VulnerabilityALERT High

CVE-2025-34291: Langflow Origin Validation Error Vulnerability

Langflow contains an origin validation error vulnerability in which an overly permissive CORS configuration combined with a refresh token cookie configured as SameSite=None allows a malicious webpage to perform cross-origin requests that include credentials an...

Impact

CISA lists CVE-2025-34291 as known exploited in the wild for Langflow Langflow. Ransomware campaign use: Unknown. Federal remediation due date: 2026-06-04.

Recommended Action

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Published: 5/21/2026, 12:00:00 AMSource: CISA Known Exploited Vulnerabilities CatalogTags: CVE-2025-34291, Langflow, Langflow, CISA KEV, CWE-346