Executive Summary
CVE-2025-34291 is an origin validation error vulnerability in Langflow, the popular open-source AI workflow automation platform. The flaw stems from an overly permissive CORS (Cross-Origin Resource Sharing) configuration combined with a refresh token cookie configured as SameSite=None, allowing a malicious webpage to perform cross-origin requests that include user credentials and successfully call the refresh endpoint.
CISA added this vulnerability to its Known Exploited Vulnerabilities (KEV) catalog on May 21, 2026, confirming active exploitation in the wild. Organizations running Langflow for AI workflow orchestration — particularly those with publicly accessible instances — face elevated risk of session hijacking.
Vulnerability Details
| Attribute | Value |
|---|---|
| CVE ID | CVE-2025-34291 |
| Severity | High |
| CWE | CWE-346 — Origin Validation Error |
| Vendor | Langflow |
| Product | Langflow |
| CISA KEV Added | May 21, 2026 |
| Exploitation Status | Actively exploited in the wild |
Technical Analysis
Root Cause
Langflow's authentication system issues refresh tokens stored as browser cookies with the SameSite=None attribute. This attribute is intended for cross-site cookie sharing (e.g., embedded content), but when combined with Langflow's overly permissive CORS policy, it creates an attack pathway:
- SameSite=None — the refresh token cookie is sent with cross-origin requests
- Permissive CORS — Langflow's CORS configuration does not adequately restrict which origins can make credentialed requests
- Refresh endpoint exposure — an attacker-controlled page can trigger a cross-origin request to Langflow's /refresh endpoint, and the browser will automatically include the victim's refresh token cookie
The attacker receives a valid new access token from Langflow's server, effectively taking over the authenticated session without ever directly stealing the cookie value.
Attack Scenario
1. Victim is authenticated to a Langflow instance and visits a malicious webpage
2. Malicious page sends a cross-origin fetch() to https://victim-langflow.example.com/refresh
3. Browser automatically attaches the SameSite=None refresh token cookie
4. Langflow's permissive CORS policy allows the request and returns a new access token
5. Attacker receives the access token and gains full access to the victim's Langflow session
6. Attacker can read/modify AI workflows, extract API credentials stored in Langflow, and pivot
Why Langflow Is High-Value
Langflow is widely used to build and orchestrate AI agents and pipelines. A compromised Langflow session exposes:
- AI workflow definitions — proprietary logic, prompt engineering, and automation flows
- Stored API credentials — keys for OpenAI, Anthropic, vector databases, and other integrated services
- Connected data sources — Langflow pipelines frequently process sensitive documents and structured data
- Model configurations — fine-tuning parameters and system prompts
Impact Assessment
| Area | Risk |
|---|---|
| Session Hijacking | Full authenticated access to the victim's Langflow instance |
| Credential Theft | API keys stored in Langflow workflows are accessible to the attacker |
| Data Exfiltration | Workflow inputs, outputs, and processed documents exposed |
| Workflow Tampering | Attacker can modify or sabotage AI pipelines |
| Lateral Movement | Compromised API keys enable attacks on downstream services |
Remediation
Immediate Actions
- Apply the vendor patch — update Langflow to the version that addresses CVE-2025-34291 per the vendor's security advisory
- Restrict CORS origins — configure Langflow to only allow requests from explicitly trusted origins
- Rotate all stored API credentials — any API keys stored in Langflow should be rotated, particularly if the instance was publicly accessible
- Audit access logs — review Langflow access logs for unexpected cross-origin refresh token requests
Network Controls
- Restrict Langflow access to VPN or internal networks — do not expose Langflow instances directly to the internet
- Implement authentication at the reverse proxy layer — require SSO or client certificate authentication before Langflow is reachable
- Monitor for anomalous session refresh activity — alert on refresh token usage from unexpected IP addresses or user agents
Cookie Security Hardening
Review and apply the following cookie security attributes to all session-related cookies:
- SameSite=Strict or SameSite=Lax (not None) for authentication cookies
- HttpOnly to prevent JavaScript access
- Secure to ensure HTTPS-only transmission
- Explicit domain binding to prevent subdomain token theft
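To check a deployment for the two conditions the Root Cause section describes (a SameSite=None refresh cookie, and CORS that grants credentialed access to an untrusted origin), here is an added Python audit helper; it is not Langflow's own code. It takes the response headers captured from a cross-origin request to the /refresh endpoint; the sample headers, the `refresh_token` cookie name and the hostnames are constructed placeholders.

```python
from typing import Dict, List, Tuple

def parse_set_cookie(header: str) -> Tuple[str, Dict[str, object]]:
    """Split a Set-Cookie header into (name, lower-cased attribute map); flags map to True."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name = parts[0].partition("=")[0]
    attrs: Dict[str, object] = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.lower()] = val.lower() if val else True
    return name, attrs

def audit_refresh_response(headers: Dict[str, List[str]],
                           request_origin: str, site_origin: str) -> List[str]:
    """Findings for one response to a cross-origin /refresh request. headers: lower-cased
    name -> values; request_origin: Origin the browser sent; site_origin: Langflow's own origin."""
    findings: List[str] = []
    acao = headers.get("access-control-allow-origin", [""])[0]
    creds = headers.get("access-control-allow-credentials", [""])[0].lower() == "true"
    # Browsers refuse "*" on credentialed requests, so the dangerous CORS shape is an
    # untrusted Origin reflected back together with Allow-Credentials: true.
    cors_open = creds and acao == request_origin and request_origin != site_origin
    if cors_open:
        findings.append(f"CORS reflects untrusted origin {request_origin} with credentials")
    none_cookies: List[str] = []
    for raw in headers.get("set-cookie", []):
        name, attrs = parse_set_cookie(raw)
        same_site = attrs.get("samesite")
        if same_site == "none":
            none_cookies.append(name)
            findings.append(f"{name}: SameSite=None is sent on cross-site requests")
        elif same_site not in ("strict", "lax"):
            findings.append(f"{name}: SameSite missing; browser default is not guaranteed")
        for flag in ("httponly", "secure"):
            if flag not in attrs:
                findings.append(f"{name}: missing {flag}")
    if cors_open and none_cookies:  # both halves of the advisory's attack pathway are present
        findings.append("HIGH: credentialed cross-origin /refresh call would succeed via "
                        + ", ".join(none_cookies))
    return findings

# Constructed sample responses (not captured from a real instance); hostnames are placeholders.
ATTACKER, SITE = "https://attacker.example", "https://langflow.example.com"
WEAK_RESPONSE = {"access-control-allow-origin": [ATTACKER], "access-control-allow-credentials": ["true"],
                 "set-cookie": ["refresh_token=r1; Path=/; Secure; SameSite=None"]}
HARDENED_RESPONSE = {"access-control-allow-origin": [SITE], "access-control-allow-credentials": ["true"],
                     "set-cookie": ["refresh_token=r1; Path=/; HttpOnly; Secure; SameSite=Strict"]}
```

Running `audit_refresh_response(WEAK_RESPONSE, ATTACKER, SITE)` yields the HIGH finding; the hardened response yields none, and a SameSite=None cookie behind a correctly restricted CORS policy yields only the cookie-level findings.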
CISA KEV Entry
CISA added CVE-2025-34291 to the KEV catalog on May 21, 2026:
| Field | Value |
|---|---|
| Vendor/Project | Langflow |
| Product | Langflow |
| Vulnerability Name | Langflow Origin Validation Error Vulnerability |
| Date Added | 2026-05-21 |
| Required Action | Apply mitigations per vendor instructions or discontinue use if mitigations are unavailable |