LiveActive security incident?Get immediate response
CVE Record

CVE-2025-34291: Langflow <= 1.6.9 CORS Misconfiguration to Token Hijack & RCE

Langflow versions up to and including 1.6.9 contain a chained vulnerability that enables account takeover and remote code execution. An overly permissive CORS configuration (allow_origins='*' with allow_credentials=True) combined with a refresh token cookie configured as SameSite=None allows a malicious webpage to perform cross-origin requests that include credentials and successfully call the refresh endpoint. An attacker-controlled origin can therefore obtain fresh access_token / refresh_token pairs for a victim session. Obtained tokens permit access to authenticated endpoints — including built-in code-execution functionality — allowing the attacker to execute arbitrary code and achieve full system compromise.

CriticalCVSS 9.4Known exploitedUpdated
Glexia's TakeHuman reviewedcritical

Security readout for executives and security teams

Plain-English summary

CVE-2025-34291 lets a malicious website hijack a logged-in Langflow user’s session and reach functionality that can run code on the Langflow host. CISA KEV listing indicates known exploitation. Organizations using Langflow should treat exposed or shared deployments as urgent until vendor-fixed and validated.

Executive priority

Immediate action is warranted for affected Langflow deployments. The issue is critical, has KEV-backed exploitation evidence, and can progress from session theft to remote code execution. Prioritize internet-facing and multi-user environments first.

Technical view

Langflow through 1.6.9 is described as allowing credentialed cross-origin requests with wildcard origins, while refresh tokens use SameSite=None cookies. A malicious origin can obtain fresh tokens for a victim session, access authenticated endpoints, and use built-in code-execution features for remote code execution.

Likely exposure

Highest risk applies to Langflow deployments up to and including 1.6.9 where authenticated users access the application in browsers, especially internet-accessible instances. Exploitation requires user interaction: a logged-in victim must load attacker-controlled web content.

Exploitation context

The source bundle marks this CVE as CISA KEV, so active exploitation is supported. The chain combines browser trust, token refresh behavior, and authenticated code-execution capability. No exploit instructions are needed to assess risk; compromise can include account takeover and host-level impact.

Researcher notes

The CVE description states versions up to 1.6.9 are affected, but the included affected metadata appears inconsistent. The provided sources do not name a specific fixed release. Validate against Langflow’s current vendor advisories and release notes before closing remediation.

Mitigation direction

  • Check Langflow vendor guidance and releases for the fixed version before upgrading.
  • Prioritize upgrading any Langflow version up to and including 1.6.9.
  • Restrict CORS origins to trusted domains only; do not combine wildcard origins with credentials.
  • Review refresh-token cookie settings against vendor guidance, especially SameSite behavior.
  • Limit Langflow exposure to trusted networks until remediated.
  • Rotate tokens and sessions after remediation if exposure is suspected.

Validation and detection

  • Inventory all Langflow deployments and confirm running versions.
  • Identify instances at or below version 1.6.9.
  • Inspect CORS settings for wildcard origins with credentials enabled.
  • Check refresh-token cookie attributes for SameSite=None.
  • Review logs for refresh requests from unexpected Origin headers.
  • Confirm whether each instance is listed in CISA KEV tracking workflows.
Prepared
Reviewed
Confidence
medium
Sources
7

Michael Williams reviewed this cited source version on .

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cwe · low confidence lookup

CWE-346: Exact CWE lookup

Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.

Open ATT&CK lookup
description · low confidence lookup

Execution behavior lookup

The CVE wording references code or command execution, so execution technique review may help defensive triage. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.

Open ATT&CK lookup
description · low confidence lookup

Credential and access behavior lookup

The CVE wording references authentication or credential exposure, so valid-account and credential-access review may help. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.

Open ATT&CK lookup
cve · low confidence lookup

CVE-2025-34291 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
Critical
CVSS
9.4 (4.0)
Known Exploited
Yes
Published

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

1CVSS vectors
5Timeline events
1ADP providers
6Source links

CISA KEV status

Status
Known exploited
Source
CISA-ADP
Date added
KEV reference

SSVC decision data

CISA-ADPCISA Coordinator
Timestamp
Version
2.0.3
Exploitation: activeAutomatable: noTechnical Impact: total

CVSS vector scores

1 official score

We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.

ScoreVersionSeverityVectorExploitImpactSource
9.4CVSS 4.0CriticalCVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:HVulnCheck

Vulnerability scoring details

Base CVSS 4.0 score

9.4Critical
CVSS 4.0 vector shape for CVE-2025-34291Attack VectorAttack ComplexityAttack RequirementsPrivileges RequiredUser InteractionVS ConfidentialityVS IntegrityVS AvailabilitySS ConfidentialitySS IntegritySS Availability

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Attack Vector
NetworkAdjacentLocalPhysical
Attack Complexity
LowHigh
Attack Requirements
NonePresent
Privileges Required
NoneLowHigh
User Interaction
NonePassiveActive
VS Confidentiality
HighLowNone
VS Integrity
HighLowNone
VS Availability
HighLowNone
SS Confidentiality
HighLowNone
SS Integrity
HighLowNone
SS Availability
HighLowNone

Vulnerability timeline

Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.

  1. CVE reservedCVE Program

    The CVE ID was reserved by the assigning CNA.

  2. CVE publishedCVE Program

    The CVE record was published.

  3. Added to KEVCISA-ADP

    CISA Known Exploited Vulnerabilities metadata lists this CVE as known exploited.

  4. ADP timelineCISA-ADP

    CVE-2025-34291 added to CISA KEV

  5. CVE updatedCVE Program

    The CVE record metadata indicates this as the latest update time.

ADP provider summaries

CISA-ADPCISA ADP Vulnrichment
other:ssvcother:kev
  • 2026-05-21T00:00:00.000Z: CVE-2025-34291 added to CISA KEV
Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
LangflowLangflow0unaffected
Weakness

CWE details

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.

CWE-346 · source CWE mapping

Origin Validation Error

Origin Validation Error represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.