CISA KEV Alert 5/21/2026, 8:11:45 PM

CISA warns of critical Langflow CVE-2025-34291 flaw under attack

Evidence summary: primary source cisa.gov (original reporting); listed in CISA KEV; patch status unknown.

CISA has added CVE-2025-34291 to its Known Exploited Vulnerabilities catalogue, effective 2026-05-21. The entry concerns the Langflow product from the vendor of the same name and is titled the Langflow Origin Validation Error Vulnerability. It involves an overly permissive CORS setting combined with a refresh-token cookie marked SameSite=None, which lets a malicious web page send cross-origin requests that carry the user's credentials and call the refresh endpoint.

The flaw is an origin validation error in Langflow’s refresh endpoint. By exploiting the misconfigured CORS policy and cookie attributes, an unauthenticated attacker can obtain a valid refresh token from a victim’s browser. With that token they can authenticate to Langflow’s API, execute arbitrary code and achieve full system compromise. The vulnerability is rated CVSS 9.4 (Critical). No patch is currently advertised by the vendor.

CISA's KEV listing confirms that the vulnerability is being actively exploited in the wild, with observed attacks using malicious web pages to steal refresh tokens. There is no public indication of ransomware use associated with this CVE. Federal agencies must complete remediation by 2026-06-04, the date set by CISA for this entry.

CISA requires affected Federal Civilian Executive Branch agencies to apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable. While the directive binds FCEB agencies, all organisations should review their Langflow deployments and any third-party components that embed the library for the described CORS and SameSite=None configuration, and apply the same mitigations where possible.
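The configuration review the advisory asks for can be automated against response headers captured from your own deployment. The helper below is an added example (not Langflow's, CISA's or NVD's code): it parses a Set-Cookie header and the CORS headers of a refresh-endpoint response and flags the pairing described above, namely an arbitrary Origin echoed back with Access-Control-Allow-Credentials: true alongside a SameSite=None cookie. The probe origin, the cookie name, the endpoint path and both header sets are constructed assumptions, not values from the advisory.

```python
"""Audit helper for the CORS + SameSite=None pairing described in the KEV entry.
Added example, not Langflow's, CISA's or NVD's code. The header samples are
constructed stand-ins for responses captured from your own deployment.
"""
from __future__ import annotations

# An origin you do not operate (assumed value). If the server echoes it back
# while allowing credentials, any site can make credentialed cross-origin calls.
UNTRUSTED_PROBE_ORIGIN = "https://untrusted.example"


def parse_set_cookie(header: str) -> dict:
    """Split a Set-Cookie header into {'name', 'value', <attr>...}.
    Attribute keys are lower-cased; flag attributes (Secure, HttpOnly) map to True."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    cookie = {"name": name.strip(), "value": value.strip()}
    for attr in parts[1:]:
        key, has_value, val = attr.partition("=")
        cookie[key.strip().lower()] = val.strip() if has_value else True
    return cookie


def reflects_untrusted_origin(headers: dict, probe_origin: str) -> bool:
    """True when the response permits credentialed requests from probe_origin.
    Browsers refuse 'Access-Control-Allow-Origin: *' together with credentials,
    so the dangerous case is the server reflecting an arbitrary Origin verbatim."""
    lower = {k.lower(): v for k, v in headers.items()}
    allow_origin = lower.get("access-control-allow-origin", "")
    allow_creds = lower.get("access-control-allow-credentials", "").lower() == "true"
    return allow_creds and allow_origin == probe_origin


def audit_refresh_response(headers: dict, set_cookie: str,
                           probe_origin: str = UNTRUSTED_PROBE_ORIGIN) -> list:
    """Return a list of findings; an empty list means the pairing is not present."""
    findings = []
    cookie = parse_set_cookie(set_cookie)
    cors_open = reflects_untrusted_origin(headers, probe_origin)
    cookie_cross_site = str(cookie.get("samesite", "")).lower() == "none"
    if cors_open:
        findings.append("CORS reflects an untrusted Origin with Allow-Credentials: true")
    if cookie_cross_site:
        findings.append(f"cookie '{cookie['name']}' is SameSite=None (sent on cross-site requests)")
    if cors_open and cookie_cross_site:
        findings.append("CRITICAL: a third-party page can make a credentialed "
                        "cross-origin call to the refresh endpoint and read the reply")
    if cookie_cross_site and not cookie.get("secure"):
        findings.append("SameSite=None cookie lacks Secure; browsers reject that combination")
    return findings


# Constructed sample: the weak configuration the advisory describes
# (cookie name "refresh_token" is a placeholder, not Langflow's real name).
WEAK_HEADERS = {
    "Access-Control-Allow-Origin": UNTRUSTED_PROBE_ORIGIN,  # request Origin echoed back
    "Access-Control-Allow-Credentials": "true",
}
WEAK_COOKIE = "refresh_token=<redacted>; Path=/; HttpOnly; Secure; SameSite=None"

# Constructed sample: hardened configuration (allow-listed origin, Lax cookie).
HARDENED_HEADERS = {
    "Access-Control-Allow-Origin": "https://langflow.internal.example",
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin",
}
HARDENED_COOKIE = "refresh_token=<redacted>; Path=/; HttpOnly; Secure; SameSite=Lax"

if __name__ == "__main__":
    for label, hdrs, ck in (("weak", WEAK_HEADERS, WEAK_COOKIE),
                            ("hardened", HARDENED_HEADERS, HARDENED_COOKIE)):
        print(label, audit_refresh_response(hdrs, ck) or ["no findings"])
```

Run it against the headers of a real preflight and refresh response from a test instance, sending an Origin you control but have not allow-listed; the hardened case should either omit Access-Control-Allow-Origin for that origin or return only an allow-listed value, and the refresh cookie should carry SameSite=Lax or Strict.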

For full details, see the NVD entry at https://nvd.nist.gov/vuln/detail/CVE-2025-34291 and the CISA KEV catalogue.


Article by CyberSIXT
