CVE-2025-34291: Langflow <= 1.6.9 CORS Misconfiguration to Token Hijack & RCE
Langflow versions up to and including 1.6.9 contain a chained vulnerability that enables account takeover and remote code execution. An overly permissive CORS configuration (allow_origins='*' with allow_credentials=True) combined with a refresh token cookie configured as SameSite=None allows a malicious webpage to perform cross-origin requests that include credentials and successfully call the refresh endpoint. An attacker-controlled origin can therefore obtain fresh access_token / refresh_token pairs for a victim session. Obtained tokens permit access to authenticated endpoints — including built-in code-execution functionality — allowing the attacker to execute arbitrary code and achieve full system compromise.
Security readout for executives and security teams
Plain-English summary
CVE-2025-34291 lets a malicious website hijack a logged-in Langflow user’s session and reach functionality that can run code on the Langflow host. CISA KEV listing indicates known exploitation. Organizations using Langflow should treat exposed or shared deployments as urgent until vendor-fixed and validated.
Executive priority
Immediate action is warranted for affected Langflow deployments. The issue is critical, has KEV-backed exploitation evidence, and can progress from session theft to remote code execution. Prioritize internet-facing and multi-user environments first.
Technical view
Langflow through 1.6.9 is described as allowing credentialed cross-origin requests with wildcard origins, while refresh tokens use SameSite=None cookies. A malicious origin can obtain fresh tokens for a victim session, access authenticated endpoints, and use built-in code-execution features for remote code execution.
Likely exposure
Highest risk applies to Langflow deployments up to and including 1.6.9 where authenticated users access the application in browsers, especially internet-accessible instances. Exploitation requires user interaction: a logged-in victim must load attacker-controlled web content.
Exploitation context
The source bundle marks this CVE as CISA KEV, so active exploitation is supported. The chain combines browser trust, token refresh behavior, and authenticated code-execution capability. No exploit instructions are needed to assess risk; compromise can include account takeover and host-level impact.
Researcher notes
The CVE description states versions up to 1.6.9 are affected, but the included affected metadata appears inconsistent. The provided sources do not name a specific fixed release. Validate against Langflow’s current vendor advisories and release notes before closing remediation.
Mitigation direction
Check Langflow vendor guidance and releases for the fixed version before upgrading.
Prioritize upgrading any Langflow version up to and including 1.6.9.
Restrict CORS origins to trusted domains only; do not combine wildcard origins with credentials.
Review refresh-token cookie settings against vendor guidance, especially SameSite behavior.
Limit Langflow exposure to trusted networks until remediated.
Rotate tokens and sessions after remediation if exposure is suspected.
Validation and detection
Inventory all Langflow deployments and confirm running versions.
Identify instances at or below version 1.6.9.
Inspect CORS settings for wildcard origins with credentials enabled.
Check refresh-token cookie attributes for SameSite=None.
Review logs for refresh requests from unexpected Origin headers.
Confirm whether each instance is listed in CISA KEV tracking workflows.
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cwe · low confidence lookup
CWE-346: Exact CWE lookup
Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
The CVE wording references code or command execution, so execution technique review may help defensive triage. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.
The CVE wording references authentication or credential exposure, so valid-account and credential-access review may help. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
Exploitation: activeAutomatable: noTechnical Impact: total
CVSS vector scores
1 official score
We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
CWE-346 · source CWE mapping
Origin Validation Error
Origin Validation Error represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.