CVE-2025-34291

What is Langflow?

Langflow is a popular open-source visual framework for building AI agent workflows and multi-agent pipelines. It provides a drag-and-drop interface for connecting large language models (LLMs), tools, vector databases, and custom Python components into automated flows. Organizations use Langflow to build RAG (Retrieval-Augmented Generation) pipelines, chatbots, and autonomous AI agents. Because Langflow deployments often have access to API keys for LLM providers (OpenAI, Anthropic, etc.), internal data sources, and external tools, and because Langflow includes a built-in endpoint for executing arbitrary Python code (used for custom component validation), a compromise of a Langflow instance can result in exposure of high-value API credentials and full system access under the service account running Langflow.

Overview

CVE-2025-34291 is an origin validation error in Langflow that chains three configuration weaknesses into a cross-origin account takeover leading to remote code execution. An attacker controls a malicious webpage; when a Langflow user visits it, the page silently makes a cross-origin request to the victim's Langflow instance that steals a valid access token — without requiring the user to click anything beyond visiting the page. With the token, the attacker calls Langflow's code execution endpoint to run arbitrary Python as the Langflow server process.

Discovered by researchers Fenix Qiao and Shuyang Wang of Obsidian Security and publicly disclosed on December 5, 2025. Active exploitation was confirmed by CrowdSec beginning January 23, 2026. CISA added it to KEV on May 21, 2026. The recommended fix is upgrading to Langflow v1.9.3.

Affected Versions

Technical Details

CWE-346 (Origin Validation Error). The vulnerability is a three-component chain in Langflow's default configuration:

1. Overly permissive CORS: Langflow's default CORS configuration allows all origins (allow_origins='*') while also permitting credentials. The combination of wildcard origin with credentials — which browsers normally reject — was handled permissively by Langflow's FastAPI/Starlette configuration, allowing cross-origin credentialed requests to succeed.

2. SameSite=None on the refresh token cookie: The refresh_token_lf cookie was set with SameSite=None; Secure, which causes browsers to include it automatically on cross-origin requests. This was intended to support legitimate cross-site embedding use cases but makes the cookie available to any cross-origin attacker.

3. No CSRF protection on /api/v1/refresh: The token refresh endpoint authenticates using only the cookie and performs no CSRF token validation or Origin header check. A cross-origin POST from any domain with the victim's cookie attached succeeds and returns a fresh access_token and refresh_token pair to the attacker's JavaScript.

Attack flow:

1. Victim visits attacker-controlled webpage while logged into Langflow
2. Attacker's JavaScript fires a cross-origin POST to https://victim-langflow/api/v1/refresh — browser includes the refresh_token_lf cookie automatically
3. Langflow returns a fresh access token to the attacker's page
4. Attacker uses the access token to POST arbitrary Python to /api/v1/validate/code — Langflow's built-in code execution endpoint for validating custom components
5. Arbitrary Python executes as the Langflow server process, achieving full system compromise and access to all stored API keys and secrets

The /api/v1/validate/code endpoint exists to support Langflow's visual editor feature for writing custom Python components and is legitimately needed — but it executes real Python, making it an RCE vector once an attacker has a valid token. This endpoint was separately exploited in earlier campaigns via CVE-2025-3248 (pre-auth RCE in older Langflow versions, exploited by the Flodric botnet).

Discovery

Discovered by Fenix Qiao (handle: 13ph03nix) and Shuyang Wang of Obsidian Security. Reported to Langflow via GitHub security issue and HackerOne on July 29, 2025. CVE assigned October 23, 2025. Public disclosure with full technical write-up published by Obsidian Security on December 5, 2025.

Exploitation Context

Active exploitation was observed by CrowdSec beginning January 23, 2026 — approximately seven weeks after public disclosure. CrowdSec described the campaign as "probably being orchestrated at a professional scale" and noted that attack traffic originated from residential IP ranges, consistent with use of victim machines (or residential proxy networks) as the cross-origin attack origin. No specific threat actor has been named.

Langflow has been a sustained target for attackers since mid-2025. CVE-2025-3248 (a separate pre-auth RCE in /api/v1/validate/code in Langflow < 1.3.0) was exploited by the Flodric botnet beginning in June 2025, with Trend Micro documenting the campaign. A third CVE (CVE-2026-33017) affecting Langflow was also being tracked by runZero in 2026, indicating continued attacker investment in the Langflow ecosystem.

The high-value nature of Langflow deployments — API keys for OpenAI, Anthropic, and other providers; connections to internal databases; autonomous agent credentials — makes them attractive targets beyond simple shell access.

Remediation

1. Upgrade to Langflow v1.9.3 or later — this is the fully hardened version with corrected CORS defaults, SameSite=Lax on the refresh cookie, and additional SSRF protections.
2. For versions 1.6.0–1.8.x: Set LANGFLOW_CORS_ORIGINS environment variable to an explicit allowlist of permitted origins (e.g., LANGFLOW_CORS_ORIGINS=https://your-langflow-domain.com) rather than the wildcard default. Also set LANGFLOW_REFRESH_SAME_SITE=lax to harden the refresh cookie.
3. Do not expose Langflow directly to the internet without authentication — place it behind a reverse proxy with strong authentication (SSO/MFA) and restrict access to known-good networks.
4. Rotate all API keys stored in Langflow (OpenAI, Anthropic, vector database credentials, etc.) if the instance was potentially accessible from the internet between December 2025 and the time of remediation.
5. Review Langflow server logs for unexpected calls to /api/v1/refresh or /api/v1/validate/code from unknown IP addresses or at unusual times as indicators of exploitation.
6. Also patch CVE-2025-3248 if running Langflow < 1.3.0 — the Flodric botnet actively exploited that pre-auth RCE and unpatched instances may already be compromised.