Langflow CVE-2025-34291 exploitation

Summary

CISA added CVE-2025-34291 for Langflow to the Known Exploited Vulnerabilities catalog on May 21, 2026, citing evidence of active exploitation. The flaw is an origin-validation / cross-site request weakness in Langflow that can allow a malicious webpage to perform credentialed cross-origin requests, refresh tokens, and reach authenticated code-execution functionality.

The Hacker News' coverage cites earlier reporting that an Iranian state-sponsored group, MuddyWater, exploited CVE-2025-34291 to obtain initial access. Treat this as an AI-agent/workflow-platform compromise path: successful exploitation can expose Langflow workspace tokens and API keys, then cascade into downstream SaaS, cloud, model-provider, data-store, and automation integrations.

Why this matters

  • Langflow-style AI workflow platforms often concentrate credentials for LLM providers, databases, SaaS APIs, vector stores, automation tools, and cloud resources.
  • The exploitation path does not need a traditional phishing payload delivered to the server itself; Obsidian describes a browser-mediated chain where a victim visiting a malicious page can trigger credentialed cross-origin requests against a reachable Langflow instance.
  • CISA KEV inclusion means exploitation is no longer theoretical and remediation should be prioritized like an active initial-access vector.
  • Actor reporting ties at least some exploitation to MuddyWater, so exposed Langflow instances belong in Iran-nexus intrusion triage, especially where AI or automation workspaces bridge into production credentials.

Reported exploitation chain

  1. Langflow accepted credentialed cross-origin requests too broadly while refresh-token cookies were usable cross-site.
  2. The token refresh path lacked sufficient CSRF protection, letting an attacker-controlled page obtain usable authentication state through the victim browser.
  3. Authenticated access could then reach a Langflow endpoint that executes code by design.
  4. Compromise of the workspace can expose stored integration tokens, API keys, and downstream service credentials, enabling follow-on cloud/SaaS intrusion.

Defender heuristics

  • Patch or upgrade Langflow per vendor guidance; CISA lists v1.9.3 as a relevant release reference for CVE-2025-34291.
  • Inventory internet- and intranet-reachable Langflow deployments, especially those reachable from user browsers through VPN, ZTNA, or developer networks.
  • Rotate Langflow-stored tokens after suspected exposure; do not treat application patching as enough if secrets were reachable from the workspace.
  • Review Langflow logs, reverse-proxy logs, and identity-provider events for suspicious refresh-token use, unexpected cross-origin requests, new flows/components, code-validation activity, and outbound connections following browser visits.
  • Hunt downstream services for use of tokens stored in Langflow around the exposure window, including cloud API calls, SaaS export activity, repository/package-registry actions, and model-provider API usage spikes.
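
One way to run the reverse-proxy part of that log review, as an added example that is not code from Langflow, CISA, or the cited reports: it flags token refreshes that arrive with an untrusted Origin header and raises the severity when a code-validation request from the same client follows. The endpoint paths, the trusted origin, the log format, and the per-client-IP correlation are assumptions to adapt to your deployment, and the log lines are constructed.

```python
import re
from datetime import datetime, timedelta

# Assumptions to confirm per deployment: the two endpoint paths, the trusted
# origin, and a proxy log format that records the Origin request header.
REFRESH_PATH = "/api/v1/refresh"
CODE_PATH = "/api/v1/validate/code"
TRUSTED_ORIGINS = {"https://langflow.corp.example"}
WINDOW = timedelta(minutes=10)
LINE_RE = re.compile(
    r'(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) origin="(?P<origin>[^"]*)"')

# Constructed sample lines, not taken from a real incident.
SAMPLE_LOG = """\
10.0.4.17 [2026-05-20T09:14:02+00:00] "POST /api/v1/refresh HTTP/1.1" 200 origin="https://langflow.corp.example"
10.0.4.22 [2026-05-20T09:31:40+00:00] "POST /api/v1/refresh HTTP/1.1" 200 origin="https://untrusted.example"
10.0.4.22 [2026-05-20T09:31:44+00:00] "POST /api/v1/validate/code HTTP/1.1" 200 origin="https://untrusted.example"
10.0.4.30 [2026-05-20T10:02:11+00:00] "POST /api/v1/refresh HTTP/1.1" 403 origin="https://other.example"
10.0.4.41 [2026-05-20T11:20:05+00:00] "POST /api/v1/refresh HTTP/1.1" 200 origin="https://untrusted.example"
malformed line that the parser must skip
"""

def parse(line):
    m = LINE_RE.match(line)
    if not m:
        return None  # skip lines that do not match the expected format
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    rec["path"] = rec["path"].split("?", 1)[0].rstrip("/")
    return rec

def hunt(log_text):
    """Flag token refreshes sent with an untrusted Origin and rank them."""
    events = sorted(filter(None, map(parse, log_text.splitlines())),
                    key=lambda r: r["ts"])
    findings = []
    for ev in events:
        # No Origin header means a non-browser client; out of scope for this check.
        if ev["path"] != REFRESH_PATH or ev["origin"] in TRUSTED_ORIGINS | {"", "-"}:
            continue
        if not ev["status"].startswith("2"):
            severity = "low"      # cross-origin refresh was rejected
        elif any(o["ip"] == ev["ip"] and o["path"] == CODE_PATH
                 and timedelta(0) <= o["ts"] - ev["ts"] <= WINDOW for o in events):
            severity = "high"     # refresh succeeded, code validation followed
        else:
            severity = "medium"   # refresh succeeded, no follow-up seen
        findings.append((severity, ev["ip"], ev["origin"], ev["ts"].isoformat()))
    return findings
```

Calling `hunt(SAMPLE_LOG)` returns one tuple per flagged refresh: severity, client IP, Origin value, and timestamp.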

Sources

  • CISA KEV catalog entry and alert: https://www.cisa.gov/news-events/alerts/2026/05/21/cisa-adds-two-known-exploited-vulnerabilities-catalog
  • CISA KEV JSON: https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
  • Obsidian Security CVE-2025-34291 analysis: https://www.obsidiansecurity.com/blog/cve-2025-34291-critical-account-takeover-and-rce-vulnerability-in-the-langflow-ai-agent-workflow-platform
  • The Hacker News: https://thehackernews.com/2026/05/cisa-adds-exploited-langflow-and-trend.html