi
Hackernews
CISA Adds Exploited Langflow and Trend Micro Apex One Vulnerabilities to KEV
blogs_hackernews·2026-05-22·CVSS 9.4
CVE-2025-34291 [CRITICAL] CISA Adds Exploited Langflow and Trend Micro Apex One Vulnerabilities to KEV
## CISA Adds Exploited Langflow and Trend Micro Apex One Vulnerabilities to KEV
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added two security flaws impacting Langflow and Trend Micro Apex One to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.
The vulnerabilities in question are listed below:
- CVE-2025-34291 (CVSS score: 9.4) - An origin validation error vulnerability in Langflow that could allow an attacker to execute arbitrary code and achieve full system compromise.
- CVE-2026-34926 (CVSS score: 6.7) - A directory traversal vulnerability in on-prem
- https://github.com/langflow-ai/langflow
- https://www.obsidiansecurity.com/blog/cve-2025-34291-critical-account-takeover-and-rce-vulnerability-in-the-langflow-ai-agent-workflow-platform
- https://www.vulncheck.com/advisories/langflow-cors-misconfiguration-to-token-hijack-and-rce
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-34291
- https://www.crowdsec.net/vulntracking-report/cve-2025-34291
Published: 2025-12-05
Added to CISA KEV: 2026-05-21
Exploited in the wild