
Langflow CVE-2025-34291 CSRF RCE Active Exploitation

June 3, 2026 · 7 min read · By William

One Click to Full AI Compromise

CVE-2025-34291 isn’t another theoretical RCE. It’s a chained attack against Langflow, the open-source AI agent framework with 140,000+ GitHub stars, that turns a victim’s browser into a weapon against their own organization. A logged-in user visits a malicious page. Their browser attaches the Langflow refresh cookie to a cross-site request that page makes. The attacker receives a fresh JWT, calls the code validation endpoint with it, and gets full remote code execution on the Langflow instance. Every API key and access token stored in that workspace, for OpenAI, AWS, Slack, Salesforce, is now in the attacker’s hands. Obsidian Security disclosed the vulnerability on December 5, 2025. CrowdSec confirmed active exploitation starting January 23, 2026. CISA added it to the KEV catalog on May 21, 2026.

The Three-Legged Attack Chain

This exploit works because three independent misconfigurations chain together into a single devastating attack. Each one looks manageable in isolation. Together, they’re catastrophic.

Flaw 1 — CORS set to allow everything with credentials. Langflow’s default FastAPI middleware configuration uses allow_origins=["*"] combined with allow_credentials=True. Browsers refuse to expose a credentialed response whose Access-Control-Allow-Origin is a literal *, so Starlette’s CORSMiddleware (the middleware FastAPI wraps) echoes the requesting Origin back instead; the practical effect is that any origin can make authenticated cross-origin requests and read the responses. This is the CORS equivalent of leaving the front door open with a sign that says “please come in.” The fix has been available since version 0.6.0 via the LANGFLOW_CORS_ORIGINS environment variable, but the default remained permissive through version 1.6.9.

Flaw 2 — Refresh token cookie configured for cross-site delivery. The refresh_token_lf cookie is set with SameSite=None; Secure and remains valid for up to seven days. The /api/v1/refresh endpoint relies solely on this cookie for authentication: no CSRF token, no secondary validation. A page on an attacker-controlled domain can trigger a cross-origin POST to this endpoint, the browser attaches the cookie because of SameSite=None, and the permissive CORS headers from Flaw 1 let the page read the fresh access token out of the response. Snyk rates this as critical (CVSS 9.4) with EPSS at the 97th percentile.
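The two browser-side preconditions (Flaw 1 and Flaw 2) can be checked against a configuration without standing up Langflow. The following is an added example, not Langflow’s or FastAPI’s code: it mirrors the origin-reflection rule of Starlette’s CORSMiddleware and the browser’s SameSite rule, then asks whether a cross-site page could read a fresh access token from /api/v1/refresh. The host names are assumed for illustration.

```python
"""Browser-side preconditions of CVE-2025-34291, modelled in plain Python.

Added example; this is not Langflow code. It mirrors the origin-reflection
rule of Starlette's CORSMiddleware (the middleware FastAPI exposes): browsers
refuse to expose a credentialed response whose Access-Control-Allow-Origin is
a literal "*", so when allow_origins=["*"] is combined with
allow_credentials=True the middleware echoes the request Origin instead.
The host names below are assumed for illustration.
"""
from dataclasses import dataclass

LANGFLOW = "https://langflow.corp.example"  # assumed internal deployment
ATTACKER = "https://evil.example"           # assumed attacker-controlled page


@dataclass
class CorsPolicy:
    allow_origins: list
    allow_credentials: bool

    def response_headers(self, origin: str) -> dict:
        """CORS headers the middleware emits for a request from `origin`
        (preflight path; an origin that is not allowed gets no CORS headers)."""
        allow_all = "*" in self.allow_origins
        if not (allow_all or origin in self.allow_origins):
            return {}
        headers = {}
        if allow_all and not self.allow_credentials:
            # Literal "*" is safe: the browser will not pair it with cookies.
            headers["Access-Control-Allow-Origin"] = "*"
        else:
            # Explicit echo of whatever Origin the request carried.
            headers["Access-Control-Allow-Origin"] = origin
            headers["Vary"] = "Origin"
        if self.allow_credentials:
            headers["Access-Control-Allow-Credentials"] = "true"
        return headers


@dataclass
class Cookie:
    name: str
    same_site: str  # "None", "Lax" or "Strict"
    secure: bool

    def sent_cross_site(self) -> bool:
        """A cross-site POST carries the cookie only with SameSite=None,
        and browsers require Secure alongside SameSite=None."""
        return self.same_site == "None" and self.secure


def csrf_refresh_readable(policy: CorsPolicy, cookie: Cookie, attacker_origin: str) -> bool:
    """True when a page at attacker_origin can POST to /api/v1/refresh with the
    victim's cookie attached AND read the fresh access token from the response."""
    if not cookie.sent_cross_site():
        return False  # the endpoint sees no session; nothing to refresh
    h = policy.response_headers(attacker_origin)
    return (
        h.get("Access-Control-Allow-Origin") == attacker_origin
        and h.get("Access-Control-Allow-Credentials") == "true"
    )


REFRESH_COOKIE = Cookie("refresh_token_lf", "None", True)  # as described under Flaw 2
DEFAULT_1_6 = CorsPolicy(["*"], True)       # Langflow <= 1.6.9 default (Flaw 1)
PINNED = CorsPolicy([LANGFLOW], True)       # LANGFLOW_CORS_ORIGINS set to the real UI origin
NO_CREDENTIALS = CorsPolicy(["*"], False)   # credentials disabled, origins still open

if __name__ == "__main__":
    cases = (("default 1.6.x", DEFAULT_1_6), ("pinned origins", PINNED), ("no credentials", NO_CREDENTIALS))
    for label, pol in cases:
        readable = csrf_refresh_readable(pol, REFRESH_COOKIE, ATTACKER)
        print(f"{label:15} cross-site refresh readable: {readable}")
```

Either of the two non-default policies breaks the chain on its own: pinning origins makes the middleware drop the CORS headers for the attacker’s page, and disabling credentials makes it emit a literal * that the browser refuses to pair with the cookie. Changing the cookie to SameSite=Lax would also break it, but that is a server-side change the operator of an unpatched 1.6.x cannot make through configuration.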

Flaw 3 — Code execution endpoint by design. The /api/v1/validate/code endpoint parses and executes Python code. After CVE-2025-3248 forced the addition of authentication, it now requires a valid JWT or API key. But once the attacker has a valid token from the CSRF chain above, this endpoint becomes a direct path to arbitrary code execution with zero sandboxing. exec() on user-supplied Python, on a server full of API credentials.

The Predecessor: CVE-2025-3248

To understand why CVE-2025-34291 matters, you need the context of its predecessor. CVE-2025-3248 was an unauthenticated RCE in Langflow versions before 1.3.0 — same /api/v1/validate/code endpoint, but without any authentication at all. A community member reported the underlying issue in July 2023. It took 19 months and a second independent discovery by Horizon3.ai before Langflow added authentication to the endpoint in March 2025.

That patch created the conditions for CVE-2025-34291. By requiring authentication on the code execution endpoint, the developers shifted the attack surface from “unauthenticated RCE” to “authenticated RCE via CSRF.” The new vulnerability requires one user interaction — visiting a webpage — but the blast radius is arguably larger because it doesn’t just execute code. It steals every credential stored in the workspace, enabling lateral movement across every integrated SaaS and cloud service. Trend Micro documented active exploitation of CVE-2025-3248 to deliver the Flodrix botnet. The predecessor was already weaponized. The successor is now too.

Active Exploitation Confirmed

CrowdSec’s network telemetry detected exploitation of CVE-2025-34291 beginning January 23, 2026, barely six weeks after disclosure. Their analysis characterizes the campaign as “probably being orchestrated at a professional scale.” A key forensic detail: all observed IPs originate from residential ranges, meaning they belong to victims whose browsers were hijacked, not to the attackers themselves. This makes attribution and scope estimation difficult, and it means IP-reputation blocking will not stop the traffic; the Origin header on the request is the more useful signal.

The exploitation timeline is telling:

Date               Event
December 5, 2025   Obsidian Security discloses CVE-2025-34291
January 16, 2026   NIST publishes initial analysis (CVSS 8.8 v3.1)
January 23, 2026   CrowdSec detects first exploitation in the wild
May 21, 2026       CISA adds to Known Exploited Vulnerabilities catalog

Five and a half months from disclosure to KEV listing, and four months of confirmed in-the-wild exploitation before it. For organizations still running Langflow 1.6.9 or earlier, the window has been wide open. The Hacker News reports that CISA’s addition requires federal agencies to remediate, but the risk extends far beyond government. Any organization using Langflow for internal AI tooling, workflow automation, or customer-facing applications is exposed.

Why AI Platforms Are Prime Targets

Langflow is an integration hub by design. Users connect OpenAI, Anthropic, AWS, Azure, GCP, Slack, Salesforce, and dozens of other services — storing API keys and OAuth tokens directly in the workspace. A single compromised Langflow instance can cascade into full supply chain compromise. The Obsidian Security report draws a direct parallel to the Salesloft-Drift/UNC6395 incident, where compromised OAuth tokens led to mass data exfiltration from approximately 700 Salesforce organizations, including Cloudflare, Zscaler, and Palo Alto Networks.

AI infrastructure is uniquely vulnerable because of how it’s built and deployed. The “move fast and break things” mentality that pervades AI development means security teams are often excluded from architecture decisions. Langflow itself was acquired by DataStax in April 2024, and DataStax is being acquired by IBM for its watsonx AI portfolio. Enterprise adoption is accelerating. The attack surface is expanding faster than the security posture can keep up.

The pattern is clear: AI agent frameworks concentrate credentials, lack mature security defaults, and get deployed with minimal hardening. They are the new high-value target, and threat actors are paying attention.

What To Do Right Now

If you’re running Langflow in any environment — development, staging, or production — take these actions in order of priority:

  1. Upgrade to Langflow 1.7 or later. The default configuration in 1.7 restricts CORS origins. This is the definitive fix. The latest release is available on GitHub.
  2. If you cannot upgrade immediately, harden your CORS configuration. Set LANGFLOW_CORS_ALLOW_CREDENTIALS=False. If that breaks functionality, restrict origins via LANGFLOW_CORS_ORIGINS to explicitly trusted domains only. Never leave it at the default *.
  3. Audit stored credentials. Rotate every API key and access token that was configured in any Langflow workspace running version 1.6.9 or earlier. Assume they are compromised. This includes LLM provider keys, cloud provider credentials, and SaaS integration tokens.
  4. Check access logs for POSTs to /api/v1/refresh from unexpected origins. The CSRF path leaves traces in server access logs, but only if the Origin header is recorded: uvicorn’s default access log line (client, request line, status) does not include it, so log $http_origin at the reverse proxy first. Then look for POST requests to the refresh endpoint whose Origin does not match your organization’s domains, and for the same client calling /api/v1/validate/code shortly afterwards.
  5. Deploy WAF or reverse proxy protections. Block cross-origin requests to authentication endpoints unless they originate from known, trusted domains. CrowdSec has published detection scenarios for this specific exploit pattern.
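A concrete version of the log check in step 4, as an added example that is neither CrowdSec’s published scenarios nor Langflow code. It assumes an nginx access log format that appends $http_origin after the user agent, and the log lines it runs over are constructed. Because the source IPs in this campaign are victims’ residential addresses, the check keys on the Origin header rather than on IP reputation, then pairs a foreign-origin refresh with a validate/code call from the same client inside a short window.

```python
"""Detection for the CVE-2025-34291 CSRF chain in reverse-proxy access logs.

Added example, not CrowdSec's or Langflow's code. Assumes an nginx log_format
that appends $http_origin after the user agent, for example:
  log_format lf '$remote_addr - $remote_user [$time_local] "$request" '
                '$status $body_bytes_sent "$http_referer" "$http_user_agent" '
                '"$http_origin"';
uvicorn's default access log does not record Origin at all, so this has to be
enabled at the proxy before the check can work. Host names are assumed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

TRUSTED_ORIGINS = {"https://langflow.corp.example"}  # assumed legitimate UI origin
SENSITIVE = {"/api/v1/refresh", "/api/v1/validate/code"}
CHAIN_WINDOW = timedelta(minutes=10)  # refresh -> code exec gap worth pairing

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \d+ "[^"]*" "[^"]*" "(?P<origin>[^"]*)"$'
)

# Constructed sample: a benign refresh, a foreign-origin refresh followed two
# seconds later by code execution from the same client, an API client with no
# Origin (not a browser, so not CSRF), and an unrelated GET.
SAMPLE_LOG = """\
198.51.100.4 - - [23/Jan/2026:14:01:50 +0000] "POST /api/v1/refresh HTTP/1.1" 200 480 "https://langflow.corp.example/flows" "Mozilla/5.0" "https://langflow.corp.example"
203.0.113.7 - - [23/Jan/2026:14:02:11 +0000] "POST /api/v1/refresh HTTP/1.1" 200 480 "https://evil.example/" "Mozilla/5.0" "https://evil.example"
203.0.113.7 - - [23/Jan/2026:14:02:13 +0000] "POST /api/v1/validate/code HTTP/1.1" 200 61 "https://evil.example/" "Mozilla/5.0" "https://evil.example"
192.0.2.9 - - [23/Jan/2026:14:05:00 +0000] "POST /api/v1/validate/code HTTP/1.1" 200 61 "-" "python-requests/2.31" "-"
198.51.100.4 - - [23/Jan/2026:14:06:30 +0000] "GET /api/v1/flows/ HTTP/1.1" 200 2048 "https://langflow.corp.example/flows" "Mozilla/5.0" "https://langflow.corp.example"
"""


def parse(line: str):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["path"] = rec["path"].split("?", 1)[0]  # ignore query strings
    return rec


def foreign_origin(origin: str) -> bool:
    """Browsers always attach Origin to cross-site POSTs; "-" means a
    non-browser client, which a CSRF page cannot produce, so it is not flagged."""
    return origin not in ("-", "") and origin not in TRUSTED_ORIGINS


def find_suspicious(lines):
    """POSTs to the sensitive endpoints carrying an untrusted Origin."""
    hits = []
    for line in lines:
        rec = parse(line)
        if rec and rec["method"] == "POST" and rec["path"] in SENSITIVE and foreign_origin(rec["origin"]):
            hits.append(rec)
    return hits


def find_chains(hits):
    """Pair a foreign-origin refresh with a later validate/code call from the
    same client IP inside CHAIN_WINDOW: the full exploit sequence."""
    by_ip = defaultdict(list)
    for h in hits:
        by_ip[h["ip"]].append(h)
    chains = []
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        for i, r in enumerate(recs):
            if r["path"] != "/api/v1/refresh":
                continue
            for later in recs[i + 1:]:
                if later["path"] == "/api/v1/validate/code" and later["ts"] - r["ts"] <= CHAIN_WINDOW:
                    chains.append({"ip": ip, "origin": r["origin"],
                                   "refresh_at": r["ts"], "code_exec_at": later["ts"]})
                    break
    return chains


if __name__ == "__main__":
    hits = find_suspicious(SAMPLE_LOG.splitlines())
    for h in hits:
        print(f"suspicious {h['method']} {h['path']} from {h['ip']} origin={h['origin']} at {h['ts']:%H:%M:%S}")
    for c in find_chains(hits):
        print(f"CHAIN: {c['ip']} via {c['origin']} refresh {c['refresh_at']:%H:%M:%S} -> code exec {c['code_exec_at']:%H:%M:%S}")
```

A single foreign-origin refresh is worth an alert on its own; the paired hit is the one to treat as a confirmed compromise and to follow with the credential rotation in step 3. Because the flagged IP is the victim’s, the useful pivot is the victim’s user account and the flows it owns, not the address.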

The Hard Lesson for AI Security

The intersection of AI and cybersecurity keeps producing the same class of vulnerabilities. CVE-2025-34291 isn’t just a Langflow problem. It’s a preview of what happens when the AI industry’s velocity collides with the fundamentals of web application security. Permissive CORS defaults, missing CSRF protections, and unsandboxed code execution are not novel vulnerabilities — they’re the same mistakes the web security community has been documenting for over a decade. The difference is scale and blast radius.

AI agent platforms are becoming the new control plane for enterprise operations. They hold credentials to every system they touch. They execute arbitrary code. They process sensitive data. And too many of them are deployed with the security posture of a weekend hackathon project. The 19-month gap between the first community report of a code execution flaw in Langflow and the initial patch tells you everything about where security ranks in the AI tooling ecosystem.

If your organization is building on AI agent frameworks — Langflow, AutoGPT, CrewAI, or any of the dozens of alternatives — apply the same scrutiny you would to any other credential-handling service. Audit CORS configurations. Enforce CSRF protections. Assume the credentials stored in these platforms are high-value targets, because they are. And plan for the next CVE, because it’s coming. Cookie-based authentication bypasses, like the PAN-OS forged cookie vulnerability, and credential theft via misconfigured platforms share the same root cause: trust placed in tokens without adequate origin validation.
