basicsecurity.net
Proof, not just disclosure.
CVE-2025-34291 · EUVD: no mirror located · GCVE: no mirror located · Verified 2026-06-06

Langflow vulnerability

Langflow contains an origin validation error allowing cross-origin requests with credentials via permissive CORS and SameSite=None refresh token cookies, enabling token theft and arbitrary code execution.

Verdict

Today item — known-exploited.

An attacker can exploit overly permissive CORS configuration combined with insecure cookie settings to steal refresh tokens from a victim's browser, gain authenticated access to Langflow endpoints, and execute arbitrary code for full system compromise.

CISA KEV: Yes (added 2026-05-21) · EPSS 0.32746 (verify live)
01 Is it exploitable? — the evidence, ranked above the score

Exploited in the wild
Listed in the CISA Known Exploited Vulnerabilities catalog (added 2026-05-21).
Source: CISA KEV (Confirmed)

Probability (EPSS)
EPSS 0.32746 — modeled likelihood of exploitation activity. EPSS is a daily-changing model output; open the source for today's value.

Severity / affected
Affected: Langflow. Confirm exact fixed builds in the vendor advisory.
Source: NVD (Reported)

Weakness (CWE)
Mapped to CWE-346 Origin Validation Error — weakness family: Cryptography. CWE assignment from the public NVD record; the weakness class drives how the flaw is exploited.
Source: NVD (Reported)
02 Who's exploiting it? — attribution turns risk into urgency

Attribution not established

No threat-actor attribution is established from the public feed for this record. Absence of a named actor is not absence of compromise — see Coverage & confidence.

03 Why it matters — the attack path, told twice: adversary, then board

1. Front door — unauthenticated access
Attacker: I craft a malicious webpage and trick a Langflow user into visiting it while authenticated to their Langflow instance.
Business: User credentials and system access are compromised through client-side exploitation without direct authentication.

2. Keys to the kingdom — privilege/identity takeover
Attacker: I use the malicious page to make cross-origin requests that include the victim's refresh token cookie, bypassing same-origin policy.
Business: Authentication tokens are exfiltrated, allowing unauthorized access to protected endpoints and user data.

3. Lateral reach — past segmentation
Attacker: I obtain valid refresh tokens and use them to call authenticated endpoints, gaining the same privileges as the compromised user.
Business: Attacker gains persistent authenticated access to the Langflow instance with user-level or higher permissions.

4. Data at risk — exfiltration
Attacker: I leverage authenticated access to execute arbitrary code through Langflow's available endpoints and functionality.
Business: Complete system compromise occurs, with attacker able to modify data, access sensitive information, or pivot to other systems.
04 What to do — defensible action

  • Remediate per the vendor advisory — confirm the fixed build for your version and verify exposure.

Say it to the board: A vulnerability with this evidence profile is a defensible budget line, not a backlog ticket — fund the change against the proof above.
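To help with the "verify exposure" step, here is an added example (not the site's or Langflow's own code) that audits a response's CORS and Set-Cookie headers for the combination this record describes: an Access-Control-Allow-Origin that echoes an untrusted Origin together with Access-Control-Allow-Credentials: true, plus a token cookie marked SameSite=None. The cookie-name heuristic, the origin names and the sample header sets are assumptions constructed for illustration; the page does not give Langflow's real cookie names.

```python
import re

# Assumption: credential cookies are recognised by a name containing "token";
# this page does not give Langflow's actual cookie names.
TOKEN_COOKIE = re.compile(r"token", re.IGNORECASE)

def parse_set_cookie(header):
    """Split one Set-Cookie value into (cookie name, {attribute: value})."""
    first, *rest = [part.strip() for part in header.split(";")]
    attrs = {}
    for part in rest:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()  # flags like HttpOnly map to ""
    return first.partition("=")[0].strip(), attrs

def audit_cors_cookies(request_origin, headers):
    """Flag the pattern this record describes for a response to a request that
    carried an `Origin` the server should NOT trust: CORS echoing that origin with
    credentials allowed, plus a token cookie marked SameSite=None."""
    plain, cookies = {}, []
    for key, value in headers:  # (name, value) pairs, one per Set-Cookie line
        if key.lower() == "set-cookie":
            cookies.append(parse_set_cookie(value))
        else:
            plain[key.lower()] = value
    creds = plain.get("access-control-allow-credentials", "").lower() == "true"
    acao = plain.get("access-control-allow-origin", "")
    reflects = creds and acao == request_origin  # CWE-346 core: untrusted origin accepted
    findings = []
    if reflects:
        findings.append(f"CORS echoes untrusted origin {acao!r} with credentials allowed")
    for name, attrs in cookies:
        if TOKEN_COOKIE.search(name) and attrs.get("samesite", "").lower() == "none":
            findings.append(f"token cookie {name!r} is sent cross-site (SameSite=None)")
            if reflects:  # both conditions together: the browser attaches the cookie
                findings.append(f"token cookie {name!r} exposed to credentialed "
                                "cross-origin requests (CORS reflection + SameSite=None)")
    return findings

# Constructed sample responses, not captured from a real Langflow instance.
ORIGIN = "https://attacker.example"
VULNERABLE = [("Access-Control-Allow-Origin", ORIGIN),
              ("Access-Control-Allow-Credentials", "true"),
              ("Set-Cookie", "refresh_token=abc; Path=/; Secure; HttpOnly; SameSite=None")]
HARDENED = [("Access-Control-Allow-Origin", "https://langflow.internal.example"),
            ("Access-Control-Allow-Credentials", "true"),
            ("Set-Cookie", "refresh_token=abc; Path=/; Secure; HttpOnly; SameSite=Lax")]

if __name__ == "__main__":
    print("vulnerable:", audit_cors_cookies(ORIGIN, VULNERABLE))
    print("hardened:", audit_cors_cookies(ORIGIN, HARDENED))
```

In practice, feed it the headers from a request you send to your own instance with a throwaway Origin value; an empty result for every token cookie and no echo finding means this particular combination is closed, which does not replace applying the vendor fix.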
05 Coverage & confidence — what we know, and what we don't

Established (cited)

  • KEV listing (CISA)
  • EPSS probability (FIRST)
  • CWE weakness mapping (NVD)
  • Catalogued by VulnCheck (CNA)
  • Named finder/reporter credit (CVE.org)

Coverage gaps — stated, not hidden

  • No EUVD / GCVE mirror in feed — single-authority dependency for the identifier.
  • EPSS & exposure are time-varying; verify live at the source.
  • Threat-actor attribution not established from feed data — absence of a name is not absence of compromise.

Disclosure & credit
Catalogued by: VulnCheck (CNA)
Credited with finding it: Fenix Qiao (aka 13ph03nix) from Obsidian Security (finder); Shuyang Wang from Obsidian Security (finder)