CISA KEV: Langflow Langflow — Langflow Origin Validation Error Vulnerability

Thursday, May 21, 2026 at 12:00 AM UTC·Source: CISA KEV

Updated: Thursday, May 21, 2026 at 07:00 PM UTC

Executive Summary

Langflow contains an origin validation error vulnerability in which an overly permissive CORS configuration combined with a refresh token cookie configured as SameSite=None allows a malicious webpage to perform cross-origin requests that include credentials and successfully call the refresh endpoint. This could allow the attacker to execute arbitrary code and achieve full system compromise via obtained tokens that permit access to authenticated endpoints.

Analysis

Indicators of Compromise (1)

CVE (1)

CVE-2025-34291

NVD MITRE CVE

Source Attribution

Originally published by CISA KEV on May 21, 2026. Verified by: CISA.

Related Threats

MEDIUMVulnerability

Google API Keys Remain Active After Deletion

A security researcher discovered the API keys can still be used for 23 minutes after deletion, even though the cloud provider claims deletion is immediate.

2h agoDark Reading

CRITICALVulnerability

Lawmakers from both parties say CISA cuts have gone too far

Reps. Don Bacon, R-Neb., and James Walkinshaw, D-Va., found rare bipartisan agreement that the agency tasked with defending civilian networks has been diminished at a moment when threats from China and others are growing. The post Lawmakers from both parties say CISA cuts have gone too far appeared first on CyberScoop .

2h agoCyberScoop

MEDIUMVulnerability

Tech giants promise British regulator they will tweak platforms to protect kids online

The regulator, Ofcom, had required Roblox, Snapchat, Instagram, Facebook, YouTube and TikTok to answer questions about their efforts to remove harmful algorithms, check kids’ ages and protect them from sexual predators by the end of April.

3h agoThe Record