Last week, the CrowdSec Intelligence Network added another batch of detection rules for CVEs released in Q4 of 2025. Among these is CVE-2025-34291, a remote code execution vulnerability in LangFlow, one of the most popular AI agent frameworks. Using data provided by the CrowdSec Network, we are now the first to confirm that this vulnerability is being actively exploited in the wild. Security teams that have not patched the vulnerability yet must now act quickly to protect their LangFlow instances.
Key findings
- Active exploitation of CVE-2025-34291 was observed starting on January 23rd, 2026. The vulnerability has not yet been added to CISA KEV, but we expect this to happen soon.
- CVE-2025-34291 originates from an issue in the cross-site request forgery protection of the LangFlow default configuration. As a consequence, the IPs observed by CrowdSec are the IPs of users falling for the ruse of the threat actors using this vulnerability.
- Due to how the vulnerability works in practice, CrowdSec cannot fully confirm the scale of the exploitation campaign. However, from the data available, we can conclude that the operation is probably being orchestrated at a professional scale.
What is Langflow?
Langflow is a popular open source visual framework used by developers and data scientists to build multi-agent applications and chain Large Language Models (LLMs). It allows users to drag-and-drop components to create complex AI workflows without writing extensive code. If an organization is experimenting with AI or building LLM-powered internal tools, there is a good chance someone is using LangFlow already. Any potential exploitation of the vulnerability will provide full control over the organization’s AI infrastructure. The “move-fast-and-break-things” mentality of a lot of AI experiments makes AI infrastructure especially vulnerable to such an attack.
How does CVE-2025-34291 work?
CVE-2025-34291 is a nasty chain of configuration issues involving CORS (Cross-Origin Resource Sharing) and SameSite cookie attributes. We provide a short summary for brevity.
Essentially, an attacker can trick a logged-in user’s browser into sending their credentials (refresh tokens) to a malicious site. This is a common attack pattern, and modern frameworks and browsers usually take care of preventing such vulnerabilities. Consequently, most developers are not used to setting up bespoke defences against such attacks. Once the attacker has the token, they can impersonate the user and access the LangFlow instance in their name. Since Langflow includes features to execute Python code as part of its workflow, this account takeover immediately escalates to Remote Code Execution (RCE). The full write-up can be found on a blog post by Obsidian Security, the company that originally found and disclosed the exploit.
Trend analysis
CORS and other cross-site vulnerabilities are difficult to attribute. These attacks rely on a user clicking a link on a third-party site that then executes the exploit on their behalf. As a consequence of this, the IPs observed by defenders are the IPs of the users who get caught in the attack. This also explains why all the IPs CrowdSec has observed so far come from residential IP ranges.
This problem also makes it difficult to estimate how broad the attack campaign is. However, seeing how many victims we have also allows us to conclude that there is a significant blast radius to the current exploitation campaign.
How to protect your systems
- Harden your LangFlow configuration:
- Disable authenticated cross-site requests by setting the LANGFLOW_CORS_ALLOW_CREDENTIALS environment variable to False
- If the above is not possible, restrict the hosts that are allowed to forward cross-site requests by setting LANGFLOW_CORS_ORIGINS to a list of select trusted hosts.
- Upgrade to LangFlow 1.7:
- The default configuration of LangFlow 1.7 is protected against this attack.
- Protect your systems using a WAF:
- Use tools such as CrowdSec to automatically identify and block IP addresses engaging in this exploitation behavior.