Obsidian Security — Langflow account takeover + RCE chain (CVE-2025-34291)
• Category: AI CVEs
AI relevance: Langflow is commonly deployed as an AI agent/workflow hub holding API keys and connectors; this bug chain turns a browser visit into token theft + code execution on the Langflow host.
- What happened: Obsidian Security published a write-up on CVE-2025-34291, a chained vulnerability in Langflow that can enable account takeover and remote code execution.
- The chain (high level): (1) overly permissive CORS + allow_credentials, (2) missing CSRF protections on token refresh flows, and (3) a built-in code validation endpoint that can execute code by design.
- Why it’s especially ugly: an attacker can pivot from “I got your browser to hit a URL” to “I can act as you on the platform” (and potentially read responses cross-origin if CORS is too open).
- Credential blast radius: the write-up emphasizes that compromising Langflow can expose workspace-stored tokens and API keys used to connect downstream SaaS/cloud systems.
- Operational lesson: agent platforms are effectively integration control planes; web security footguns (CORS/CSRF) become infra compromises when the platform also has “run code” features.
- Watch for follow-on abuse: once an attacker has tokens/keys, the next step is usually data exfiltration or tool abuse across connected services (storage, ticketing, CI/CD, etc.).
Why it matters
- Agents concentrate privilege: Langflow-style platforms centralize secrets so agents can call tools. That makes them “OAuth/token jackpots.”
- Browser-to-server escalation: when auth relies on cookies and CORS/CSRF is misconfigured, a user’s browser becomes an unwitting bridge into your internal agent platform.
- “Code execution by design” needs a sandbox: validation / scripting endpoints are common in no/low-code AI tooling; without isolation, they’re effectively an RCE feature.
What to do
- Patch/upgrade: identify whether you run an affected Langflow version and upgrade to a fixed release per vendor guidance / the write-up’s references.
- Lock down CORS: do not use wildcard origins with allow_credentials. Only allow the exact UI origins you operate.
- Harden CSRF: enforce CSRF tokens on state-changing endpoints; prefer SameSite=Lax/Strict where possible and avoid token refresh flows that can be called cross-site.
- Isolate execution: run Langflow (and any “validate/run code” feature) in a constrained sandbox (container w/ seccomp, no host mounts, minimal network egress, separate secrets).
- Assume compromise = rotate: if you suspect exposure, rotate all Langflow-stored API keys and review outbound calls made by the platform.
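The CORS and CSRF items above, as an added worked example (constructed here, not Langflow's or Obsidian's code): a small policy model that flags the wildcard-plus-credentials footgun, emits CORS headers only for exact allowlisted origins, and gates a cookie-authenticated token-refresh request on same-origin provenance plus a CSRF token. The origin "https://langflow.example.internal" and the header names are assumptions for illustration.

```python
import hmac
from dataclasses import dataclass, field
from typing import Dict, List, Optional
from urllib.parse import urlsplit


@dataclass
class CorsPolicy:
    # Exact UI origins you operate, e.g. "https://langflow.example.internal" (constructed value)
    allow_origins: List[str] = field(default_factory=list)
    allow_credentials: bool = False


def audit_cors(policy: CorsPolicy) -> List[str]:
    """Flag the footguns the write-up names: wildcard or loose origins combined with credentials."""
    findings = []
    if policy.allow_credentials and "*" in policy.allow_origins:
        findings.append("wildcard origin with allow_credentials: any site can read authenticated responses")
    for origin in policy.allow_origins:
        parts = urlsplit(origin)
        if origin != "*" and (parts.scheme not in ("http", "https") or not parts.netloc or parts.path not in ("", "/")):
            findings.append(f"not a bare scheme://host[:port] origin: {origin}")
        if origin.startswith("http://") and policy.allow_credentials:
            findings.append(f"credentialed CORS over a plaintext origin: {origin}")
    return findings


def cors_headers(policy: CorsPolicy, request_origin: Optional[str]) -> Dict[str, str]:
    """Hardened response: echo only an exact allowlisted origin; otherwise emit no CORS headers at all."""
    if not request_origin or request_origin == "*" or request_origin not in policy.allow_origins:
        return {}  # no Access-Control-Allow-Origin => the browser withholds the response from the page
    headers = {"Access-Control-Allow-Origin": request_origin, "Vary": "Origin"}
    if policy.allow_credentials:
        headers["Access-Control-Allow-Credentials"] = "true"
    return headers


def allow_refresh(policy: CorsPolicy, req_headers: Dict[str, str], expected_csrf: str) -> bool:
    """Gate a cookie-authenticated token-refresh POST: same-origin provenance AND a matching CSRF token.

    Sec-Fetch-Site is set by browsers; a value other than "same-origin" means the request was
    initiated cross-site and must be refused even if the session cookie was attached.
    """
    site = req_headers.get("Sec-Fetch-Site")
    if site is not None and site != "same-origin":
        return False
    origin = req_headers.get("Origin")
    if origin is not None and origin not in policy.allow_origins:
        return False
    # Constant-time compare so the token check itself leaks nothing
    return hmac.compare_digest(req_headers.get("X-CSRF-Token", ""), expected_csrf)
```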
Sources
- Obsidian Security (primary): CVE-2025-34291: Critical Account Takeover and RCE Vulnerability in the Langflow AI Agent & Workflow Platform
- Global Security Mag (reports active exploitation claim): CVE-2025-34291: Active Exploitation of LangFlow RCE Confirmed in the Wild
- Langflow source references (linked in the Obsidian post): langflow-ai/langflow