Critical Flaw in Langflow: Visiting a Web Page Can Hijack Your AI Agent Stack
A CVSS 9.4 flaw has been found in Langflow, the popular AI agent OSS, and CISA has added it to the Known Exploited Vulnerabilities catalog. Visiting a malicious web page is enough to steal a user's session and hijack the entire AI agent stack, including configured OpenAI and Anthropic API keys. A fix is available in version 1.9.3.
News
kkm
Backend Engineer / AWS / Django
On May 21, 2026, CISA added CVE-2025-34291 — a vulnerability in the popular AI agent OSS "Langflow" — to its Known Exploited Vulnerabilities (KEV) catalog. The attack precondition is simply "the user visits a malicious web page". The severity is 9.4 on CVSS 4.0 (Critical), and users must update to the 1.7 series or later — the latest stable version is 1.9.3.
Langflow is an open-source AI agent / RAG platform with over 140,000 GitHub stars. Often called the "no-code version of LangChain", it lets you build AI workflows by drag-and-drop. It is actively used by AI engineers worldwide, including a sizeable Japanese community publishing how-to articles on Zenn and similar sites.
What makes this vulnerability particularly painful is that Langflow is, by design, "a platform that concentrates API keys for many AI services". Connections to OpenAI, Anthropic, various vector databases, and internal data sources all converge in a single Langflow instance. If Langflow is compromised, the services behind it fall in a chain reaction — a structural risk that ultimately drew CISA's warning.
What is Langflow?
Langflow is, in one sentence, "a tool for building AI apps by combining blocks". Built on top of the LangChain framework, it lets you assemble AI workflows in the browser by dragging and dropping components — no code required.
Typical use cases are Retrieval-Augmented Generation (RAG) — answering questions over your internal documents — and autonomous agents that combine multiple AI capabilities. Teams adopt it to customize a ChatGPT-like chat for their company or to build query bots over internal data.
Langflow AI was acquired in 2024 by database company DataStax (now under IBM), and both commercial support and an open-source edition are available. When running it yourself, the typical setup is to self-host on your own server or cloud via pip or Docker — and that self-hosted configuration is what today's vulnerability targets.
What is actually broken
According to Obsidian Security, the firm that discovered the flaw, the attack chains together three configuration mistakes.
A three-step exploit chain
1. Overly permissive CORS: the combination of `allow_origins='*'` and `allow_credentials=True` allows credentialed requests from any website.
2. Loose cookie configuration: refresh-token cookies are issued with `SameSite=None`, so the browser sends them on cross-site requests.
3. A built-in code execution endpoint: authenticated users can execute arbitrary Python code via `/api/v1/validate/code`, by design.
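An added check, not Langflow's own code, that audits the response headers of an instance you operate for the first two conditions above: a wildcard (or echoed) `Access-Control-Allow-Origin` together with `Access-Control-Allow-Credentials: true`, and cookies issued with `SameSite=None`. The foreign origin, the cookie name in the docstring and the default probe path are assumptions; feed it the headers of your own login response to check the cookie attributes.

```python
"""Audit a self-hosted Langflow instance's CORS and cookie headers (added example)."""
import urllib.request

# Constructed origin standing in for "some web page other than your Langflow UI".
FOREIGN_ORIGIN = "https://unrelated-site.example"


def audit_cors(headers, set_cookies, probe_origin=FOREIGN_ORIGIN):
    """headers: response headers (any case) from a request that carried
    `Origin: probe_origin`; set_cookies: the raw Set-Cookie header values.
    Returns a list of findings; an empty list means neither condition holds."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = []
    acao = h.get("access-control-allow-origin")
    creds = h.get("access-control-allow-credentials", "").lower() == "true"
    # A wildcard, or the foreign origin reflected back, both mean "any origin".
    any_origin = acao in ("*", probe_origin)
    if any_origin and creds:
        findings.append("CORS: credentialed requests allowed from any origin")
    elif any_origin:
        findings.append("CORS: any origin allowed (without credentials)")
    for raw in set_cookies:
        name = raw.split("=", 1)[0].strip()          # e.g. a constructed "refresh_token"
        attrs = [a.strip().lower() for a in raw.split(";")[1:]]
        if "samesite=none" in attrs:
            findings.append(f"cookie {name}: SameSite=None (sent on cross-site requests)")
    return findings


def probe(base_url, path="/", probe_origin=FOREIGN_ORIGIN, timeout=5):
    """Fetch one path from your own instance with a foreign Origin header and
    audit the response. Assumes the path answers without a session (default "/"
    serves the UI); the cookie check needs a response that sets cookies."""
    req = urllib.request.Request(base_url.rstrip("/") + path,
                                 headers={"Origin": probe_origin})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return audit_cors(dict(resp.headers.items()),
                          resp.headers.get_all("Set-Cookie") or [])


if __name__ == "__main__":
    import sys
    for finding in probe(sys.argv[1]) or ["no CORS/cookie findings"]:
        print(finding)
```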
Combined, the attack flow is surprisingly simple. A user is logged into Langflow with an active session, and they open a malicious web page prepared by an attacker. Everything else unfolds automatically in the background.
Attack scenario
1. The target Langflow user opens an attacker-prepared web page (via social media, email, or ads).
2. JavaScript on the page sends credentialed requests from the user's browser to their Langflow server.
3. The CORS misconfiguration lets the request through, and a fresh access token is obtained.
4. Using that token, arbitrary code is sent to `/api/v1/validate/code` and executes on the Langflow server.
5. The configured OpenAI API keys, Anthropic API keys, database connection strings, and so on are exfiltrated.
The user notices nothing. The Langflow tab does not even need to be open — as long as an auth cookie from a prior login still sits in the browser, the attack succeeds.
Why AI agent platforms are juicy targets
A vulnerability in a regular web app usually means "the app's own data is stolen". A vulnerability in an AI agent platform, by its nature, tends to cause a cascading compromise.
Information typically registered in a Langflow instance includes:
| Category | Examples | Impact if abused |
|---|---|---|
| LLM API keys | OpenAI / Anthropic / Google Gemini | Costly API calls and financial loss |
| Vector DB | Pinecone / Weaviate / Astra DB | Exfiltration / tampering of internal knowledge |
| SaaS integrations | Slack / Notion / Google Workspace | Lateral movement into business systems |
| Internal data | PostgreSQL / S3 / internal APIs | Direct data extraction |
A single hijacked Langflow instance gives up all of these keys at once. The attacker's next moves are typically cryptocurrency mining via stolen API keys, direct access to internal data sources, and pivoting into SaaS platforms. "By their nature, AI workflow platforms are high-ROI targets", as Obsidian Security puts it.
The weight of CISA KEV listing
This issue was publicly disclosed on December 5, 2025, with the CVE assigned on October 23, 2025. Nearly half a year later, on May 21, 2026, CISA added it to the Known Exploited Vulnerabilities Catalog — evidence that exploitation in the wild has been confirmed by U.S. authorities.
A KEV listing is legally binding for U.S. federal agencies. Under BOD 22-01, each agency must remediate within the specified deadline. Vendors and administrators in the private sector typically treat KEV as a de facto urgent priority list as well.
Now that exploitation is confirmed, you should assume that any internet-exposed Langflow instance is under continuous scanning and attack right now. Instances left unpatched since the December 2025 disclosure may already be compromised.
Affected environments and fixed version
Affected systems are self-hosted Langflow instances on version 1.6.9 or earlier. The fix shipped in the 1.7 series, and the current stable release is 1.9.3. The Langflow team explicitly calls out that release as "containing critical security fixes" and strongly recommends immediate upgrade.
| Item | Detail |
|---|---|
| CVE ID | CVE-2025-34291 |
| CVSS | 9.4 (v4.0) / 8.8 (v3.1) |
| Affected | Langflow 1.6.9 and earlier (self-hosted) |
| Fixed in | 1.7 and later (1.9.3 recommended) |
| Disclosed | December 5, 2025 |
| CISA KEV added | May 21, 2026 |
| Federal deadline | June 11, 2026 (three weeks from listing) |
| Reporter | Obsidian Security |
What to do right now
Checklist for self-hosted Langflow users
1. Check your current Langflow version: `pip show langflow` or the version footer in the Web UI.
2. If below 1.7, update immediately: `pip install --upgrade langflow`, or switch the Docker image to `langflowai/langflow:1.9.3`.
3. Confirm whether Langflow is reachable from outside your network. Ideally, lock it inside an internal network or behind a VPN.
4. Rotate every API key registered in Langflow (OpenAI, Anthropic, etc.). If you have left it unpatched for six months, assume compromise and start by revoking all keys.
5. Check your OpenAI/Anthropic billing dashboards for API usage you don't recognize.
6. Review Langflow's access and execution logs for suspicious calls to `/api/v1/validate/code`.
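For item 6, an added detection script (not part of Langflow) that scans reverse-proxy access logs for calls to the code-execution endpoint whose Referer is not your own Langflow UI. It assumes nginx in "combined" log format sits in front of Langflow; the log lines and hostnames are constructed. Note that in the cross-site scenario the request comes from the victim's own browser, so the source IP looks legitimate and only the Referer gives it away.

```python
"""Flag cross-site-looking calls to Langflow's code endpoint (added example)."""
import re
from collections import Counter
from urllib.parse import urlsplit

# nginx "combined" format; assumes nginx fronts Langflow and logs the Referer.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
CODE_EXEC_PATH = "/api/v1/validate/code"

# Constructed sample: line 1 is the user's own UI, line 2 is the same browser
# driven from a foreign page, line 3 is a Referer-less client, line 4 is unrelated.
SAMPLE_LOG = """\
203.0.113.7 - - [21/May/2026:10:01:12 +0000] "POST /api/v1/validate/code HTTP/1.1" 200 512 "https://langflow.corp.example/flow/abc" "Mozilla/5.0"
203.0.113.7 - - [21/May/2026:10:02:45 +0000] "POST /api/v1/validate/code HTTP/1.1" 200 512 "https://unrelated-site.example/page.html" "Mozilla/5.0"
198.51.100.9 - - [21/May/2026:10:02:46 +0000] "POST /api/v1/validate/code HTTP/1.1" 200 512 "-" "curl/8.0"
203.0.113.7 - - [21/May/2026:10:03:00 +0000] "GET /api/v1/flows/ HTTP/1.1" 200 2048 "https://langflow.corp.example/flows" "Mozilla/5.0"
"""


def suspicious_code_exec(lines, trusted_hosts):
    """Return (findings, per_ip_counts). A finding is any request to the code
    endpoint whose Referer host is not in trusted_hosts. A missing Referer ("-")
    is also flagged: legitimate scripted clients produce it too, so review by hand."""
    findings, per_ip = [], Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if not m or not m["path"].startswith(CODE_EXEC_PATH):
            continue
        per_ip[m["ip"]] += 1
        ref_host = urlsplit(m["referer"]).hostname if m["referer"] != "-" else None
        if ref_host not in trusted_hosts:
            findings.append(f'{m["time"]} {m["ip"]} {m["method"]} {m["path"]} '
                            f'status={m["status"]} referer={m["referer"]}')
    return findings, per_ip


if __name__ == "__main__":
    import sys
    # Usage: python detect.py langflow.corp.example < access.log
    hits, counts = suspicious_code_exec(sys.stdin, set(sys.argv[1:]))
    for hit in hits:
        print("SUSPICIOUS", hit)
    print("code-endpoint calls per source IP:", dict(counts))
```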
Items 4 and 5 matter most. A common attacker objective is "use the stolen API key to spin up expensive LLM calls for cryptocurrency mining workflows", and victims typically only notice on their end-of-month bill. Cases of hundreds to thousands of dollars in damages have been reported.
Why we keep seeing flaws in AI workflow platforms
From 2025 into 2026, vulnerability reports in AI app development frameworks — Langflow, LangChain, LiteLLM, LlamaIndex — have surged. Three structural reasons stand out.
First, they were designed in an "if it works, ship it" phase. Most AI dev tools are young OSS projects born in the post-LLM-boom growth spurt, where feature delivery dominates. Foundational web security (authentication, authorization, CSRF defenses) easily slips to the back of the queue.
Second, "executing code" is a designed-in feature. Many AI agent platforms expose "run user-written Python" as a legitimate capability. That feature plus an auth bypass equals immediate RCE.
Third, credential concentration. As discussed, AI workflow platforms structurally aggregate API keys for the services they connect to. That makes them a treasure trove for attackers — a category that will continue to be targeted as long as the AI boom lasts.
The same day, the AI API proxy OSS "LiteLLM" was also disclosed to have a CVSS 8.8 privilege escalation vulnerability. It is the same structural problem playing out elsewhere — securing self-hosted AI infrastructure is shaping up as a major theme of 2026.
Closing thoughts
If your team self-hosts Langflow, do the version check and upgrade tonight — even if the deployment lives strictly on an internal network. CSRF-style attacks succeed the moment an internal user opens an external malicious page in their browser; "private network" alone is not a defense.
A "sandbox to prototype AI apps" can quietly evolve into "the hub that aggregates internal confidential data". Whether or not it is in formal production, the moment you register an API key, Langflow becomes infrastructure that has to be defended.
References
- NVD - CVE-2025-34291 (Langflow CORS misconfiguration to token hijack and RCE)
- CISA - Known Exploited Vulnerabilities Catalog (CVE-2025-34291 added on May 21, 2026)
- Obsidian Security - Critical Account Takeover and RCE Vulnerability in the Langflow AI Agent Workflow Platform
- VulnCheck - Langflow CORS Misconfiguration to Token Hijack and RCE
- GitHub - Langflow Releases
- GitHub - langflow-ai/langflow