ProductUS

Langflow

Open-source visual builder for assembling large-language-model agent pipelines; it aggregates API tokens for every downstream SaaS it connects, making it a high-value credential target.

Last refreshed: 29 May 2026 · Appears in 1 active topic

Key Question

Why is a flaw in an AI pipeline builder being exploited by a state-backed Iran group?

Timeline for Langflow

#521 May

AI orchestration flaw joins CISA's KEV

Cybersecurity: Threats and Defences

View full timeline →

Follow Cybersecurity: Threats and Defences →

Common Questions

What is CVE-2025-34291 in Langflow?: CVE-2025-34291 is a critical origin-validation flaw (CVSS 9.4) in Langflow combining permissive CORS headers, missing CSRF protection, and a code-execution endpoint, allowing unauthenticated Remote Code Execution. CISA added it to the KEV catalogue on 21 May 2026.Source: CISA KEV, May 2026
Who is exploiting the Langflow vulnerability?: Iran-nexus threat group MuddyWater, linked to Iran's Ministry of Intelligence, was documented exploiting CVE-2025-34291 for initial access in analysis published in March 2026.Source: Threat intelligence analysis, March 2026
How do I fix the Langflow CORS vulnerability?: Apply the vendor patch addressing CVE-2025-34291. Interim mitigations include restricting Langflow instances to internal networks only, disabling unauthenticated access to the code-execution endpoint, and rotating any API tokens stored in active pipelines.Source: event
Is Langflow safe to use on the internet?: Internet-facing Langflow instances running unpatched versions are at high risk. CVE-2025-34291 allows unauthenticated code execution, and the flaw is confirmed as actively exploited by a state-sponsored group. Restrict to internal networks until patched.Source: event

Background

Langflow is an open-source, low-code visual development environment for building pipelines that chain together large language model components, APIs, data sources, and custom code. Developed initially by Logspace and widely adopted by teams building AI agent workflows, it provides a drag-and-drop interface that lets developers wire together LLM calls, vector stores, and downstream service integrations without writing full application code. Because pipelines can store API tokens and secrets for connected services, a compromise of Langflow equates to a pivot point into everything the pipeline touches.

In May 2026, CVE-2025-34291 — an origin-validation error combining permissive CORS headers, absent CSRF protection, and a code-execution endpoint by design — was confirmed as actively exploited. CISA added it to the Known Exploited Vulnerabilities catalogue on 21 May 2026 with a CVSS score of 9.4. Analysis published in March 2026 documented the Iran-nexus group MuddyWater (MOIS-linked, also known as Static Kitten) using the flaw for initial access.

Langflow's exploitation underscores a structural risk in the rapid adoption of AI orchestration tooling: products designed to execute code and hold credentials by design carry a significantly higher blast radius than conventional web applications. Security teams deploying AI pipelines in internal or internet-facing environments must treat them with the same rigour applied to CI/CD or secrets-management infrastructure.

Source Material

CISA Known Exploited Vulnerabilities Catalogue Langflow — GitHub repository

How the World Sees Them

Iran

MuddyWater's documented use of the flaw for initial access fits its established pattern of leveraging commodity tools and newly disclosed CVEs to target Middle Eastern and Western infrastructure.

United States

CISA's KEV listing mandates federal patching within 21 days; broader AI tool adoption in government and defence contractors makes Langflow-class orchestration flaws a priority concern.

Enterprise security teams

The incident signals that AI orchestration platforms must be treated as critical infrastructure: isolated, credential-scoped, and patched on the same cycle as database and CI/CD tooling.