SB2026052629 - CORS misconfiguration leading to RCE in Langflow
Published: May 26, 2026
Description
This security bulletin contains information about 1 vulnerability.
1) Overly permissive cross-domain whitelist (CVE-ID: CVE-2025-34291)
CWE-ID: CWE-942 - Overly Permissive Cross-domain Whitelist
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A/U:Amber
The vulnerability allows a remote attacker to execute arbitrary code.
The vulnerability exists due to improper access control in the CORS configuration and refresh token handling when processing cross-origin requests with credentials. A remote attacker can host a malicious webpage that triggers credentialed requests to obtain fresh session tokens and use authenticated code-execution functionality to execute arbitrary code.
User interaction is required to visit an attacker-controlled webpage while authenticated to the application.
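A defender-side check for the condition described above, as an added example that is not part of the bulletin or of Langflow's code: it audits the headers a server returns to a request carrying a foreign Origin and flags an untrusted origin being granted credentials. The origins, the `refresh_token` cookie name and both header sets are constructed; the SameSite check reflects general browser behaviour that the bulletin does not detail.

```python
# Added example; origins, cookie name and header sets are constructed sample data.
TRUSTED_ORIGINS = {"https://flows.example.test"}  # assumption: the UI's own origin

def audit_cors(probe_origin, headers, trusted=TRUSTED_ORIGINS):
    """Audit (name, value) response headers for a request sent with Origin: probe_origin."""
    acao = acac = None
    cookies = []
    for name, value in headers:
        name = name.lower()
        if name == "access-control-allow-origin":
            acao = value.strip()
        elif name == "access-control-allow-credentials":
            acac = value.strip()
        elif name == "set-cookie":
            cookies.append(value)

    findings = set()
    if acao == "*":
        # Browsers reject "*" on credentialed requests, but the policy is still too broad.
        findings.add("wildcard-origin")
    elif acao is not None and acao not in trusted:
        reflected = acao == probe_origin
        findings.add("reflects-untrusted-origin" if reflected else "untrusted-origin-allowed")
        # Browsers honour the credentials header only when it is exactly "true".
        if acac == "true":
            findings.add("credentials-to-untrusted-origin")
    for cookie in cookies:
        attrs = [a.strip().lower() for a in cookie.split(";")[1:]]
        if "samesite=none" in attrs:
            # Eligible to be sent on cross-site requests, so CORS must hold the line.
            findings.add("cross-site-cookie:" + cookie.split("=", 1)[0].strip())
    return sorted(findings)

# Constructed responses to the same probe: a permissive policy and a restricted one.
PROBE = "https://probe.example.net"
WEAK = [
    ("Access-Control-Allow-Origin", PROBE),
    ("Access-Control-Allow-Credentials", "true"),
    ("Set-Cookie", "refresh_token=abc123; Path=/; Secure; HttpOnly; SameSite=None"),
]
FIXED = [
    ("Vary", "Origin"),
    ("Set-Cookie", "refresh_token=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
]

if __name__ == "__main__":
    print(audit_cors(PROBE, WEAK))
    print(audit_cors(PROBE, FIXED))
```

An empty result for a foreign probe origin means the response grants that origin nothing; any `credentials-to-untrusted-origin` finding is the CWE-942 condition this bulletin describes.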
Remediation
Install the update from the vendor's website.
References
- https://www.obsidiansecurity.com/blog/cve-2025-34291-critical-account-takeover-and-rce-vulnerability-in-the-langflow-ai-agent-workflow-platform
- https://www.vulncheck.com/advisories/langflow-cors-misconfiguration-to-token-hijack-and-rce
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-34291
- https://www.crowdsec.net/vulntracking-report/cve-2025-34291