
Langflow
Open-source visual builder for assembling large-language-model agent pipelines; it aggregates API tokens for every downstream SaaS it connects, making it a high-value credential target.
Last refreshed: 29 May 2026 · Appears in 1 active topic
Why is a flaw in an AI pipeline builder being exploited by a state-backed Iran group?
Timeline for Langflow
Mentioned in: A quiet KEV fortnight, then a 2008 bug
Cybersecurity: Threats and DefencesAI orchestration flaw joins CISA's KEV
Cybersecurity: Threats and DefencesWhat is CVE-2025-34291 in Langflow?
Who is exploiting the Langflow vulnerability?
How do I fix the Langflow CORS vulnerability?
Background
Langflow is an open-source, low-code visual development environment for building pipelines that chain together large language model components, APIs, data sources, and custom code. Developed initially by Logspace and widely adopted by teams building AI agent workflows, it provides a drag-and-drop interface that lets developers wire together LLM calls, vector stores, and downstream service integrations without writing full application code. Because pipelines can store API tokens and secrets for connected services, a compromise of Langflow equates to a pivot point into everything the pipeline touches.
In May 2026, CVE-2025-34291 — an origin-validation error combining permissive CORS headers, absent CSRF protection, and a code-execution endpoint by design — was confirmed as actively exploited. CISA added it to the Known Exploited Vulnerabilities catalogue on 21 May 2026 with a CVSS score of 9.4. Analysis published in March 2026 documented the Iran-nexus group MuddyWater (MOIS-linked, also known as Static Kitten) using the flaw for initial access.
Langflow's exploitation underscores a structural risk in the rapid adoption of AI orchestration tooling: products designed to execute code and hold credentials by design carry a significantly higher blast radius than conventional web applications. Security teams deploying AI pipelines in internal or internet-facing environments must treat them with the same rigour applied to CI/CD or secrets-management infrastructure.