Langflow chained account takeover and RCE via CORS origin validation error
CVE-2025-34291 is a critical chained vulnerability in Langflow affecting versions up to and including 1.6.9. Three conditions combine. First, an overly permissive CORS configuration allows credentialed cross-origin requests (e.g., allow_origins='*' together with allow_credentials=True). A browser refuses a literal '*' on a credentialed response, but Starlette's CORSMiddleware, which FastAPI-based applications such as Langflow use, echoes the requesting Origin when the request carries a cookie, so the wildcard behaves as "reflect any origin with credentials". Second, the refresh token cookie is set with SameSite=None, so the browser attaches it to requests initiated from other sites. Third, the refresh endpoint can be invoked cross-origin. A malicious website visited by an authenticated Langflow user can therefore make the victim's browser send credentialed requests to the Langflow refresh endpoint and read back fresh access_token and refresh_token pairs for the victim's session. Those tokens grant access to authenticated Langflow endpoints, including built-in code-execution functionality such as the code validation path, so the outcome is account takeover and remote code execution on the host running Langflow. The chain turns a browser-based cross-origin token theft into full server compromise.
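The two preconditions the chain needs can be checked side by side. The following Python is an added example, not Langflow's code and not part of this page's source: it models the response headers a Starlette/FastAPI CORSMiddleware produces for the allow_origins and allow_credentials settings (my simplified model, an assumption rather than the framework's source), parses the refresh cookie's SameSite attribute, and reports whether a foreign origin could both make the request with cookies attached and read the response. The origins, the cookie name and the header values are constructed for illustration; probe_live is a live variant for an instance you own.

```python
"""Checks for the CORS + SameSite=None refresh-cookie combination described above.

Added example, not Langflow code.  simulate_cors_headers is a simplified model
of Starlette/FastAPI CORSMiddleware (assumption, not copied from the framework);
origins and Set-Cookie strings below are constructed.
"""
from __future__ import annotations

import urllib.request
from dataclasses import dataclass

ATTACKER_ORIGIN = "https://attacker.example"   # constructed, hypothetical
APP_ORIGIN = "https://langflow.example"        # constructed, hypothetical


@dataclass
class CorsConfig:
    allow_origins: list[str]
    allow_credentials: bool = False


# The weak setting named in the advisory next to a hardened equivalent.
VULNERABLE = CorsConfig(allow_origins=["*"], allow_credentials=True)
HARDENED = CorsConfig(allow_origins=[APP_ORIGIN], allow_credentials=True)


def simulate_cors_headers(cfg: CorsConfig, origin: str, has_cookie: bool) -> dict[str, str]:
    """Model the response headers for a simple (non-preflight) cross-origin request.

    Key point: with allow_origins=['*'] a request that carries a Cookie header is
    answered with the *requesting* Origin, not a literal '*'.  The browser would
    reject '*' on a credentialed response; it accepts the echoed origin.
    """
    headers: dict[str, str] = {}
    if "*" in cfg.allow_origins:
        headers["Access-Control-Allow-Origin"] = origin if has_cookie else "*"
    elif origin in cfg.allow_origins:
        headers["Access-Control-Allow-Origin"] = origin
    if cfg.allow_credentials:
        headers["Access-Control-Allow-Credentials"] = "true"
    return headers


def credentialed_cross_origin_allowed(headers: dict[str, str], origin: str) -> bool:
    """True when script on `origin` may read a credentialed response.

    A literal '*' is flagged too: browsers refuse it with credentials, but it
    still marks a policy that was never scoped to trusted origins.
    """
    acao = headers.get("Access-Control-Allow-Origin", "")
    acac = headers.get("Access-Control-Allow-Credentials", "").lower() == "true"
    return acac and acao in ("*", origin)


def parse_set_cookie(header: str) -> dict[str, str]:
    """Minimal Set-Cookie parser: name, value, and lower-cased attributes."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {"name": name.strip(), "value": value.strip()}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip().lower() if val else "true"
    return attrs


def cookie_cross_site_verdict(attrs: dict[str, str]) -> str:
    """How the cookie behaves on fetch(..., credentials='include') from another site.

    'sent': SameSite=None, the cookie rides every cross-site request.
    'browser-dependent': attribute absent; Chromium defaults to Lax, other
        engines have not all followed, so do not rely on it.
    'withheld': SameSite=Lax or Strict (a subdomain of the same site is still
        same-site, so this is no defence against a sibling host).
    """
    samesite = attrs.get("samesite")
    if samesite == "none":
        return "sent"
    if samesite is None:
        return "browser-dependent"
    return "withheld"


def assess(cfg: CorsConfig, set_cookie: str, origin: str = ATTACKER_ORIGIN) -> list[str]:
    """Run both checks; an empty list means the chain's preconditions are absent."""
    findings: list[str] = []
    headers = simulate_cors_headers(cfg, origin, has_cookie=True)
    if credentialed_cross_origin_allowed(headers, origin):
        findings.append(f"CORS lets {origin} read credentialed responses "
                        f"(ACAO={headers['Access-Control-Allow-Origin']!r})")
    attrs = parse_set_cookie(set_cookie)
    verdict = cookie_cross_site_verdict(attrs)
    if verdict != "withheld":
        findings.append(f"cookie {attrs['name']!r} is {verdict} on cross-site requests "
                        f"(SameSite={attrs.get('samesite', 'absent')})")
    return findings


def probe_live(url: str, origin: str = ATTACKER_ORIGIN) -> dict[str, str]:
    """Live check for an instance you own: send a foreign Origin plus a dummy
    Cookie and return the CORS-related response headers.  Not run offline."""
    req = urllib.request.Request(url, headers={"Origin": origin, "Cookie": "probe=1"})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return {k: v for k, v in resp.headers.items() if k.lower().startswith("access-control")}


if __name__ == "__main__":
    # Constructed Set-Cookie values; the cookie name is illustrative, not Langflow's.
    weak = "refresh_token=abc123; HttpOnly; Secure; SameSite=None; Path=/"
    safe = "refresh_token=abc123; HttpOnly; Secure; SameSite=Lax; Path=/"
    print("vulnerable:", assess(VULNERABLE, weak))
    print("hardened:  ", assess(HARDENED, safe) or ["no findings"])
```

The hardened pair is the remediation shape the advisory implies: an explicit origin list when credentials are allowed, and a refresh cookie that is not SameSite=None unless a genuine cross-site flow requires it (in which case the refresh endpoint also needs an Origin check or CSRF token).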
Exploits
No valid public exploits were found. Mallory filtered out 2 candidate repositories as fakes, detection scripts, or README-only repos.
Recent activity
50 sources tracked across advisories, community write-ups, and news. Summaries from those sources:
A critical account takeover and remote code execution vulnerability in Langflow that could be chained into full system compromise.
An origin validation error in Langflow that can allow arbitrary code execution and system compromise.
A critical origin validation error in Langflow caused by overly permissive CORS configuration and insecure refresh token cookie settings, enabling authenticated cross-origin requests, token theft, unauthorized API access, potential arbitrary code execution, and full system compromise.
An origin validation error vulnerability in Langflow that can enable arbitrary code execution and full system compromise. The flaw reportedly stems from a combination of overly permissive CORS, missing CSRF protection, and a code-execution endpoint by design, with exposure of sensitive tokens and API keys.