CVE-2025-34291 · HIGH 8.8 · CISA KEV · EPSS p97.7%

CVE-2025-34291: Langflow Origin Validation Error Vulnerability

Langflow / Langflow

Description

Langflow contains an origin validation error vulnerability in which an overly permissive CORS configuration combined with a refresh token cookie configured as SameSite=None allows a malicious webpage to perform cross-origin requests that include credentials and successfully call the refresh endpoint. This could allow the attacker to execute arbitrary code and achieve full system compromise via obtained tokens that permit access to authenticated endpoints.

Scoring

CVSS 3.1: 8.8 (HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 25.15% probability of exploitation · percentile 97.7% · 2026-06-18T12:00:27Z
Published: 2025-12-05
Last modified: 2026-05-22

CISA KEV entry

Added to KEV: 2026-05-21

Underlying weaknesses · 1

CWE-346 (Origin Validation Error)

References

  1. https://github.com/langflow-ai/langflow
  2. https://www.obsidiansecurity.com/blog/cve-2025-34291-critical-account-takeover-and-rce-vulnerability-in-the-langflow-ai-agent-workflow-platform
  3. https://www.vulncheck.com/advisories/langflow-cors-misconfiguration-to-token-hijack-and-rce
  4. https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-34291
  5. https://www.crowdsec.net/vulntracking-report/cve-2025-34291

Outgoing relations · 1

Type: Weakness · Target: Origin Validation Error (cwe-346) · Confidence: 0% · Tier: live

Incoming relations · 1

Type: KEVEntry · Target: Langflow Origin Validation Error Vulnerability (kev-cve-2025-34291) · Confidence: 0% · Tier: live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

  - CVE: Langflow Missing Authentication Vulnerability
  - CVE: Langflow Code Injection Vulnerability
  - CVE: CVE-2025-14279
  - CVE: CVE-2026-2611
  - CVE: CVE-2026-21445
  - CVE: CVE-2026-0768

Sourced from NVD + CISA KEV + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.