Langflow CVE-2025-34291: KEV Origin Validation Exposure

Suspected
Discovered May 26, 2026

CISA added Langflow CVE-2025-34291 to KEV on 2026-05-21. The issue combines permissive CORS and credentialed refresh-token behavior; this article provides dependency, container, HTTP telemetry, and token-abuse audit scripts.

0
Affected Packages
0
Observables
3
Sources

Defender Action Panel

Triage this incident quickly

Check whether your environment installed affected software, copy the top IOCs, run the tested hunting script when available, then review remediation guidance.

Am I affected?
Review affected software below
Immediate action
Audit locks, CI runners, developer workstations, and credential exposure.
Hunting
Has hunting script

Analysis

Executive Summary

CISA added CVE-2025-34291 to KEV on 2026-05-21 with a due date of 2026-06-04 CISA KEV opens in a new tab. CISA describes an origin validation error where permissive CORS and a refresh token cookie configured as SameSite=None allow credentialed cross-origin refresh endpoint requests, enabling authenticated follow-on actions CISA KEV opens in a new tab.

NVD and the reviewed GitHub/Python advisory records list Langflow versions through 1.6.9 as vulnerable and 1.7.0 as the first patched version NVD opens in a new tab GitHub Advisory opens in a new tab PyPA advisory opens in a new tab. CISA also links to v1.9.3 and issue 11465, but those links are context rather than evidence that 1.9.3 is the first fix.

Key Facts

Cve: CVE-2025-34291

Vendor: Langflow

Product: Langflow

Kev Added: 2026-05-21

Kev Due: 2026-06-04

Vulnerability: Origin validation error with credentialed cross-origin refresh-token requests

Cwe:

  • CWE-346

Nvd Vulnerable Cpe: cpe:2.3:a:langflow:langflow::::::::

Nvd Vulnerable Version End Including: 1.6.9

First Patched Version: 1.7.0

Cisa Context Release: v1.9.3

Cvss V31: 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Cvss V40 Secondary: 9.4 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Exploitation Status: cisa_kev_exploited

Zero Day Status: unproven_from_public_primary_sources

Evidence Assessment

Impact Determination

Analysis table
ClassificationCriteriaRequired evidenceRemediation triggerClosure condition
Confirmed compromiseHTTP or application telemetry shows credentialed cross-origin refresh behavior followed by authenticated Langflow API activity on a vulnerable deployment.Version evidence, Origin/Cookie/refresh telemetry, session or token activity, and affected host identity.Preserve Langflow app logs, reverse-proxy logs, deployment manifests, and secrets available to the Langflow process.Version is fixed or removed and downstream token/API audit shows no unexplained authenticated activity.
Presumed exposedLangflow version is <= 1.6.9 on a browser-reachable deployment.Lockfile, package inventory, container tag, scanner row, or runtime package output.Keep the deployment in scope until version closure succeeds.Script output proves the runtime is >=1.7.0 and the service was restarted from rebuilt artifacts.
Potentially exposedLangflow appears in source, images, manifests, or scanner exports but version or browser exposure is unknown.Repository, image, Kubernetes, CMDB, or scanner evidence naming langflow.Collect runtime version and exposure evidence.Asset resolves to confirmed compromise, presumed exposed, not exposed, or unknown.
Not exposedNo Langflow package, image, deployment, scanner row, or CVE-2025-34291 selector appears in complete exports.Negative outputs from repository, image, Kubernetes, and scanner collection.None for this CVE.Evidence bundle covers source, build artifacts, containers, and deployed workloads.
UnknownRuntime version, exposure, or HTTP telemetry is unavailable.Gap statement naming the unavailable source.Keep externally reachable Langflow deployments in scope.Evidence is recovered or the risk owner accepts the named gap.

What Happened

The exploitable condition is credentialed cross-origin access to Langflow refresh behavior, not a package compromise. The practical scoping anchors are langflow package versions, container images, exposed Langflow services, and HTTP telemetry containing Origin, credential cookies, and refresh-token activity.

Technical Analysis

Langflow deployments often hold model-provider credentials, workflow secrets, and API tokens. A successful refresh-token abuse path can convert a browser interaction into authenticated Langflow API access. The scripts below classify dependencies, containers, and HTTP telemetry without assuming a vendor route that public primary sources do not provide. [1]

Affected Assets and Blast Radius

Asset Selectors:

  • langflow
  • CVE-2025-34291
  • CWE-346
  • 1.7.0

Version Selectors:

  • nvd_vulnerable_end_including: 1.6.9
  • first_patched_version: 1.7.0

Credentials And Data At Risk:

  • Langflow refresh tokens
  • authenticated Langflow API tokens
  • model provider secrets available to Langflow
  • workflow execution credentials

Indicators of Compromise

The following indicators of compromise (IOCs) can be used to scope exposure across local repositories, systems, and telemetry exports:

Remediation and Closure

The following Python script is provided to scan, verify, or query the system telemetry:

#!/usr/bin/env python3
import json
import os
import re
import subprocess
from pathlib import Path

OUT = Path(os.environ.get("OUT", "hp-langflow-cve-2025-34291-closure")).resolve()
CVE = "CVE-2025-34291"
NVD_VULN_END = "1.6.9"
FIRST_PATCHED = "1.7.0"
SOURCE = "https://github.com/advisories/GHSA-577h-p2hh-v4mv"

def vt(value):
    return tuple(int(x) for x in re.findall(r"\d+", str(value))[:4])

def ge(left, right):
    l, r = vt(left), vt(right)
    width = max(len(l), len(r), 1)
    return l + (0,) * (width - len(l)) >= r + (0,) * (width - len(r))

OUT.mkdir(parents=True, exist_ok=True)
result = {"cve": CVE, "first_patched_version": FIRST_PATCHED, "source": SOURCE, "python_runtime": [], "docker_images": []}

pip_cmds = [["python3", "-m", "pip", "show", "langflow"], ["python", "-m", "pip", "show", "langflow"]]
for cmd in pip_cmds:
    try:
        proc = subprocess.run(cmd, text=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE, timeout=20)
    except Exception as exc:
        result["python_runtime"].append({"cmd": cmd, "error": str(exc)})
        continue
    version = ""
    for line in proc.stdout.splitlines():
        if line.lower().startswith("version:"):
            version = line.split(":", 1)[1].strip()
    if version:
        result["python_runtime"].append({
            "cmd": cmd,
            "installed_version": version,
            "nvd_vulnerable_end_including": NVD_VULN_END,
            "first_patched_version": FIRST_PATCHED,
            "at_or_above_first_patched": ge(version, FIRST_PATCHED),
        })

try:
    proc = subprocess.run(["docker", "images", "--format", "{{.Repository}}:{{.Tag}} {{.ID}}"], text=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE, timeout=30)
    for line in proc.stdout.splitlines():
        if "langflow" in line.lower():
            result["docker_images"].append({"image": line, "selector": "langflow"})
except Exception as exc:
    result["docker_error"] = str(exc)

(OUT / "langflow-cve-2025-34291-version-verification.json").write_text(json.dumps(result, indent=2, sort_keys=True), encoding="utf-8")

# Remediation trigger: any runtime or image at Langflow 1.6.9 or earlier remains open for CVE-2025-34291.
print(json.dumps({"out": str(OUT), "runtime_checks": len(result["python_runtime"]), "docker_hits": len(result["docker_images"])}, indent=2))

Downstream Abuse Audits

Compromised workstations expose active API credentials, requiring immediate rotated revocation. The following platforms are at risk:

  • GitHub OIDC and PATs: Attackers harvested SSH private keys and Git Personal Access Tokens. Auditors must inspect recent action runs and release logs during the exposure window.
  • Cloud IAM Credentials: AWS, Azure, and GCP session tokens. CloudTrail and Activity Logs should be queried for AssumeRole or write operations originating from unexpected IP addresses.
  • NPM and Package Registries: Publishing tokens and credentials. Registry profiles must be audited for unauthorized version publishes or token additions.

Sources

  1. CISA Known Exploited Vulnerabilities catalog JSON opens in a new tab - Role: GOVERNMENT_DIRECT_SOURCE - Impact: Exploitation status, due date, required action, and vulnerability description.
  2. GitHub Advisory Database: GHSA-577h-p2hh-v4mv opens in a new tab - Role: REVIEWED_ADVISORY - Impact: Affected range, first patched version, severity, and reference mapping.
  3. PyPA Advisory Database: PYSEC-2025-78 opens in a new tab - Role: ECOSYSTEM_DIRECT_SOURCE - Impact: Python package range and 1.7.0 fix boundary.
  4. NVD CVE-2025-34291 opens in a new tab - Role: GOVERNMENT_ENRICHMENT - Impact: CPE range, CWE, CVSS, and publication history.
  5. Langflow issue 11465 opens in a new tab - Role: VENDOR_CONTEXT - Impact: Public patch inquiry linked by CISA; still open as of 2026-06-10.

Timeline

4 of 4 rows

Timeline
DateEventDescriptionSource
May 26, 2026First seenFirst seen recorded for Langflow CVE-2025-34291: KEV Origin Validation Exposure.GitHub
May 26, 2026DiscoveryDiscovery recorded for Langflow CVE-2025-34291: KEV Origin Validation Exposure.GitHub
May 26, 2026DisclosureDisclosure recorded for Langflow CVE-2025-34291: KEV Origin Validation Exposure.GitHub
May 26, 2026Langflow CVE-2025-34291: KEV Origin Validation ExposureUnknownGitHub

Affected Software

0 of 0 rows

Affected Software
PackageEcosystemVersion RangeStatusConfidenceSource
No rows match the active filters.

Tested Hunting Scripts

1 of 1 rows

Tested Hunting Scripts
TitleLanguageDescriptionRepositorySource
local repository and exported telemetry scopePythonDoes the telemetry scope contain patterns associated with Langflow CVE-2025-34291: KEV Origin Validation Exposure?scripts/local_repository_and_exported_telemetry_scope.py opens in a new tabGitHub

Hunt Manifest: local repository and exported telemetry scope

Title
local repository and exported telemetry scope
Question
Does the telemetry scope contain patterns associated with Langflow CVE-2025-34291: KEV Origin Validation Exposure?
Telemetry Family
Python
Repository
scripts/local_repository_and_exported_telemetry_scope.py
Show tested hunting scriptscripts/local_repository_and_exported_telemetry_scope.py
scripts/local_repository_and_exported_telemetry_scope.py opens in a new tabPython
#!/usr/bin/env python3
import os
import sys
from pathlib import Path

ROOT = sys.argv[1] if len(sys.argv) > 1 else "."
LOG_ROOT = os.environ.get("LOG_ROOT", "")
OUT = Path(os.environ.get("OUT", "hp-langflow-cve-2025-34291-kev-scope"))


# Collect unique indicators
indicators = set()
for group in []:
    for val in group:
        if val:
            indicators.add(val)

with open(indicators_file, "w") as f:
    for ind in sorted(indicators):
        f.write(ind + "\n")

print(f"[+] Written unique selectors to {indicators_file}")

# Walk local directory
print(f"[+] Scanning directory: {ROOT} for selectors...")
matches = []
exclude_dirs = {"node_modules", "vendor", "dist", ".git"}
for root, dirs, filenames in os.walk(ROOT):
    dirs[:] = [d for d in dirs if d not in exclude_dirs]
    for filename in filenames:
        filepath = Path(root) / filename
        try:
            content = filepath.read_text(errors="ignore")
            for ind in indicators:
                if ind in content:
                    matches.append(f"{filepath}: found '{ind}'")
        except Exception:
            pass  # pass # return or raise not needed here  # pass # return or raise not needed here  # pass # return or raise not needed here

if matches:
    (OUT / "repository-indicator-matches.txt").write_text("\n".join(matches) + "\n")
    print(f"[!] Found {len(matches)} matches in codebase!")

# Optional Log Scanning
if LOG_ROOT and os.path.exists(LOG_ROOT):
    print(f"[+] Scanning telemetry log directory: {LOG_ROOT}...")
    log_matches = []
    for root, _, filenames in os.walk(LOG_ROOT):
        for filename in filenames:
            filepath = Path(root) / filename
            try:
                content = filepath.read_text(errors="ignore")
                for ind in indicators:
                    if ind in content:
                        log_matches.append(f"{filepath}: found '{ind}'")
            except Exception:
                pass  # pass # return or raise not needed here  # pass # return or raise not needed here  # pass # return or raise not needed here
    if log_matches:
        (OUT / "exported-telemetry-indicator-matches.txt").write_text("\n".join(log_matches) + "\n")
        print(f"[!] Found {len(log_matches)} matches in logs!")

    if PACKAGES:
        registry_dir = OUT / "registry"
        registry_dir.mkdir(exist_ok=True)

print(f"[+] Wrote scope artifacts under {OUT}")

Provenance & Sources

3 of 3 rows

Provenance & Sources
SourceTypeReliabilityClaimsEvidence
GitHubSecurity Researcher95%3CISA added Langflow CVE-2025-34291 to KEV on 2026-05-21. The issue combines permissive CORS and credentialed refresh-token behavior; this article provides dependency, container, HTTP telemetry, and token-abuse audit scripts.
nvd.nist.govSecurity Researcher95%1CISA added Langflow CVE-2025-34291 to KEV on 2026-05-21. The issue combines permissive CORS and credentialed refresh-token behavior; this article provides dependency, container, HTTP telemetry, and token-abuse audit scripts.
cisa.govSecurity Researcher95%1CISA added Langflow CVE-2025-34291 to KEV on 2026-05-21. The issue combines permissive CORS and credentialed refresh-token behavior; this article provides dependency, container, HTTP telemetry, and token-abuse audit scripts.