HARDENED Cybersecurity Intelligence | Issue No. 049 · May 25, 2026 · Weekly Flagship · hardened.news

> The signal. Not the noise. — For teams that defend.

Enterprise | Cloud & DevOps | Developers | End Users

Gates cleared: Gate 1 Active Exploitation · Gate 2 Blast Radius · Gate 3 Canadian

01 — // Lead Story — Deep Dive

Your Langflow AI Pipeline Is One Browser Visit Away From Full Compromise — CVE-2025-34291 Chains Three Design Flaws Into a No-Credential RCE
CISA confirmed active exploitation of CVE-2025-34291 on May 21, 2026. The vulnerability chains a permissive CORS policy, a SameSite=None authentication cookie, and an arbitrary Python execution endpoint into a complete account takeover and remote code execution path that requires no server-side foothold — only a browser visit from an authenticated user.
Langflow is the open-source visual platform used by developers and data scientists to build, test, and deploy LLM agent pipelines. It provides a drag-and-drop interface for connecting models, tools, memory stores, and APIs — and it ships with a Python code execution endpoint that is, by design, the point of the product. In version 1.6.9 and earlier, three weaknesses coexist in every Langflow deployment: the server accepts cross-origin requests from any origin with credentials attached (allow_origins='*' combined with allow_credentials=True); authentication is maintained through a refresh cookie set to SameSite=None; and the code execution endpoint accepts authenticated POST requests. The combination is a complete attack chain. Obsidian Security →
The attack requires no server-side foothold and no credentials from the attacker. An authenticated Langflow user visits a malicious web page — delivered by phishing, a poisoned Slack link, or a compromised third-party site — and that page makes a cross-origin request to the victim’s Langflow instance. Because the server allows any origin with credentials and the refresh token is a SameSite=None cookie, the browser attaches the victim’s session token automatically. The malicious page uses that token to call the code execution endpoint and run arbitrary Python. From that point, the attacker has the same access level as the authenticated user — which in most Langflow deployments means access to all configured API keys, model credentials, database connections, and pipeline data. CISA added CVE-2025-34291 (CVSS v4.0 9.4 / v3.1 8.8) to the Known Exploited Vulnerabilities catalog on May 21, 2026, confirming the vulnerability is being exploited in the wild. CISA KEV → NIST NVD →
The reason this vulnerability matters beyond the CVE mechanics is where Langflow sits in the organization. Unlike a vulnerability in a web server or a database, this one targets an AI development platform that is almost never in the security team’s line of sight. Developers spin up Langflow on internal infrastructure — sometimes behind a VPN, sometimes not — to prototype agent pipelines, connect to production APIs during testing, and iterate on LLM workflows. Security teams often have no inventory of these deployments. The asset may not appear in a software bill of materials, vulnerability scanner, or asset management system. NIST ID.AM-02 requires software inventories to be maintained; CVE-2025-34291 is a case study in what the gap costs when those inventories miss a class of tooling. You cannot patch what you do not know is running.
An upstream patch has not been confirmed as released. The Obsidian Security disclosure states that fixes are planned for version 1.7; at the time of writing, no fixed release is confirmed available. The immediate mitigation is environment-level: restrict CORS origins using the LANGFLOW_CORS_ORIGINS environment variable to trusted origins only, restrict network access to Langflow instances, and disable or air-gap deployments not actively in use. The broader action is an inventory audit. The three-step chain in the risk cards below is a diagnostic tool — any one of the three conditions broken independently eliminates the attack path.
// CVE-2025-34291 — Three Weaknesses, One Attack Chain
FLAW-01 — Critical: Permissive CORS With Credentials
Langflow’s default CORS configuration sets allow_origins='*' with allow_credentials=True — a combination the browser security model normally prohibits, but which Langflow achieves by reflecting the request origin back as the Access-Control-Allow-Origin header. Any web page can make credentialed cross-origin requests to the server.
Mitigation: set LANGFLOW_CORS_ORIGINS to an explicit trusted-origins allowlist.

FLAW-02 — Critical: SameSite=None Refresh Token Cookie
The authentication refresh token is stored in a cookie with SameSite=None, which instructs the browser to attach it to all cross-site requests. Combined with the permissive CORS policy, any page the victim visits can trigger an authenticated request to Langflow without the victim taking any action beyond page load.
Mitigation: SameSite cookie attributes require a code change; no environment-variable workaround exists.

FLAW-03 — Critical: Arbitrary Python Execution Endpoint
Langflow’s code execution endpoint is a legitimate product feature — it runs Python submitted by authenticated users. Flaws 01 and 02 convert this endpoint into a remote code execution vector accessible to any attacker who can deliver a malicious URL to an authenticated user. The endpoint itself is not the vulnerability; it is the consequence surface.
Mitigation: disable the endpoint on deployments where code execution is not actively needed, and restrict network access to the Langflow host.
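To turn the first two risk cards into something a defender can run against their own instance, here is an added example (it is not Langflow's code and not Obsidian Security's tooling). It takes the response headers a Langflow deployment returns to a request carrying a probe Origin header, plus its Set-Cookie lines, and reports whether FLAW-01 (probe origin reflected with Access-Control-Allow-Credentials: true) and FLAW-02 (refresh cookie marked SameSite=None) are present. The probe origin, the sample responses, the cookie name refresh_token_example and the assumption that the refresh cookie's name contains "refresh" are all constructed for this example; FLAW-03 is a product feature rather than a header you can inspect, so it is out of scope here.

```python
"""Classify a Langflow-style deployment's CORS and refresh-cookie settings.

Added example. Feed it the headers your own instance returns, for example
the output of:  curl -si -H "Origin: https://cors-probe.example" https://<your-langflow>/api/v1/...
The sample responses below are constructed, not captured from a real host.
"""
from __future__ import annotations

from dataclasses import dataclass
from http.cookies import SimpleCookie

# Constructed probe origin. A page on any origin can send this header, so the
# server must not echo it back alongside Allow-Credentials: true.
PROBE_ORIGIN = "https://cors-probe.example"


@dataclass(frozen=True)
class ChainAssessment:
    reflects_probe_origin: bool   # FLAW-01, part 1: arbitrary origin echoed back
    allows_credentials: bool      # FLAW-01, part 2: credentials accepted cross-origin
    refresh_cookie: str | None    # name of the cookie judged (None if none found)
    samesite_none: bool           # FLAW-02: browser will attach it cross-site

    @property
    def flaw_01(self) -> bool:
        # Reflection without credentials is not the flaw; the pair is.
        return self.reflects_probe_origin and self.allows_credentials

    @property
    def flaw_02(self) -> bool:
        return self.samesite_none

    @property
    def cross_site_auth_reachable(self) -> bool:
        # Both browser-side preconditions must hold for a page on another
        # origin to reach an authenticated endpoint with the victim's token.
        return self.flaw_01 and self.flaw_02


def _header(headers: dict[str, str], name: str) -> str | None:
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    wanted = name.lower()
    for key, value in headers.items():
        if key.lower() == wanted:
            return value.strip()
    return None


def assess_cors(headers: dict[str, str], probe_origin: str = PROBE_ORIGIN) -> tuple[bool, bool]:
    """Return (probe_origin_reflected, credentials_allowed) from response headers."""
    acao = _header(headers, "Access-Control-Allow-Origin")
    acac = _header(headers, "Access-Control-Allow-Credentials")
    reflected = acao == probe_origin
    credentials = acac is not None and acac.lower() == "true"
    return reflected, credentials


def assess_refresh_cookie(set_cookie_lines: list[str], name_hint: str = "refresh") -> tuple[str | None, bool]:
    """Find the refresh cookie and report whether it carries SameSite=None.

    Matching on 'refresh' in the cookie name is an assumption of this example;
    adjust the hint to the cookie name your deployment actually issues.
    """
    for raw in set_cookie_lines:
        jar = SimpleCookie()
        jar.load(raw)
        for name, morsel in jar.items():
            if name_hint in name.lower():
                # Morsel attributes are keyed lower-case; an absent SameSite is "".
                return name, morsel["samesite"].lower() == "none"
    return None, False


def assess(headers: dict[str, str], set_cookie_lines: list[str],
           probe_origin: str = PROBE_ORIGIN) -> ChainAssessment:
    reflected, credentials = assess_cors(headers, probe_origin)
    cookie, samesite_none = assess_refresh_cookie(set_cookie_lines)
    return ChainAssessment(reflected, credentials, cookie, samesite_none)


# --- constructed samples (placeholder cookie name and token) -----------------
VULNERABLE_HEADERS = {
    "Access-Control-Allow-Origin": PROBE_ORIGIN,   # probe origin echoed back
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin",
}
VULNERABLE_COOKIES = [
    "refresh_token_example=placeholder-token; HttpOnly; Path=/; SameSite=None; Secure",
]
HARDENED_HEADERS = {
    "Access-Control-Allow-Origin": "https://langflow.internal.example",  # explicit allowlist entry
    "Access-Control-Allow-Credentials": "true",
}
HARDENED_COOKIES = [
    "refresh_token_example=placeholder-token; HttpOnly; Path=/; SameSite=Lax; Secure",
]

if __name__ == "__main__":
    for label, hdrs, cookies in (("vulnerable", VULNERABLE_HEADERS, VULNERABLE_COOKIES),
                                 ("hardened", HARDENED_HEADERS, HARDENED_COOKIES)):
        a = assess(hdrs, cookies)
        print(f"{label}: FLAW-01={a.flaw_01} FLAW-02={a.flaw_02} chain={a.cross_site_auth_reachable}")
```

The hardened sample still answers with Access-Control-Allow-Credentials: true, which is fine once the allowed origin is a fixed allowlist entry rather than whatever the request supplied; the check deliberately treats reflection without credentials, and credentials without reflection, as not meeting FLAW-01.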
// Five Actions — Start This Week
[✓] Inventory every Langflow deployment in your environment. Ask engineering and data science leads directly — do not rely solely on asset management scans. Developers frequently deploy AI pipeline tooling on internal servers, cloud VMs, or personal workstations that do not appear in standard inventories.
[✓] For every identified deployment running version 1.6.9 or earlier: set LANGFLOW_CORS_ORIGINS to an explicit allowlist of trusted internal origins. Remove wildcard or open-origin configurations immediately.
[✓] Restrict network access to all Langflow instances. These platforms should not be reachable from the open internet. Confirm VPN or network-policy controls are in place and verify they are enforced — not just assumed.
[✓] Suspend deployments not actively in use. If a Langflow instance was stood up for a prototype or proof-of-concept that has since concluded, take it offline. Running an unmonitored AI pipeline platform as an artifact of past work is an unacceptable risk posture while active exploitation is confirmed.
[✓] Broaden the inventory to the full AI framework class. Ask the same questions about LangChain, AutoGen, CrewAI, and any internally built agent orchestration layer. The gap that makes CVE-2025-34291 dangerous — security teams not knowing these platforms are running — applies to the entire category.
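Once the inventory exists, the five actions above reduce to a triage rule per deployment. The following added example (not a Langflow or HARDENED tool) encodes that rule: idle prototypes are suspended rather than hardened, an open or unset LANGFLOW_CORS_ORIGINS is flagged P1 inside the stated affected range (1.6.9 or earlier) and P2 above it, and internet reachability is flagged regardless of version. The inventory records, the 30-day idle threshold and the assumption that LANGFLOW_CORS_ORIGINS is comma-separated are all constructed for the example; check your deployment's documentation for the variable's real format.

```python
"""Triage discovered Langflow deployments against the five actions above.

Added example, not a Langflow or HARDENED tool. The inventory below is
constructed; in practice the records come from container labels, package
metadata and the answers engineering and data-science leads give you.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# "version 1.6.9 or earlier" is the affected range stated in the action list.
AFFECTED_MAX_VERSION = (1, 6, 9)
# Assumed policy for this example: a prototype untouched for this long is
# suspended rather than hardened (action 4).
IDLE_SUSPEND_DAYS = 30


@dataclass
class Deployment:
    name: str
    owner: str
    version: str
    env: dict[str, str] = field(default_factory=dict)
    internet_reachable: bool = False
    days_since_last_use: int = 0


def parse_version(text: str) -> tuple[int, ...]:
    """Numeric tuple so 1.6.10 sorts after 1.6.9 (string comparison gets this wrong).

    A pre-release suffix such as '1.7.0rc1' is cut at the first non-digit.
    """
    parts: list[int] = []
    for piece in text.strip().lstrip("v").split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts)


def is_affected(version: str) -> bool:
    """True when the running version falls inside the advisory's stated range."""
    return parse_version(version) <= AFFECTED_MAX_VERSION


def cors_is_open(env: dict[str, str]) -> bool:
    """True unless LANGFLOW_CORS_ORIGINS holds an explicit allowlist.

    Unset means the allow-all default described in the advisory. The value is
    assumed here to be comma-separated (an assumption of this example).
    """
    value = env.get("LANGFLOW_CORS_ORIGINS")
    if value is None:
        return True
    origins = [o.strip() for o in value.split(",") if o.strip()]
    return not origins or "*" in origins


def triage(d: Deployment) -> list[str]:
    """Map one deployment onto the actions it needs, most urgent first."""
    if d.days_since_last_use >= IDLE_SUSPEND_DAYS:
        # Action 4: an unmonitored leftover is taken offline, not patched.
        return [f"SUSPEND: idle {d.days_since_last_use}d; take offline (owner: {d.owner})"]
    actions: list[str] = []
    if cors_is_open(d.env):
        # Action 2 for the affected range; a wildcard is still not an
        # allowlist on newer builds, so those are flagged at lower priority.
        prio = "P1" if is_affected(d.version) else "P2"
        actions.append(f"{prio} set LANGFLOW_CORS_ORIGINS to an explicit allowlist (v{d.version})")
    if d.internet_reachable:
        # Action 3: these platforms should not be reachable from the open internet.
        actions.append("P1 restrict network access (VPN / network policy)")
    if not actions:
        actions.append("OK: keep in inventory; re-check when a fixed release is confirmed")
    return actions


def triage_inventory(deployments: list[Deployment]) -> dict[str, list[str]]:
    return {d.name: triage(d) for d in deployments}


# Constructed inventory; none of these are real hosts.
INVENTORY = [
    Deployment("agent-proto-01", "platform-eng", "1.6.9", {}, internet_reachable=True, days_since_last_use=3),
    Deployment("rag-eval", "data-science", "1.6.10", {"LANGFLOW_CORS_ORIGINS": "*"}, days_since_last_use=5),
    Deployment("hr-automation", "people-ops", "1.6.4",
               {"LANGFLOW_CORS_ORIGINS": "https://langflow.internal.example"}, days_since_last_use=2),
    Deployment("hackathon-demo", "dev-rel", "1.5.0", {}, internet_reachable=True, days_since_last_use=90),
]

if __name__ == "__main__":
    for name, actions in triage_inventory(INVENTORY).items():
        print(name)
        for action in actions:
            print("  -", action)
```

The version parser is the part most inventory scripts get wrong: comparing "1.6.10" with "1.6.9" as strings puts the newer build inside the affected range, so the comparison is done on integer tuples.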

HARDENED does not endorse or recommend specific vendors. Tools are listed for awareness only.

AI Pipeline Platforms Are Now Part of the Regulatory Perimeter — Canadian Executives Need to Know It
Canada is among the world’s leading AI research and deployment markets. The federal government, major financial institutions, healthcare systems, and technology firms have all accelerated AI adoption over the past 24 months. That adoption has a security surface that regulatory frameworks are only beginning to map. CVE-2025-34291 is the sharpest illustration yet of the problem: a widely deployed AI development platform, exploitable with no credentials, invisible to most security programs, and now confirmed actively exploited. For Canadian executives, the question is not whether this is a problem worth tracking — it is whether their security programs have the visibility to detect it.
Framework 1 — Federal Privacy Law: PIPEDA — AI Pipeline Compromise Is a Reportable Breach Trigger
If an attacker exploits CVE-2025-34291 to gain code execution on a Langflow instance that processes personal data — customer records flowing through an AI pipeline, employee data used for an HR automation, patient records in a health-adjacent workflow — that compromise may trigger PIPEDA’s mandatory breach notification obligations. Under PIPEDA, organizations must report breaches that create a "real risk of significant harm" to the Privacy Commissioner of Canada and notify affected individuals. A threat actor with arbitrary code execution on an AI pipeline server has access to every dataset the pipeline touches.
Primary source: OPC — Mandatory Reporting of Breaches →

Framework 2 — Financial Sector Regulation: OSFI E-23 — AI Platforms Enter the Model Risk Perimeter
OSFI’s E-23 Model Risk Management Guideline (effective May 1, 2027 for federally regulated financial institutions) extends model governance to AI and machine learning systems used in business decision-making. Langflow deployments that build or operationalize models feeding into credit decisions, fraud detection, or customer risk scoring fall within that perimeter. The guideline requires FRFIs to maintain a model inventory, conduct validation, and manage model-related operational risk. A Langflow instance with no inventory entry and an unmitigated critical vulnerability is, under E-23, both a model governance gap and an operational risk event.
Primary source: OSFI — E-23 Model Risk Management →

Framework 3 — Threat Signal: CCCS — AI Development Tooling Is an Expanding Attack Surface
The Canadian Centre for Cyber Security’s National Cyber Threat Assessment (NCTA) 2025–2026 identifies AI-focused organizations — including AI labs and firms developing or deploying AI models — as higher-priority targets for cyber threat actors, and flags AI-assisted attacks as an expanding capability threat. CISA’s KEV confirmation of CVE-2025-34291 active exploitation is a direct signal relevant to any Canadian organization running Langflow or comparable platforms. CCCS guidance on software supply chain security and developer toolchain hygiene applies equally to AI pipeline frameworks — these are not a separate category; they are software, and they must be inventoried, patched, and monitored accordingly.
Primary source: CCCS — NCTA 2025–2026 →

03 — // On Our Radar + Patch Priority

// On Our Radar — Signals Worth Watching
→ CVE-2026-48172 (LiteSpeed cPanel Plugin, CVSS 10.0) — active exploitation confirmed: A logic flaw in the redisAble endpoint allows any cPanel tenant to escalate to root with a single malformed API call; active exploitation in the wild has been reported. Upgrade to LiteSpeed WHM Plugin v5.3.1.0 (bundles cPanel plugin v2.4.7). Organizations managing shared hosting or cPanel-based infrastructure should treat this as immediate. The Hacker News →
→ CVE-2026-34926 (Trend Micro Apex One, CVSS 6.7) — CISA KEV, post-compromise escalation: A directory traversal flaw (CWE-23, AV:L/PR:H) lets an attacker holding administrative credentials inject malicious code into a key system table, which Apex One then pushes to every connected endpoint agent across the managed fleet. On-premises builds below 14.0.0.17079 are affected; apply SP1 Critical Patch Build 18012. CISA added this to the KEV catalog May 21, 2026. NIST NVD →
→ Project Glasswing — AI finds thousands of vulnerabilities faster than teams can patch them: Anthropic reported May 22, 2026 that Project Glasswing — deploying Claude Mythos Preview to approximately 50 trusted partners — identified thousands of high- and critical-severity bugs in systemically important codebases within one month (secondary reporting puts the figure above 10,000). The operative signal for security leaders: the average patch time is two weeks, and partner organizations report the volume of findings has outpaced remediation capacity — leaving thousands of validated critical bugs unaddressed. AI-accelerated discovery without a scaled patching process creates a prioritization gap that attackers can exploit. Anthropic →
→ UEFI Secure Boot KEK certificate expiry — June 24, 2026 (30 days): Microsoft’s Corporation KEK CA 2011 expires June 24; the UEFI CA 2011 follows June 27; the Windows Production PCA 2011 expires October 2026. Organizations with dual-boot Linux configurations or air-gapped systems not receiving automatic firmware updates should confirm remediation plans now. Tracking since Issue #039. Microsoft Support →

// Patch Priority — This Week
P1 — NOW | CVE-2025-34291 — Langflow ≤1.6.9: set LANGFLOW_CORS_ORIGINS, restrict network access, suspend unused instances. CISA KEV; active exploitation confirmed May 21. | Dev / Cloud
P1 — NOW | CVE-2026-48172 — LiteSpeed cPanel Plugin ≤2.4.4: upgrade WHM Plugin to v5.3.1.0. Active exploitation in the wild; CVSS 10.0. | IT Ops
P2 — WEEK | CVE-2026-34926 — Trend Micro Apex One <14.0.0.17079: apply SP1 Critical Patch Build 18012. CISA KEV; post-compromise escalation to fleet-wide agent push. | IT Ops

HARDENED is published for general informational and educational purposes. All threat data is sourced from publicly available security research and cited accordingly. This newsletter does not constitute professional security advice. Security configurations and threat landscapes vary by organization. Consult a qualified security professional for implementation guidance specific to your environment. All data as of May 25, 2026. How we work: HARDENED uses AI agents for research, drafting, and automation. Every issue is reviewed by humans before publication. If you spot an error, reply directly — we correct the record promptly. hardened.news