Critical Langflow Vulnerability Exploited in the Wild, Added to CISA KEV Catalog The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-34291, a severe vulnerability in Langflow, to its Known Exploited Vulnerabilities (KEV) Catalog after confirming active exploitation. The flaw, classified as an origin validation error (CWE-346), enables unauthenticated attackers to execute arbitrary code and achieve full system compromise. Affected software includes Langflow, an open-source visual framework widely used for building AI-powered application workflows. The vulnerability stems from an overly permissive Cross-Origin Resource Sharing (CORS) configuration and a SameSite=None refresh token cookie, which allows attackers to bypass browser security controls. Exploitation occurs via a browser-based cross-origin attack: a victim authenticated to a Langflow instance visits a malicious webpage, unknowingly forwarding their session credentials to the attacker. With valid tokens, the attacker accesses authenticated API endpoints, escalates privileges, and executes remote code with the same permissions as the Langflow service often running with elevated system access. CISA added CVE-2025-34291 to the KEV Catalog on May 21, 2026, setting a federal remediation deadline of June 4, 2026, for agencies under Binding Operational Directive (BOD) 22-01. While federal entities must comply, private-sector organizations using Langflow in AI development or production are urged to prioritize patching due to the high risk of remote code execution (RCE). Mitigation steps include applying vendor patches, restricting CORS to trusted origins, reconfiguring session cookies to avoid SameSite=None, and discontinuing use of vulnerable versions if no immediate fixes are available. The flaw’s technical simplicity and potential for widespread impact make it a critical concern for exposed deployments.

Critical Langflow Vulnerability Exploited in the Wild, Enabling Remote Code Execution Threat actors are actively exploiting a high-severity vulnerability (CVE-2026-5027, CVSS 8.8) in Langflow, a popular low-code AI development platform. The flaw, a path traversal issue, allows attackers to write files to arbitrary system locations by manipulating the `filename` parameter in the `POST /api/v2/files` endpoint. According to VulnCheck, the vulnerability enables unauthenticated remote code execution (RCE) due to Langflow’s default auto-login feature, which grants session tokens without credentials. Attackers can exploit the flaw with a single unauthenticated request, as demonstrated by observed in-the-wild attempts that dropped test files on victim systems. The attack surface is significant, with roughly 7,000 internet-exposed Langflow instances, primarily in North America. VulnCheck notes this activity reflects a broader trend of threat actors targeting AI development infrastructure. The vulnerability was publicly disclosed on March 27 by Tenable after prior disclosure attempts failed. Langflow has not yet responded to requests for comment.

Critical Langflow Vulnerability Exploited in the Wild, CISA Issues Urgent Warning The Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2026-33017, a severe code-injection vulnerability in Langflow, to its Known Exploited Vulnerabilities (KEV) catalog after confirming active exploitation. The flaw allows unauthenticated attackers to execute arbitrary code on affected systems, posing a significant risk to organizations using the framework. Langflow, a popular visual framework for building large language model (LLM) applications, is widely deployed in development pipelines. The vulnerability stems from improper code generation controls (CWE-94), insecure evaluation of injected directives (CWE-95), and a complete lack of authentication for critical functions (CWE-306). Attackers can exploit these weaknesses to bypass security checks, inject malicious scripts, and gain control of the application environment all without credentials. Key Details: - CVE ID: CVE-2026-33017 - Affected Software: Langflow - Vulnerability Type: Code injection, missing authentication - Added to KEV Catalog: March 25, 2026 - Federal Remediation Deadline: April 8, 2026 (per CISA’s Binding Operational Directive 22-01) - Ransomware Status: Unconfirmed if used in campaigns CISA has mandated federal agencies to apply mitigations by the deadline, while strongly urging private and public sector organizations to prioritize patching. If no patch is available, administrators are advised to follow CISA’s cloud service guidance or temporarily disable Langflow. The flaw highlights the growing threat to AI-driven development tools, which are increasingly targeted for data exfiltration, lateral movement, and infrastructure compromise. Organizations relying on Langflow are at risk of unauthorized access and network breaches if left unaddressed.

Critical Zero-Day Vulnerability in Langflow AI Platform Exposes Systems to Remote Code Execution A severe security flaw in Langflow, a widely used AI application platform, has been disclosed, allowing attackers to execute arbitrary code remotely via its CSV data-processing agent. The vulnerability, tracked as CVE-2026-27966, carries a critical severity score of 10.0, indicating an immediate and high-risk threat to affected systems. ### Root Cause & Exploitation Mechanism The vulnerability stems from a hardcoded setting in Langflow’s CSV Agent node, which enables users to query or analyze CSV files using a language model (LLM). The issue lies in the `allow_dangerous_code=True` configuration, which is permanently enabled and activates LangChain’s `python_repl_ast` tool a feature designed to execute Python code. Due to the lack of user-controlled toggles for this setting, attackers can exploit it through prompt injection. By crafting malicious prompts in the chat interface, they can trick the AI into running system commands, such as: ``` import("os").system("echo pwned > /tmp/pwned") ``` Since the system executes these commands without validation, attackers can gain full control of the server, enabling data theft, file deletion, or malware installation without requiring authentication or user interaction. ### Impact & Affected Systems The flaw poses a severe risk to any organization using Langflow, as it allows unauthenticated remote code execution (RCE). Exploitation could lead to: - Complete system compromise - Unauthorized data access or exfiltration - Deployment of ransomware or backdoors ### Patch & Mitigation Langflow’s development team released version 1.8.0 to address the issue, likely by disabling the dangerous code execution setting by default. Users are strongly advised to upgrade immediately to prevent exploitation. The official security advisory was published on GitHub, detailing the fix and urging prompt action. The discovery underscores the growing risks of AI-driven automation tools with insecure default configurations, particularly in frameworks handling untrusted input.

A critical unauthenticated remote code execution vulnerability in Langflow was added to CISA’s Known Exploited Vulnerabilities catalog after proof of active exploitation emerged. Langflow, an open-source Python tool used by organizations to visually build and deploy AI agents via a web interface and API, inadvertently exposed more than 500 internet-facing instances and countless internal deployments to hostile actors. By abusing CVE-2025-3248, attackers can execute arbitrary code on exposed servers without any authentication, potentially leading to full system compromise, data theft, ransomware deployment, or pivoting to deeper network resources. Given Langflow’s popularity in automating sensitive workflows, the flaw poses an immediate threat to intellectual property, customer records, and operational continuity across both public and private sector environments. If left unpatched, adversaries could manipulate or leak proprietary AI models, harvest credentials, disrupt services, and undermine trust in critical automation pipelines. CISA’s inclusion of this vulnerability in its KEV catalog underscores the urgent need for patching to prevent widespread damage to organizational integrity and the broader digital infrastructure reliant on Langflow.