Langflow CVE-2025-34291: Token Hijack and RCE Added to CISA KEV

Stephanie Adlam

CISA added Langflow CVE-2025-34291 to its Known Exploited Vulnerabilities catalog on May 21, 2026, giving teams until June 4 to apply mitigations or stop using vulnerable deployments [3]. This is not a simple “open admin panel” bug. It is a browser-to-application chain where a malicious webpage can abuse permissive CORS handling and refresh-token behavior to make credentialed cross-origin requests.

Obsidian Security described the issue in December 2025 as a critical account takeover path that can lead to remote code execution in the Langflow AI agent workflow platform [1]. VulnCheck tracks the affected range as Langflow 1.6.9 and earlier, with default deployment behavior exposed to the token-hijack path [2]. Langflow’s 1.9.3 release is referenced by CISA as part of the remediation trail [4].

Why this chain is dangerous

The attack combines web-session trust with an application feature that can execute code by design. Obsidian’s write-up describes three combined weaknesses: permissive CORS, missing CSRF protection around token refresh behavior, and access to a code-validation path. If an authenticated Langflow user visits a malicious webpage, the attacker may be able to use that browser session to take over the account and reach code execution.

The impact is larger than a single Langflow login. Langflow often sits close to AI workflows, API keys, model credentials, data connectors, and automation tasks. A compromised instance can expose downstream services connected through the workspace. That is why teams should treat remediation as both a patching task and a credential review.

Who should treat this as urgent?

  • Public or semi-public Langflow deployments running 1.6.9 or earlier.
  • Instances where users authenticate from ordinary browsers that can also visit external websites.
  • Deployments connected to cloud APIs, model providers, SaaS tokens, databases, or internal tools.
  • Reverse-proxy setups that do not tightly control allowed origins and credentialed browser requests.

What exposed Langflow owners should check

Start with version and exposure. Upgrade to a fixed release, review reverse-proxy CORS behavior, and invalidate sessions that may have been active during the exposure window. Then review access logs for token refresh activity and authenticated API calls that do not match normal user flow.

Do not treat this as only a server-side patch item. A lure page plus a live browser session can be enough to turn a configuration weakness into account takeover. If the instance had access to sensitive connectors, rotate API keys and tokens that Langflow could reach.
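One way to do the log review described above, as an added example that is not Langflow's or the advisory's code: it scans access logs for successful requests to the token-refresh and code-validation endpoints that carry an Origin other than the deployment's own. It assumes a combined-format log extended with the Origin header as the last quoted field, an assumed deployment origin, and assumed endpoint paths; the sample lines are constructed.

```python
"""Flag cross-origin calls to sensitive Langflow endpoints in access logs.

Added example, not Langflow's code. Assumed: a combined-format log extended
with the Origin header as the last quoted field, and the endpoint paths below.
"""
import re

# Constructed sample lines ("-" = header absent). Same-origin traffic, then
# two calls that a lure page in the same browser could trigger, then a
# lookalike origin that a prefix-based allowlist would wrongly accept.
SAMPLE_LOG = """\
10.0.0.5 - - [20/May/2026:09:12:01 +0000] "POST /api/v1/refresh HTTP/1.1" 200 512 "https://langflow.internal.example/" "Mozilla/5.0" "https://langflow.internal.example"
10.0.0.5 - - [20/May/2026:09:12:03 +0000] "GET /api/v1/flows/ HTTP/1.1" 200 8192 "https://langflow.internal.example/" "Mozilla/5.0" "https://langflow.internal.example"
10.0.0.5 - - [20/May/2026:11:40:17 +0000] "POST /api/v1/refresh HTTP/1.1" 200 512 "https://lure.example.net/" "Mozilla/5.0" "https://lure.example.net"
10.0.0.5 - - [20/May/2026:11:40:18 +0000] "POST /api/v1/validate/code HTTP/1.1" 200 96 "https://lure.example.net/" "Mozilla/5.0" "https://lure.example.net"
10.0.0.7 - - [20/May/2026:13:02:44 +0000] "POST /api/v1/refresh HTTP/1.1" 200 512 "-" "Mozilla/5.0" "https://langflow.internal.example.attacker.net"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*" "(?P<origin>[^"]*)"$'
)

TRUSTED_ORIGINS = {"https://langflow.internal.example"}  # assumed deployment origin
SENSITIVE_PATHS = ("/api/v1/refresh", "/api/v1/validate/")  # assumed Langflow paths

def parse_line(line):
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def is_suspicious(rec):
    """Successful request to a sensitive path from an untrusted origin.
    Origins are matched exactly: prefix or regex allowlists are how lookalike
    origins slip through. An absent Origin ("-") means a non-browser client or
    a same-origin GET, neither of which is this browser-driven chain."""
    if not rec["path"].startswith(SENSITIVE_PATHS):
        return False
    if rec["origin"] == "-" or rec["origin"] in TRUSTED_ORIGINS:
        return False
    return rec["status"].startswith("2")

def find_cross_origin_hits(log_text):
    return [(r["ts"], r["ip"], r["origin"], r["path"])
            for r in map(parse_line, log_text.splitlines())
            if r and is_suspicious(r)]

if __name__ == "__main__":
    for hit in find_cross_origin_hits(SAMPLE_LOG):
        print("cross-origin call to sensitive path:", hit)
```

Hits from the same client IP within seconds of a normal session are the ones to correlate with the session and token rotation steps below.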

What to do after patching

  1. Upgrade Langflow and confirm the running service is not using an older container or stale virtual environment.
  2. Limit allowed origins at the proxy and application layer.
  3. Expire active sessions and refresh tokens.
  4. Review workflow history, custom components, and code-validation activity.
  5. Rotate credentials stored in Langflow or reachable from connected workflows.

This also fits the broader pattern we covered in ChromaDB CVE-2026-45829: AI-adjacent tools are valuable targets because they often connect to sensitive workflow context. Patch the platform, then rotate secrets that the platform could reach through connected components.

Teams that run AI workflow builders should also review the newer Flowise CVE-2026-40933 chatflow import RCE, because it shows how AI orchestration tools can expose stored credentials when workflow templates are trusted too quickly.

References

  1. Obsidian Security, “CVE-2025-34291: Critical Account Takeover and RCE Vulnerability in the Langflow AI Agent Workflow Platform,” published December 5, 2025, updated December 11, 2025.
  2. VulnCheck, “Langflow CORS Misconfiguration to Token Hijack and RCE,” December 5, 2025.
  3. CISA, Known Exploited Vulnerabilities catalog entry for CVE-2025-34291, added May 21, 2026.
  4. Langflow, GitHub release v1.9.3.