Langflow CORS exposure is a quiet AI-workflow data-path problem

CVE-2025-34291 went into CISA KEV on 2026-05-21. That moves it out of the theoretical pile.

The affected product is Langflow Langflow. CISA describes the issue as Langflow Origin Validation Error Vulnerability. In plainer terms: Langflow contains an origin validation error vulnerability in which an overly permissive CORS configuration combined with a refresh token cookie configured as SameSite=None allows a malicious webpage to perform cross-origin requests that include credentials and successfully call the refresh endpoint. This could allow the attacker to execute arbitrary code and achieve full system compromise via obtained tokens that permit access to authenticated endpoints.

The AI angle is not magic. It is ordinary application risk wrapped around unusually sensitive context and credentials.

Why it matters

AI workflow software now sits in the same conversation as API gateways, admin panels, and integration brokers. It may hold prompts, API keys, routing rules, cached context, and access to downstream systems. A routine web bug in that layer can become credential exposure or tool abuse quickly.

This is where vulnerability management often falls over. Teams record the CVE, ask for a patch date, and move on. That works for low-value software. It does not work for systems that manage identity, remote access, endpoints, build pipelines, network policy, backups, observability, or customer-facing applications.

The better question is what an attacker gets after exploiting it. Shell access is bad. Access to a management console, token store, CI runner, or edge controller is worse because it can turn one bug into a path through the estate.

First checks

Map where the service is deployed, whether it is reachable outside trusted admin networks, which secrets it stores, and whether prompts, tool calls, and API actions are logged well enough to reconstruct abuse.

Ask four questions before closing the ticket:

• Is it deployed anywhere, including old lab, DR, MSP, and vendor-managed environments?
• Is any instance reachable from the internet or a broad internal network?
• Which accounts, tokens, certificates, or integrations does it hold?
• Can the logs show exploitation attempts, successful use, and post-exploitation changes?

If one of those answers is missing, record that as a gap. Do not bury it in the patch ticket. Future incident responders will not appreciate the archaeological dig.

Hunt notes

Start with the boring evidence:

• new or rare administrator logins
• access from unusual ASNs, VPN pools, jump hosts, or user subnets
• new users, API keys, service accounts, scheduled tasks, webhooks, connectors, or tunnels
• configuration exports, backup downloads, disabled logging, or policy edits
• unexpected child processes, shell commands, archive creation, or outbound callbacks
• user agents and API calls that do not match normal admin tooling

For internet-facing systems, keep the hunt window wider than the patch window. Public exploit activity often starts before the internal meeting invite appears. A shocking development, I know.

S6 view

This belongs in the same 2026 pattern as the other KEV additions: attackers keep aiming at control points. Firewalls, SD-WAN managers, endpoint consoles, remote access platforms, developer tools, and AI gateways all share the same problem. Other systems trust them.

The practical test is simple: can the team name the owner, find every instance, patch or isolate it, and prove from logs whether anyone got there first?

Sources

• https://www.cisa.gov/known-exploited-vulnerabilities-catalog
• https://github.com/langflow-ai/langflow
• https://github.com/langflow-ai/langflow/releases/tag/v1.9.3
• https://github.com/langflow-ai/langflow/issues/11465#event-25774545848
• https://nvd.nist.gov/vuln/detail/CVE-2025-34291