Langflow CVE-2025-34291: CISA Adds Critical AI Workflow RCE Chain to KEV
What Happened
CISA added CVE-2025-34291 to its Known Exploited Vulnerabilities catalog on May 21, 2026, with a remediation due date of June 4, 2026. The flaw affects Langflow, an open-source AI agent and workflow platform. NVD describes it as a chained vulnerability in Langflow versions up to and including 1.6.9 that can lead to account takeover and remote code execution.
Why It Matters
Langflow often stores API keys, model credentials, SaaS tokens, database connectors, and workflow secrets. A compromise is not just “access to an AI tool”; it can become access to whatever the AI workflow can reach.
The vulnerable chain combines:
- overly permissive CORS
- credentialed cross-origin requests
- weak refresh-token cookie behavior
- authenticated access to code-execution functionality
GitHub’s advisory states that an attacker-controlled origin can obtain fresh access and refresh token pairs for a victim session, then use authenticated endpoints, including built-in code-execution functionality.
Technical Details
The core issue is an origin validation error. Langflow allowed cross-origin requests with credentials from arbitrary origins while refresh tokens were configured in a way that allowed browser-assisted abuse.
NVD summarizes the chain as:
- allow_origins='*'
- allow_credentials=True
- SameSite=None refresh token cookie
- cross-origin credentialed request to refresh endpoint
- token theft
- authenticated endpoint access
- remote code execution
The CVE has a CVSS v4.0 score of 9.4 Critical from the CNA, with network attack vector, low complexity, no privileges required, and passive user interaction.
Potential Impact
A successful attack may allow:
- takeover of a valid Langflow user session
- access to stored flows, credentials, and integrations
- arbitrary code execution on the Langflow host
- compromise of downstream cloud, SaaS, database, or internal services
- lateral movement from an exposed AI workflow server
This is especially risky for self-hosted Langflow instances exposed through public reverse proxies, Docker deployments, cloud VMs, or internal developer platforms.
Who Is Affected
Affected:
Langflow <= 1.6.9
NVD lists Langflow versions up to and including 1.6.9 as vulnerable.
Defensive Recommendations
Upgrade Langflow immediately. CISA’s required action is to apply vendor mitigations, follow BOD 22-01 guidance for cloud services, or discontinue use if mitigations are unavailable.
Practical operator checklist:
```bash
# Check installed package version
pip show langflow
# If running via container
docker ps | grep -i langflow
docker image ls | grep -i langflow
```
Then:
```bash
# Upgrade Python package deployment
pip install --upgrade langflow
```
For Docker deployments, rebuild or pull the updated image according to your deployment method.
Also review:
- public exposure of Langflow
- reverse proxy auth controls
- stored API keys and secrets
- recent suspicious workflow execution
- unexpected outbound connections
- Langflow logs around token refresh activity
- browser-origin anomalies in access logs
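The last two review items (token refresh activity and browser-origin anomalies) can be checked together. The following is an added example, not Langflow or CISA code; it assumes the reverse proxy writes JSON access logs that record the Origin request header, and the trusted origin, path fragments and sample log lines are constructed placeholders to replace with your own.

```python
import json
from datetime import datetime, timedelta

# Assumptions: the reverse proxy writes JSON access logs that record the Origin
# request header; the path fragments below are placeholders, not confirmed routes.
TRUSTED_ORIGINS = {"https://langflow.example.internal"}
REFRESH_HINT = "/refresh"
SENSITIVE_HINTS = ("/code", "/flows")
WINDOW = timedelta(minutes=10)

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = """
{"ts":"2026-05-20T09:00:01","src":"10.0.0.5","method":"POST","path":"/api/refresh","origin":"https://langflow.example.internal","status":200}
{"ts":"2026-05-20T09:05:00","src":"10.0.0.5","method":"POST","path":"/api/code-run","origin":"https://langflow.example.internal","status":200}
{"ts":"2026-05-20T11:30:00","src":"10.0.0.5","method":"POST","path":"/api/refresh","origin":"https://unknown.example","status":200}
{"ts":"2026-05-20T11:31:10","src":"203.0.113.7","method":"POST","path":"/api/code-run","origin":"","status":200}
truncated line that is not JSON
{"ts":"2026-05-20T13:00:00","src":"10.0.0.5","method":"POST","path":"/api/code-run","origin":"https://langflow.example.internal","status":200}
"""


def parse(log_text):
    """Yield log entries with parsed timestamps, skipping malformed lines."""
    for line in log_text.splitlines():
        try:
            entry = json.loads(line)
            entry["ts"] = datetime.fromisoformat(entry["ts"])
        except (ValueError, KeyError, TypeError):
            continue
        yield entry


def find_suspicious(log_text):
    """Flag untrusted-origin refreshes, then sensitive calls within WINDOW after
    one. Correlation is by time only, since tokens may be reused from another client."""
    findings, flagged_at = [], None
    for e in sorted(parse(log_text), key=lambda e: e["ts"]):
        origin, path = e.get("origin") or "", e.get("path") or ""
        if (e.get("method") == "POST" and REFRESH_HINT in path
                and e.get("status") == 200 and origin and origin not in TRUSTED_ORIGINS):
            flagged_at = e["ts"]
            findings.append(("cross_origin_refresh", e["ts"].isoformat(), origin))
        elif (flagged_at and e["ts"] - flagged_at <= WINDOW
                and any(hint in path for hint in SENSITIVE_HINTS)):
            findings.append(("sensitive_call_after_refresh", e["ts"].isoformat(), path))
    return findings


if __name__ == "__main__":
    print(*find_suspicious(SAMPLE_LOG), sep="\n")
```

Requests without an Origin header (most non-browser clients) are not flagged as refresh anomalies, so treat an empty result as "no browser-mediated refresh seen in these logs", not as proof the instance was untouched.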
Hardening Notes
Do not expose Langflow directly to the internet without an access layer.
Recommended controls:
- VPN / Tailscale / Zero Trust proxy
- SSO in front of Langflow
- strict allowed origins
- no wildcard credentialed CORS
- short-lived sessions
- secret rotation after patching
- container isolation
- egress filtering
For Docker Compose deployments, avoid binding Langflow broadly unless required:
```yaml
ports:
  - "127.0.0.1:7860:7860"
```
Place authentication and TLS termination in front of it with a reverse proxy or access gateway.
Detection Ideas
Look for:
- unexpected POST requests to refresh endpoints
- Origin headers from unknown domains
- new access tokens issued after suspicious cross-origin traffic
- workflow/code execution shortly after token refresh
- unexpected outbound traffic from Langflow containers
- new or modified flows
- access from unusual IPs or user agents
On Linux hosts:
```bash
docker logs <langflow_container> --since 72h
journalctl -u langflow --since "72 hours ago"
ss -tulpn
```
Realistic Risk Assessment
This is not a generic web bug. The risk comes from where Langflow sits: between users, workflows, models, API tokens, and internal services.
For exposed or lightly protected instances, treat this as high priority. Patch, rotate secrets, and review logs. For internal-only deployments behind strong access controls, the exposure is reduced, but still worth remediating quickly because exploitation can be browser-mediated and session-based.