CVE-2025-34291

Warnung

Medienbericht

Exploit

EPSS 78.89%
Veröffentlicht 05.12.2025 22:27:26
Zuletzt bearbeitet 21.05.2026 20:16:13
Quelle disclosure@vulncheck.com
CVE-Watchlists
Login
Unerledigt
Login

Langflow <= 1.6.9 CORS Misconfiguration to Token Hijack & RCE

Langflow versions up to and including 1.6.9 contain a chained vulnerability that enables account takeover and remote code execution. An overly permissive CORS configuration (allow_origins='*' with allow_credentials=True) combined with a refresh token cookie configured as SameSite=None allows a malicious webpage to perform cross-origin requests that include credentials and successfully call the refresh endpoint. An attacker-controlled origin can therefore obtain fresh access_token / refresh_token pairs for a victim session. Obtained tokens permit access to authenticated endpoints — including built-in code-execution functionality — allowing the attacker to execute arbitrary code and achieve full system compromise.

Betroffene Produkte Warnungen 1 Metriken 3 CWE 1 Referenzen 12

NVD 1 VulnDex Vulnerability Enrichment 1

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Langflow ≫ Langflow Version <= 1.6.9

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

21.05.2026: CISA Known Exploited Vulnerabilities (KEV) Catalog

Langflow Origin Validation Error Vulnerability

Schwachstelle

Langflow contains an origin validation error vulnerability in which an overly permissive CORS configuration combined with a refresh token cookie configured as SameSite=None allows a malicious webpage to perform cross-origin requests that include credentials and successfully call the refresh endpoint. This could allow the attacker to execute arbitrary code and achieve full system compromise via obtained tokens that permit access to authenticated endpoints.

Beschreibung

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Erforderliche Maßnahmen

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	78.89%	0.995

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	8.8	2.8	5.9	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
disclosure@vulncheck.com	9.4	0	0	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CWE-346 Origin Validation Error

The product does not properly verify that the source of data or communication is valid.

Für Zugriff zu Vulnerability Intelligence ist ein VulnDex Zugang erforderlich.

VulnDex Intel

Media Report

10.06.2026 17:43

Für Zugriff zu Vulnerability Intelligence ist ein VulnDex Zugang erforderlich.

VulnDex Intel

Media Report

05.06.2026 12:43

Für Zugriff zu Vulnerability Intelligence ist ein VulnDex Zugang erforderlich.

VulnDex Intel

Media Report

05.06.2026 12:43

Für Zugriff zu Vulnerability Intelligence ist ein VulnDex Zugang erforderlich.

VulnDex Intel

Media Report

17.03.2026 22:20

https://www.obsidiansecurity.com/blog/cve-2025-34291-critical-account-takeover-and-rce-vulnerability-in-the-langflow-ai-agent-workflow-platform

Third Party Advisory

Exploit

Mitigation

https://github.com/langflow-ai/langflow

Product

https://www.vulncheck.com/advisories/langflow-cors-misconfiguration-to-token-hijack-and-rce

Third Party Advisory

https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-34291

https://www.crowdsec.net/vulntracking-report/cve-2025-34291

https://nvd.nist.gov/vuln/detail/CVE-2025-34291

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-34291

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-34291

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2025-34291

21.05.2026: CISA Known Exploited Vulnerabilities (KEV) Catalog