CVE-2025-34291
published 2025-12-05


Priority: P1 · 93 · CVSS 3.1: 8.8 (High)
Vector: AV:N / AC:L / PR:L / UI:N / S:U / C:H / I:H / A:H
Tags: KEV · ITW · EXPLOIT
CISA Known Exploited Vulnerability, due 2026-06-04
Exploited in the wild
EPSS: 78.89% (99.5th percentile)
Langflow versions up to and including 1.6.9 contain a chained vulnerability that enables account takeover and remote code execution. An overly permissive CORS configuration (allow_origins='*' with allow_credentials=True) combined with a refresh token cookie configured as SameSite=None allows a malicious webpage to perform cross-origin requests that include credentials and successfully call the refresh endpoint. An attacker-controlled origin can therefore obtain fresh access_token / refresh_token pairs for a victim session. Obtained tokens permit access to authenticated endpoints — including built-in code-execution functionality — allowing the attacker to execute arbitrary code and achieve full system compromise.
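
The chain above rests on two browser-side preconditions: the server must echo an attacker's Origin back with Access-Control-Allow-Credentials: true, and the refresh cookie must be attached to a cross-site POST. The following Python model is an added example, not Langflow's code or anything from this page's sources; it treats the server as a Starlette-style CORSMiddleware that reflects the caller's Origin when allow_origins is a wildcard and allow_credentials is true (an assumption consistent with the Access-Control-Allow-Origin: https://scanme.sh header recorded in the IOCs), applies the browser's rules for credentialed CORS responses and SameSite cookies, and shows that removing either precondition breaks token theft. The origin https://langflow.example is a hypothetical own origin.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class CorsConfig:
    """Subset of the CORSMiddleware settings the advisory names."""
    allow_origins: tuple[str, ...]   # ("*",) or an explicit allow-list
    allow_credentials: bool


def cors_response_headers(cfg: CorsConfig, request_origin: str) -> dict[str, str]:
    """CORS headers a Starlette-style middleware emits for a cross-origin request.

    Assumption (consistent with the 'Access-Control-Allow-Origin: https://scanme.sh'
    IOC on this page): a wildcard allow-list combined with allow_credentials=True
    reflects the caller's Origin, because a literal '*' is never accepted by the
    browser on a credentialed response.
    """
    headers: dict[str, str] = {}
    if "*" in cfg.allow_origins:
        headers["Access-Control-Allow-Origin"] = request_origin if cfg.allow_credentials else "*"
    elif request_origin in cfg.allow_origins:
        headers["Access-Control-Allow-Origin"] = request_origin
    else:
        return headers  # origin not allowed: no CORS headers, the browser blocks the read
    if cfg.allow_credentials:
        headers["Access-Control-Allow-Credentials"] = "true"
    return headers


def scanner_matches(request_origin: str, headers: dict[str, str]) -> bool:
    """The matcher the Nuclei template in the IOC list applies: our Origin is echoed
    back verbatim and credentials are allowed. It is also exactly the check a browser
    performs before exposing a credentialed response body to script."""
    return (headers.get("Access-Control-Allow-Origin") == request_origin
            and headers.get("Access-Control-Allow-Credentials", "").lower() == "true")


def cookie_attached_cross_site(samesite: str, method: str,
                               top_level_navigation: bool = False) -> bool:
    """Whether a cookie with the given SameSite value rides along on a cross-site
    request. None: always (Secure required). Lax: only top-level GET navigations,
    never a fetch() POST. Strict: never cross-site."""
    value = samesite.lower()
    if value == "none":
        return True
    if value == "lax":
        return top_level_navigation and method.upper() == "GET"
    return False


def refresh_token_theft_succeeds(cfg: CorsConfig, refresh_cookie_samesite: str,
                                 attacker_origin: str) -> bool:
    """A page at attacker_origin runs, in the victim's browser, a credentialed
    cross-origin POST to /api/v1/refresh. Theft needs both: the refresh cookie is
    attached, and the browser lets attacker script read the JSON body carrying
    the new access_token / refresh_token pair."""
    if not cookie_attached_cross_site(refresh_cookie_samesite, "POST"):
        return False
    return scanner_matches(attacker_origin, cors_response_headers(cfg, attacker_origin))


VULNERABLE = CorsConfig(allow_origins=("*",), allow_credentials=True)   # the advisory's setting
HARDENED = CorsConfig(allow_origins=("https://langflow.example",),       # hypothetical own origin
                      allow_credentials=True)
ATTACKER_ORIGIN = "https://scanme.sh"   # origin shown in the page's IOCs


if __name__ == "__main__":
    cases = [("vulnerable: CORS '*' + credentials, cookie SameSite=None", VULNERABLE, "None"),
             ("hardened: explicit origin, cookie SameSite=Lax", HARDENED, "Lax"),
             ("only CORS fixed, cookie still SameSite=None", HARDENED, "None"),
             ("only cookie fixed, CORS still '*' + credentials", VULNERABLE, "Lax")]
    for label, cfg, samesite in cases:
        outcome = refresh_token_theft_succeeds(cfg, samesite, ATTACKER_ORIGIN)
        print(f"{label}: token theft {'SUCCEEDS' if outcome else 'blocked'}")
```

Two caveats the model makes visible. With only the CORS side fixed, the cross-site POST still reaches the server with the victim's cookie and still mints a token pair; the browser merely refuses to hand the body to the attacker's script, which is why the page lists missing CSRF protection as a separate weakness. And allow_origins='*' without allow_credentials is not exploitable this way, since the literal '*' is rejected by the browser on a credentialed response.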

Affected (2 ranges)

Vendor     Product    Version range   Fixed in
langflow   langflow   <= 1.6.9
langflow   langflow   0 – 1.6.9

Detection & IOCs (extracted from sources)

url: /api/v1/refresh
url: /api/v1/validate/code
cookie: SameSite=None refresh token cookie
other: Access-Control-Allow-Origin: https://scanme.sh
other: Access-Control-Allow-Credentials: true
sigma: Nuclei template id CVE-2025-34291: OPTIONS /api/v1/refresh with an Origin header, matching on a reflected Access-Control-Allow-Origin plus Access-Control-Allow-Credentials: true in the response
  • Monitor for cross-origin credentialed POST requests to /api/v1/refresh whose Origin header is an unexpected or external origin; this indicates token-theft exploitation in progress. The request is issued by the victim's own browser, so the source IP will be the victim's and the Origin header is the signal.
  • Monitor for POST requests to /api/v1/validate/code made with newly issued tokens or from unfamiliar source IPs, as this is the code-execution endpoint leveraged after token theft.
  • Use Shodan/FOFA queries to identify exposed Langflow instances as potential targets: Shodan html:"Langflow", FOFA body="Langflow".
  • CVE-2025-34291 has been weaponized by the Iranian state-sponsored group MuddyWater for initial access; treat any anomalous Langflow token refresh activity as high-priority triage.
  • Exploitation impact extends beyond the Langflow instance itself: all access tokens and API keys stored in the workspace are exposed, potentially enabling cascading compromise of integrated downstream cloud/SaaS services.
  • The vulnerability requires allow_origins='*' combined with allow_credentials=True in the CORS configuration; both conditions must be present for the attack to succeed.
  • The exploit chain requires three combined weaknesses: overly permissive CORS, lack of CSRF protection, and a code-execution endpoint accessible by design, all present in Langflow ≤ 1.6.9.
  • Affected versions are Langflow up to and including 1.6.9; the fix is available in version 1.7.0 and later (confirmed patched in v1.9.3 per CISA notes).
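
The first two hunting bullets above, run as code. This is an added detection example, not a rule from the page's sources or from Langflow: it parses constructed JSON access-log lines (the field names ts, src_ip, user, method, path, origin and status are assumptions about what a reverse proxy in front of Langflow would record; the trusted origin https://langflow.example and the baseline IP set are hypothetical), flags credentialed refreshes from a foreign Origin, and correlates a later /api/v1/validate/code call by the same user into a higher-severity alert. A low-severity rule for preflight probes from foreign origins, the shape of the Nuclei check in the IOC list, is included as well.

```python
import json
from datetime import datetime, timedelta

# Assumptions (hypothetical): the instance's own origin, the IPs that normally
# use the workspace, and the correlation window between refresh and code execution.
TRUSTED_ORIGINS = {"https://langflow.example"}
BASELINE_IPS = {"10.0.0.5"}
REFRESH_PATH = "/api/v1/refresh"
CODE_EXEC_PATH = "/api/v1/validate/code"
CORRELATION_WINDOW = timedelta(minutes=10)

# Constructed sample log, one JSON object per line. Line 2 is the victim's own
# browser (same src_ip as line 1) performing a refresh on behalf of https://scanme.sh;
# line 3 is the attacker using the stolen token from a different address.
SAMPLE_LOG = """\
{"ts":"2025-12-05T10:00:00Z","src_ip":"10.0.0.5","user":"alice","method":"POST","path":"/api/v1/refresh","origin":"https://langflow.example","status":200}
{"ts":"2025-12-05T10:01:00Z","src_ip":"10.0.0.5","user":"alice","method":"POST","path":"/api/v1/refresh","origin":"https://scanme.sh","status":200}
{"ts":"2025-12-05T10:02:30Z","src_ip":"203.0.113.7","user":"alice","method":"POST","path":"/api/v1/validate/code","origin":null,"status":200}
{"ts":"2025-12-05T10:05:00Z","src_ip":"10.0.0.5","user":"bob","method":"POST","path":"/api/v1/validate/code","origin":null,"status":200}
{"ts":"2025-12-05T10:06:00Z","src_ip":"10.0.0.5","user":"alice","method":"OPTIONS","path":"/api/v1/refresh","origin":"https://scanme.sh","status":200}
"""


def parse_log(text: str) -> list[dict]:
    """One JSON object per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def event_time(event: dict) -> datetime:
    return datetime.fromisoformat(event["ts"].replace("Z", "+00:00"))


def detect(events: list[dict]) -> list[tuple[str, str, dict]]:
    """Return (severity, rule, event) triples in chronological order."""
    alerts: list[tuple[str, str, dict]] = []
    suspected_theft: dict[str, datetime] = {}   # user -> time of last foreign-origin refresh
    for e in sorted(events, key=event_time):
        origin = e.get("origin")
        foreign = bool(origin) and origin not in TRUSTED_ORIGINS
        if e["path"] == REFRESH_PATH and e["method"] == "OPTIONS" and foreign:
            alerts.append(("LOW", "cross-origin preflight against refresh endpoint (scanner/probe)", e))
        elif e["path"] == REFRESH_PATH and e["method"] == "POST" and e["status"] == 200 and foreign:
            # src_ip is the victim's: the victim's browser made this request, so the
            # Origin header rather than the address is what identifies the theft.
            alerts.append(("HIGH", "cross-origin credentialed refresh: token theft in progress", e))
            suspected_theft[e["user"]] = event_time(e)
        elif e["path"] == CODE_EXEC_PATH and e["method"] == "POST":
            stolen_at = suspected_theft.get(e["user"])
            if stolen_at is not None and event_time(e) - stolen_at <= CORRELATION_WINDOW:
                alerts.append(("CRITICAL", "code execution shortly after suspected token theft", e))
            elif e["src_ip"] not in BASELINE_IPS:
                alerts.append(("MEDIUM", "code execution from unfamiliar source IP", e))
    return alerts


if __name__ == "__main__":
    for severity, rule, e in detect(parse_log(SAMPLE_LOG)):
        print(f"{severity:8} {e['ts']} {e['user']:6} {e['src_ip']:12} {rule}")
```

On the sample, bob's code execution from a baseline address produces nothing, while alice's sequence yields HIGH (foreign-origin refresh from her own browser), CRITICAL (code execution ninety seconds later from 203.0.113.7 with the freshly minted token) and LOW (the later preflight probe). If the proxy does not log the Origin header, the HIGH rule has nothing to match on; adding that header to the access-log format is the prerequisite for this detection.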

CVSS provenance

nvd (v3.1): 8.8 HIGH, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd (v4.0): 9.4 CRITICAL, CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vulncheck: 9.4 CRITICAL
cisa: 9.4 CRITICAL