CVE-2025-34291 — Langflow AI Workflow Platform: CORS misconfiguration + SameSite=None refresh token enables cross-origin token theft (CISA KEV, ITW, Flodric botnet)
Part of run 2026-05-22-5b90d5a1 (intel · Claude Sonnet 4.6)
CVE-2025-34291 (CVSS 4.0: 9.4 / CVSS 3.1: 8.8, CWE-942 Overly Permissive CORS) affects Langflow <= 1.6.9. The platform's default CORS policy (allow_origins='*' with allow_credentials=True) combined with the refresh token cookie configured as SameSite=None allows any malicious webpage to perform cross-origin requests with the authenticated victim's credentials, reaching /api/v1/auth/refresh to obtain access tokens and subsequently calling all authenticated endpoints — including Langflow's code-execution functionality. Exploitation requires only victim browser navigation to an attacker-controlled page; no prior access needed (T1190 Exploit Public-Facing Application). First confirmed exploitation: 2026-01-23; Trend Micro documented Flodric botnet deployment through compromised Langflow instances. CISA added CVE-2025-34291 to KEV on 2026-05-21. Fixed: Langflow 1.7.0 (restrictive CORS default) and 1.9.3 (explicit fix). Block internet exposure of Langflow instances; enforce HTTPS-only with explicit CORS allowlists; hunt for anomalous subprocess execution from the Langflow process tree (Sysmon EID 1, parent langflow-backend or uvicorn).
“CVE-2025-34291 (CVSS 4.0: 9.4 / CVSS 3.1: 8.8, CWE-942 Overly Permissive CORS) affects Langflow <= 1.6.9.” — ctipilot v2 brief (migrated)
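The two conditions the brief describes (a foreign origin accepted with Access-Control-Allow-Credentials, plus a refresh cookie carrying SameSite=None) can be checked from response headers alone. The following is an added audit helper, not Langflow project code; it assumes only the endpoint path and remediation named above, and the probe origin, cookie name and sample responses are constructed for illustration. It also returns the CORSMiddleware settings that match the brief's "explicit CORS allowlist, HTTPS-only" remediation.

```python
"""Offline audit helpers for the CVE-2025-34291 pattern (added example, not
Langflow project code).  They encode only what the brief states: a CORS
policy that accepts any origin *and* allows credentials, combined with a
refresh-token cookie set with SameSite=None.  Cookie names, sample headers
and the probe origin are constructed for illustration."""
import urllib.error
import urllib.request
from dataclasses import dataclass, field
from http.cookies import SimpleCookie
from typing import Dict, Iterable, List, Tuple

# Constructed: any origin the server should NOT trust works as the probe.
PROBE_ORIGIN = "https://untrusted-probe.example"


@dataclass
class CorsFinding:
    credentialed_cross_origin: bool      # foreign origin accepted with credentials
    refresh_cookie_samesite_none: bool   # refresh cookie would ride along cross-site
    notes: List[str] = field(default_factory=list)

    @property
    def vulnerable(self) -> bool:
        # Both conditions are needed for the cross-origin token theft the brief describes.
        return self.credentialed_cross_origin and self.refresh_cookie_samesite_none


def evaluate_cors(headers: Dict[str, str], probe_origin: str = PROBE_ORIGIN) -> Tuple[bool, List[str]]:
    """Decide whether response headers let `probe_origin` read a credentialed response."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    acao = h.get("access-control-allow-origin", "")
    acac = h.get("access-control-allow-credentials", "").lower() == "true"
    notes: List[str] = []
    if not acao:
        notes.append("no Access-Control-Allow-Origin: browser blocks cross-origin reads")
        return False, notes
    if not acac:
        notes.append(f"ACAO={acao!r} but credentials not allowed: cookies stay out of the request")
        return False, notes
    if acao == probe_origin:
        notes.append("untrusted Origin reflected with Allow-Credentials: true (the KEV pattern)")
        return True, notes
    if acao == "*":
        # Browsers refuse '*' together with credentials, but the policy is still
        # wildcard+credentials; frameworks commonly reflect the Origin instead when
        # the request carries a Cookie, so retest with one before calling it safe.
        notes.append("wildcard ACAO with credentials: retest with a Cookie header")
        return False, notes
    notes.append(f"ACAO={acao!r}: explicit allowlist, probe origin not trusted")
    return False, notes


def refresh_cookie_is_samesite_none(set_cookie_values: Iterable[str]) -> bool:
    """True if any cookie whose name mentions 'refresh' carries SameSite=None.
    (Matching on 'refresh' is an assumption; adjust to the real cookie name.)"""
    for raw in set_cookie_values:
        jar = SimpleCookie()
        jar.load(raw)
        for name, morsel in jar.items():
            if "refresh" in name.lower() and morsel["samesite"].lower() == "none":
                return True
    return False


def audit(headers: Dict[str, str], set_cookie_values: Iterable[str],
          probe_origin: str = PROBE_ORIGIN) -> CorsFinding:
    cross, notes = evaluate_cors(headers, probe_origin)
    return CorsFinding(cross, refresh_cookie_is_samesite_none(set_cookie_values), notes)


def probe_instance(base_url: str, probe_origin: str = PROBE_ORIGIN) -> CorsFinding:
    """Live self-check of an instance you operate: unauthenticated GET to the refresh
    endpoint named in the brief with a foreign Origin, then audit the reply.  A 401
    still carries the CORS and Set-Cookie headers, which is all that matters here."""
    req = urllib.request.Request(base_url.rstrip("/") + "/api/v1/auth/refresh",
                                 headers={"Origin": probe_origin})
    try:
        resp = urllib.request.urlopen(req, timeout=10)
    except urllib.error.HTTPError as err:
        resp = err  # HTTPError exposes .headers just like a normal response
    return audit(dict(resp.headers.items()), resp.headers.get_all("Set-Cookie") or [], probe_origin)


def hardened_cors_kwargs(allowlist: List[str]) -> dict:
    """Keyword arguments for Starlette/FastAPI CORSMiddleware matching the brief's
    remediation: explicit HTTPS origins, never '*', whenever credentials are allowed."""
    bad = [o for o in allowlist if o == "*" or not o.startswith("https://")]
    if bad:
        raise ValueError(f"refusing non-HTTPS or wildcard origins with credentials: {bad}")
    return {"allow_origins": allowlist, "allow_credentials": True,
            "allow_methods": ["GET", "POST"], "allow_headers": ["Authorization", "Content-Type"]}


# Constructed sample responses (not captured from a real instance).
VULNERABLE_HEADERS = {"Access-Control-Allow-Origin": PROBE_ORIGIN,
                      "Access-Control-Allow-Credentials": "true", "Vary": "Origin"}
VULNERABLE_COOKIES = ["refresh_token_example=abc; Path=/; HttpOnly; Secure; SameSite=None"]
FIXED_HEADERS = {"Access-Control-Allow-Origin": "https://langflow.internal.example",
                 "Access-Control-Allow-Credentials": "true", "Vary": "Origin"}
FIXED_COOKIES = ["refresh_token_example=abc; Path=/; HttpOnly; Secure; SameSite=Lax"]

if __name__ == "__main__":
    for label, hdrs, cookies in (("vulnerable", VULNERABLE_HEADERS, VULNERABLE_COOKIES),
                                 ("fixed", FIXED_HEADERS, FIXED_COOKIES)):
        finding = audit(hdrs, cookies)
        print(label, "->", "VULNERABLE" if finding.vulnerable else "ok", finding.notes)
```

`probe_instance` is meant for an instance you operate, run before re-exposing it after the upgrade; note that a wildcard result is reported as "retest with a Cookie header" rather than safe, because a wildcard policy with credentials enabled is the misconfiguration even when a cookieless probe does not see the origin reflected.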
Action items
- Upgrade Langflow to >= 1.7.0 (or 1.9.3) — CVE-2025-34291 in CISA KEV (added 2026-05-21); Flodric botnet actively exploiting exposed Langflow instances via CORS token theft. If Langflow is internet-exposed, block access immediately and patch before re-exposing. Check the installed version with langflow --version; update via pip install langflow --upgrade.