CISA Adds Critical Langflow Vulnerability (CVE-2025-34291) to KEV Catalog Following Active Exploitation

CISA has officially added CVE-2025-34291 to its Known Exploited Vulnerabilities (KEV) catalog, marking a critical turning point for AI infrastructure security. The flaw is an origin validation vulnerability affecting the Langflow platform. According to technical analysis by Obsidian Security, as reported by The Hacker News, the threat carries a CVSS score of 9.4. The inclusion in the KEV catalog on May 21, 2026, was driven by evidence of active exploitation in the wild, shifting the bug from a theoretical risk to an immediate operational threat.

The "Required Action" mandate issued by the federal agency is a binding directive for Federal Civilian Executive Branch (FCEB) agencies. These organizations are required to apply necessary mitigations by the June 4, 2026, deadline. The attack vector is particularly dangerous because it does not stop at compromising the local Langflow instance; it specifically targets the exfiltration of stored access tokens and API keys, enabling cascading breaches across integrated cloud and SaaS services within the AI workflow.

Key Vulnerability Highlights
  • CISA added CVE-2025-34291 to the KEV Catalog on May 21, 2026, confirming active exploits against the Langflow platform.
  • The vulnerability is classified as CWE-346 (Origin Validation Error) with a CVSS 4.0 vector indicating maximum impact on confidentiality and integrity.
  • Technical analysis reveals the attack chains three weaknesses: permissive CORS policies, the absence of CSRF protection, and a built-in code execution endpoint.
  • The primary impact involves the theft of non-human identities, including API keys and tokens used to connect Langflow to external databases and LLMs.
  • FCEB agencies have until June 4, 2026, to complete remediation actions as specified by the CISA directive.

From CWE Classification to Federal KEV Directive

CVE-2025-34291 has seen a rapid escalation within the AI security landscape. The National Vulnerability Database (NVD) identifies it as an "Origin Validation Error" (CWE-346), assigning it a technical vector of CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H. This indicates that the attack can be launched over the network with low complexity and no prior privileges, requiring only minimal interaction from an authenticated user.

The inclusion in the KEV catalog is a significant development, as CISA only catalogs vulnerabilities with confirmed evidence of malicious use. "CISA has added two new vulnerabilities to the Known Exploited Vulnerabilities catalog, based on evidence of active exploitation," the agency stated on May 21, 2026. For U.S. government organizations, this mandates immediate intervention, typically involving upgrading to patched versions or disabling the vulnerable endpoints.

Langflow’s central role in modern automation increases the stakes. As a tool for building AI agent graphs, the platform manages sensitive data flows and deep integrations. An origin validation flaw allows an attacker to bypass browser security controls, sending unauthorized commands that execute within the context of a legitimate user session, leading to a full compromise of the orchestration system.

The Technical Chain: Chaining CORS, CSRF, and Execution Endpoints

The effectiveness of the CVE-2025-34291 exploit stems from the chaining of three structural weaknesses identified in a December 2025 report by Obsidian Security. The first element is an overly permissive Cross-Origin Resource Sharing (CORS) configuration. This weakness allows scripts from external domains to interact with the Langflow instance, violating the Same-Origin Policy intended to isolate web applications.

The second link in the chain is the lack of Cross-Site Request Forgery (CSRF) protection. Without valid CSRF tokens, the application cannot distinguish between a legitimate request from the UI and a forged request sent in the background while the user visits a malicious site. In this scenario, the victim's browser becomes the unwitting vehicle for the attacker's payload directed at the Langflow server.

"The exploit leverages three combined weaknesses: overly permissive CORS, lack of CSRF protection, and an endpoint that allows code execution by design." — Obsidian Security (via The Hacker News)

Finally, the presence of an endpoint designed for arbitrary code execution completes the chain. Because Langflow must allow developers to test scripts and node logic, this functionality is necessary for its operation. However, without rigorous validation of the request's origin and source, this endpoint becomes an open door for remote code execution (RCE) by external actors.
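The first two links of the chain, seen from the server side, as an added example that is not Langflow's code or the vendor's fix: a permissive CORS decision next to an exact-match allowlist, plus an Origin check on cookie-authenticated writes. The allowlisted origin and all function names are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Constructed value: the one origin that serves the Langflow UI in this sketch.
ALLOWED_ORIGINS = {"https://langflow.example.internal"}
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}

def weak_cors_headers(origin):
    """Permissive pattern: echo any Origin back and allow credentials."""
    if not origin:
        return {}
    return {"Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true"}

def normalize_origin(origin):
    """Return lowercase scheme://host[:port], or None if not a plain origin."""
    try:
        parts = urlsplit(origin or "")
    except ValueError:
        return None
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return None
    if parts.path or parts.query or parts.fragment or "@" in parts.netloc:
        return None
    return f"{parts.scheme}://{parts.netloc}".lower()

def strict_cors_headers(origin):
    """Exact-match allowlist: unknown origins get no CORS headers at all."""
    norm = normalize_origin(origin)
    if norm not in ALLOWED_ORIGINS:
        return {}
    return {"Access-Control-Allow-Origin": norm,
            "Access-Control-Allow-Credentials": "true",
            "Vary": "Origin"}  # keep caches from reusing it for another origin

def allow_state_change(method, origin, uses_session_cookie):
    """CSRF gate enforced by the server, independent of browser CORS checks."""
    if method.upper() in SAFE_METHODS:
        return True
    if not uses_session_cookie:
        return True  # e.g. API-key clients: no ambient browser credential to ride
    # Cookie-authenticated write: Origin must be present and allowlisted.
    return normalize_origin(origin) in ALLOWED_ORIGINS
```

The exact-match comparison matters: a prefix or substring test would accept a look-alike host that merely starts with the trusted name.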

Supply Chain Impact and the Theft of Non-Human Identities

The primary danger of CVE-2025-34291 lies not just in the control of the Langflow instance, but in its ability to serve as a pivot into the broader corporate cloud infrastructure. To function, Langflow requires integrations with numerous API keys (OpenAI, Anthropic, vector databases like Pinecone or Milvus, and AWS/Azure cloud services). These credentials are often stored directly within the workspace or platform configuration files.

"The impact is severe: successful exploitation not only compromises the Langflow instance but also exposes all sensitive access tokens and API keys stored in the workspace." — Obsidian Security (via The Hacker News)

Once access is gained via the origin validation exploit, an attacker can systematically exfiltrate these secrets. These API keys and tokens represent non-human identities that often possess elevated privileges and are rarely subject to frequent rotation or multi-factor authentication. Their theft enables a cascading compromise across all connected services, allowing attackers to move laterally through the victim's cloud environment.

This attack follows a broader trend of threats targeting the AI supply chain. Developer environments and workstations have become priority targets. If an orchestration platform like Langflow is breached, the attacker isn't just hitting a single application—they are compromising the control center governing the data flow and business intelligence of the entire organization.

Mitigation and Response Strategies

  • Inventory Langflow Instances: Identify every installation of the platform within the corporate network, paying close attention to instances exposed publicly or accessible via unprotected proxies.
  • Apply Patches and Mitigations: In compliance with the CISA directive for FCEB agencies, update Langflow to the latest version that addresses CWE-346 or implement the vendor-recommended CORS restrictions.
  • Immediate Secret Rotation: Rotate all API keys, access tokens, and database credentials stored in potentially exposed Langflow workspaces and monitor logs for anomalous access patterns.
  • Restrict Network Access: Isolate Langflow instances behind a VPN or an Identity-Aware Proxy (IAP), limiting allowed origins and implementing granular controls on inbound requests.

The Strategic Importance for AI Security

CISA’s decision to focus on CVE-2025-34291 highlights a new frontier in cyber risk: the security of AI pipelines. While much of the public discourse focuses on ethical risks or model "jailbreaking," infrastructure vulnerabilities like the Langflow flaw prove that classic attack vectors (such as CSRF and CORS) remain highly effective when applied to modern tools that may lack security-by-design maturity.

The Langflow case is a paradigm for how platform functionality (code execution for orchestration) can be turned against the user if not paired with rigorous message validation. In an ecosystem where service integrations are the norm, a single origin validation failure can lead to the total loss of control over an organization’s digital identities. The speed with which CISA mandated remediation underscores that the era of "theoretical" AI vulnerabilities is over.

The incident also draws attention to the critical need for monitoring non-human identities. If an exfiltrated API token is used by an attacker, it often fails to trigger traditional endpoint-based alarms, as the traffic appears to be legitimate cloud API usage. Protecting platforms like Langflow must therefore become a priority for security teams managing data-driven infrastructures and generative AI workflows.

Frequently Asked Questions

What is the actual risk for non-governmental organizations?

While the CISA order is only binding for FCEB federal agencies, its inclusion in the KEV confirms that the vulnerability is being actively exploited by cybercriminals. Any company using Langflow in production or development is exposed to the same risks of code execution and API key theft.

Does CVE-2025-34291 require an internal malicious user?

No. The flaw can be exploited remotely. A legitimate Langflow user only needs to be induced to visit a malicious webpage while having an active session on the platform. This is sufficient to trigger the CORS/CSRF chain and allow unauthorized commands to be sent from the user's browser to the server.

Why did CISA set a June 4, 2026, deadline?

The KEV catalog establishes remediation deadlines for FCEB agencies to ensure a timely response to critical threats. June 4, 2026, represents the final date by which agencies must have applied mitigations to eliminate the risk of active exploitation for CVE-2025-34291.

Is it possible to detect if an exploit has already occurred?

Detecting the abuse of CVE-2025-34291 can be complex because requests may appear legitimate in application logs. It is necessary to analyze server logs for anomalous CORS request patterns and monitor unusual activity involving the API keys registered within Langflow across external cloud services.
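One way to start the log review described above, as an added example rather than tooling from CISA, Obsidian Security or Langflow. It assumes a reverse proxy that writes JSON lines including the request's Origin header; the field names, paths, origins and log lines are all constructed for illustration.

```python
import json
from collections import defaultdict

TRUSTED_ORIGINS = {"https://langflow.example.internal"}  # constructed value
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}

# Constructed sample: JSON-lines proxy log that records the Origin header.
SAMPLE_LOG = """\
{"ts":"2026-05-20T09:14:02Z","method":"POST","path":"/api/example/flows","origin":"https://langflow.example.internal","status":200,"user":"alice"}
{"ts":"2026-05-20T09:31:40Z","method":"OPTIONS","path":"/api/example/run-code","origin":"https://unknown-site.example","status":204,"user":null}
{"ts":"2026-05-20T09:31:41Z","method":"POST","path":"/api/example/run-code","origin":"https://unknown-site.example","status":200,"user":"bob"}
{"ts":"2026-05-20T09:40:12Z","method":"POST","path":"/api/example/run-code","origin":"https://unknown-site.example","status":403,"user":"carol"}
{"ts":"2026-05-20T09:41:00Z","method":"GET","path":"/health","origin":null,"status":200,"user":null}
truncated-line-not-json
"""

def find_cross_origin_writes(log_text, trusted=TRUSTED_ORIGINS):
    """Group preflights and state-changing requests by untrusted Origin."""
    findings = defaultdict(list)
    for line in log_text.splitlines():
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip damaged lines instead of aborting the hunt
        if not isinstance(rec, dict):
            continue
        origin = (rec.get("origin") or "").lower()
        method = (rec.get("method") or "").upper()
        if not origin or origin in trusted:
            continue
        if method == "OPTIONS" or method in STATE_CHANGING:
            findings[origin].append(
                (rec.get("ts"), method, rec.get("path"), rec.get("status"), rec.get("user")))
    return dict(findings)

def sessions_to_review(findings):
    """Users whose session carried a cross-origin write the server accepted."""
    return sorted({user for events in findings.values()
                   for _, method, _, status, user in events
                   if user and method in STATE_CHANGING
                   and isinstance(status, int) and status < 400})
```

The users returned by `sessions_to_review` are the workspaces whose stored API keys and tokens should be rotated first and whose downstream cloud audit logs deserve a closer look.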

Information has been verified against cited sources and is current as of the time of publication.
