The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical vulnerability in Langflow — a widely adopted open-source platform for building AI-driven workflows — to its Known Exploited Vulnerabilities (KEV) Catalog, confirming active exploitation in the wild and mandating immediate remediation for all federal agencies.
Tracked as CVE-2025-34291, the flaw was added to the KEV catalog on May 21, 2026, and stems from a misconfigured Cross-Origin Resource Sharing (CORS) policy combined with a dangerous cookie configuration — a combination that can give attackers full, silent access to a victim’s authenticated Langflow session.
Understanding the Vulnerability
The flaw is categorized as a CWE-346 Origin Validation Error. Langflow’s overly permissive CORS configuration, when combined with a session refresh token cookie set to SameSite=None, allows malicious websites to perform authenticated cross-origin requests on behalf of a logged-in user — without the user’s awareness or consent.
In practice, the attack chain unfolds as follows:
- An attacker creates or compromises a malicious webpage
- A victim who is currently authenticated to Langflow visits this page
- Because of the flawed CORS configuration, the victim’s browser automatically includes authentication credentials in cross-origin requests sent to the Langflow backend
- The attacker can silently interact with Langflow’s API, particularly the refresh token endpoint
- Once refresh tokens are obtained, the attacker can generate new access tokens, maintain persistent access, and interact with all authenticated endpoints
Why This Is Especially Dangerous for AI Deployments
Langflow is not a generic web application — it is a framework specifically designed to connect and orchestrate AI workflows, APIs, language models, and cloud services. Organizations often use it to build production pipelines involving sensitive data, business logic, and external integrations.
This means a successful exploitation of CVE-2025-34291 can give attackers access to much more than a single account. Depending on the Langflow deployment, attackers could:
- Access and exfiltrate data processed by AI pipelines
- Manipulate workflow logic or inject malicious instructions into automated processes
- Escalate privileges within connected cloud environments
- Pivot to integrated systems including databases, APIs, and third-party services
- Achieve full system compromise in environments where Langflow runs with elevated permissions
CISA Mandatory Remediation Deadline
Under Binding Operational Directive (BOD) 22-01, Federal Civilian Executive Branch (FCEB) agencies are required to remediate this vulnerability by the mandated due date. Non-federal organizations are also strongly encouraged to treat this as a high-priority remediation given confirmed exploitation activity in the wild.
Recommended Mitigations
CISA and security researchers strongly advise organizations using Langflow to take the following immediate actions:
- Apply vendor patches immediately — update to the latest version of Langflow that addresses CVE-2025-34291
- Restrict CORS configurations — review and limit allowed origins to explicitly trusted domains only; never use wildcard (*) CORS policies in production
- Reconfigure sensitive cookies — avoid using
SameSite=Nonefor authentication tokens and refresh cookies unless strictly necessary - Implement CSRF protections — add CSRF tokens and enforce strict origin validation on all state-changing API endpoints
- Monitor for suspicious activity — review logs for unusual cross-origin requests, unexpected token refreshes, or anomalous API access patterns
- Isolate or disable Langflow — if patches are unavailable or mitigations cannot be applied, CISA recommends discontinuing use of the affected Langflow instance
Broader Implications for AI Platform Security
The addition of CVE-2025-34291 to the KEV catalog is a significant signal: as AI platforms like Langflow become deeply embedded in enterprise workflows, they become high-value targets for attackers. Unlike traditional web applications, compromised AI orchestration platforms can provide attackers with access to entire data pipelines and automated business processes.
Security teams should audit all AI tooling in their environment for similar misconfigurations — particularly around CORS policies, cookie security attributes, and API authentication flows. Organizations that have not yet deployed enterprise controls around their AI workflow tools should treat this as an urgent wake-up call.
The vulnerability underscores that security fundamentals — proper origin validation, secure cookie attributes, and API authentication hygiene — remain critical even for cutting-edge AI infrastructure.
Source: Cyber Security News, May 22, 2026