[CDP-development] TLP:Green (Vulnerability Alert Notification) CVE-2025-34291: Langflow Origin Validation Error Vulnerability

Thu May 21 14:04:53 PDT 2026

 Good afternoon,

The State of Oregon SOC Services team is reporting on the vulnerability CVE-2025-34291: Langflow Origin Validation Error Vulnerability, affecting Cross-Origin / Remote Internal System Access. Because of active exploitation in the wild confirmed by threat intelligence feeds, targeting exposed enterprise AI pipeline orchestrators to compromise upstream cloud environments and sensitive integrated API tokens, we are providing this in-depth information.

History: This vulnerability was publicly disclosed and detailed on December 5, 2025 by researchers at Obsidian Security. The CVSS v3.x base score is 8.8 (HIGH) as assigned by VulnCheck.
Affected Versions

  *   Langflow versions up to and including 1.6.9

Fixed Versions

  *   Langflow version 1.7.0 and later

Langflow is a modular, low-code visual framework built on Python and FastAPI, designed for assembling multi-agent AI platforms, advanced Retrieval-Augmented Generation (RAG) applications, and large language model pipelines.

Vendor Advisory: Langflow Open-Source Repository Release Notes & Security Commit Updates<https://github.com/langflow-ai/langflow>

Intelligence: On May 21, 2026, CISA has listed the vulnerability in the Known Exploited Vulnerabilities Catalog.

Exploitability: Network
Complexity: Low
User Interaction: Required
Remotely Exploitable: Yes
Proof of Concept: Publicly Available
Zero Day: No

Workarounds: Harden configurations by overriding environment variables: set LANGFLOW_CORS_ALLOW_CREDENTIALS to False to completely block authenticated cross-site resource delivery; Explicitly restrict cross-origin request definitions by modifying LANGFLOW_CORS_ORIGINS to an explicit array of fully verified, trusted internal hosts instead of using default configurations; Enforce zero-trust architectures or isolate the Langflow administration dashboard strictly behind an authenticated VPN or zero-trust network access barrier
How it Works: The exploit chain exploits two deeply connected session management and request routing errors. First, the application framework relies on a highly permissive Cross-Origin Resource Sharing policy where allow_origins is configured as an unmitigated wildcard asterisk (*) while explicitly permitting allow_credentials=True. Second, the platform handles authentication tracking by writing a session refresh token cookie marked with a SameSite=None attribute, forcing modern user browsers to forward it during third-party request context switches. When an authenticated platform administrator visits a malicious or hijacked external webpage, attacker-controlled JavaScript executes an asynchronous cross-origin API call targeting the local or internal Langflow authentication refresh endpoint (/api/v1/refresh). Because of the SameSite configuration, the browser implicitly passes along the administrator's legitimate session cookie. Langflow receives the valid cookie, verifies it against the permissive CORS policy, and delivers fresh access and refresh token pairs back to the attacker-controlled origin. The attacker then extracts these active authorization tokens to call the platform's native runtime validation API endpoint (/api/v1/validate/code), which executes arbitrary Python commands natively to gain a persistent interactive terminal shell on the underlying host system
Post-Exploit Impact:

  *   Account Takeover via Session Token Hijacking (CWE-346: Origin Validation Error)
  *   Remote Code Execution via Native Python Code Execution APIs (CWE-94: Improper Control of Generation of Code (Code Injection))

Indicators of Compromise (IoCs):
Type
Value
Description / Notes
Source
HTTP Request Pattern
Anomalous POST or GET traffic targeting /api/v1/refresh followed rapidly by code execution payload structures at /api/v1/validate/code
Anomalous authorization sequence wherein single authorization tokens are refreshed and immediately leveraged across radically disparate geographic regions or residential IP ranges within compressed time windows
CrowdSec Intelligence Network / SentinelOne Deployment Labs
Tenable Plugins: As of May 21, 2026, Tenable has not provided plugins for this vulnerability and there are no plugins currently in the plugin pipeline.
Recommended Actions:

Date Added to KEV Catalog: 05/21/2026
Due Date for Remediation: 06/04/2026

  *   Upgrade all production and development deployments of Langflow to version 1.7.0 or greater immediately
  *   Audit all deployment logs for unauthorized connections, looking closely for downstream third-party cloud keys or API access tokens that may have been compromised out of the Langflow environment workspace storage during exploitation
  *   Verify host has not been compromised before applying patches.
  *   Apply appropriate updates provided by the vendor to vulnerable systems after testing.
  *   Run all software as a non-privileged user to reduce the impact of a successful attack.
  *   Apply the Principle of Least Privilege to all systems and services.

EIS Security Operations Center
Enterprise Information Services
Cyber Security Services | CSS
SOC Hotline: (503) 378-5930
SOC at EIS.OREGON.GOV<mailto:SOC at EIS.OREGON.GOV>
[cid:image004.png at 01DCE929.969C5130] [cid:image003.png at 01DCE929.969C5130]

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://omls.oregon.gov/pipermail/cdp-development/attachments/20260521/834d01eb/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image003.png
Type: image/png
Size: 32625 bytes
Desc: image003.png
URL: <https://omls.oregon.gov/pipermail/cdp-development/attachments/20260521/834d01eb/attachment-0002.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image004.png
Type: image/png
Size: 280765 bytes
Desc: image004.png
URL: <https://omls.oregon.gov/pipermail/cdp-development/attachments/20260521/834d01eb/attachment-0003.png>