
CVE-2025-34291

Origin-validation flaw (CVSS 9.4) in Langflow combining permissive CORS, missing CSRF protection and a code-execution endpoint.

Last refreshed: 29 May 2026

Key Question

Why does a flaw in an AI workflow tool score CVSS 9.4 when most web app bugs score far lower?

Timeline for CVE-2025-34291

#5, 21 May

Mentioned in: AI orchestration flaw joins CISA's KEV

Common Questions
What is CVE-2025-34291 and why does it score so highly?
CVE-2025-34291 is a CVSS 9.4 flaw in Langflow that combines permissive CORS headers, absent CSRF protection, and a code-execution endpoint. The high score reflects unauthenticated remote exploitability and the ability to harvest all API tokens stored in the pipeline. Source: CISA KEV, May 2026
Which threat actor is exploiting the Langflow vulnerability?
MuddyWater, an Iran-nexus group attributed to Iran's Ministry of Intelligence (MOIS), was documented exploiting CVE-2025-34291 for initial access in a March 2026 threat analysis. Source: Threat intelligence, March 2026
How do I know if my Langflow installation is vulnerable to CVE-2025-34291?
Any internet-facing Langflow installation running an unpatched version is vulnerable. Apply the vendor patch, restrict access to internal networks only, and rotate all API tokens stored in active pipelines as a precaution. Source: event

Background

CVE-2025-34291 is a critical origin-validation vulnerability in the Langflow open-source LLM pipeline builder, rated CVSS 9.4. The flaw combines three compounding weaknesses: permissive CORS headers that allow cross-origin requests from arbitrary domains, the absence of CSRF token enforcement, and the presence of a code-execution API endpoint that is intentional by product design but becomes catastrophically exploitable when the access controls collapse. An unauthenticated remote attacker can exploit the combination to execute arbitrary code on the Langflow server and access any downstream service tokens stored in active pipelines.
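To make the three compounding weaknesses concrete, here is an added example (not Langflow's code and not from the original briefing) of the defender-side checks that break the chain: an audit of CORS response headers against an untrusted Origin, strict allowlist-based origin validation, and constant-time CSRF token comparison. All header values, origins and tokens are constructed for the example.

```python
import hmac
from urllib.parse import urlsplit

# Constructed sample responses to a request carrying an Origin the server
# should NOT trust. A permissive deployment echoes it back with credentials.
PROBE_ORIGIN = "https://not-on-the-allowlist.example"
PERMISSIVE = {
    "Access-Control-Allow-Origin": PROBE_ORIGIN,
    "Access-Control-Allow-Credentials": "true",
}
HARDENED = {  # fixed, allowlisted origin only; Vary avoids cache poisoning
    "Access-Control-Allow-Origin": "https://langflow.internal.example",
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin",
}

def cors_findings(headers, probe_origin):
    """Findings for one response to a request that sent an untrusted Origin."""
    h = {k.lower(): v for k, v in headers.items()}
    acao = h.get("access-control-allow-origin", "")
    creds = h.get("access-control-allow-credentials", "").lower() == "true"
    findings = []
    if acao == "*":
        findings.append("wildcard origin")
    elif acao == "null":
        findings.append("null origin accepted")
    elif acao == probe_origin:
        findings.append("untrusted origin reflected")
    if findings and creds:  # cookies/credentials ride along cross-origin
        findings.append("credentials allowed cross-origin")
    return findings

def _canon(origin):
    """Normalise an origin to (scheme, host, port); None if malformed."""
    try:
        u = urlsplit(origin)
        port = u.port
    except ValueError:
        return None
    if u.scheme.lower() not in ("http", "https") or not u.hostname:
        return None
    if u.path not in ("", "/") or u.query or u.fragment:
        return None
    scheme = u.scheme.lower()
    return (scheme, u.hostname.lower(), port or (443 if scheme == "https" else 80))

def origin_allowed(origin, allowlist):
    """Exact-match origin validation: no suffix tricks, no 'null', no '*'."""
    c = _canon(origin)
    return c is not None and any(c == _canon(a) for a in allowlist)

def csrf_token_valid(session_token, submitted_token):
    """Constant-time comparison of the per-session CSRF token."""
    return bool(session_token) and hmac.compare_digest(session_token, submitted_token or "")
```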

CISA added CVE-2025-34291 to the Known Exploited Vulnerabilities catalogue on 21 May 2026. A March 2026 threat analysis documented the Iran-nexus group MuddyWater (MOIS-linked) using the flaw for initial access into targeted organisations. The combination of a CVSS 9.4 severity rating and attribution to a state-backed actor makes this among the higher-priority KEV additions of Q2 2026.

The CVSS 9.4 score reflects both unauthenticated remote exploitability and the breadth of potential impact: a Langflow server stores API tokens for every downstream LLM, database, and API it orchestrates. Compromise of a Langflow instance is therefore not bounded by the Langflow server itself but extends to every connected service. This token-harvesting dimension elevates the real-world blast radius significantly beyond what a single application compromise normally implies.
