Technical description
Langflow, an AI agent and workflow platform used to build language-model-driven applications, contains an origin validation error vulnerability stemming from overly permissive CORS configuration combined with a refresh token cookie configured as SameSite=None. A malicious webpage can perform cross-origin requests that include credentials and successfully call the refresh endpoint, enabling authenticated access and potential paths to remote code execution.
Attack vector
An attacker hosts a malicious page and tricks a victim with an active Langflow session into visiting it. The page sends cross-origin requests to the Langflow instance; due to the permissive CORS policy and cookie configuration, the victim's browser attaches credentials. The attacker can then obtain tokens, hijack the session, and potentially execute code through Langflow's workflow orchestration capabilities.
Affected systems
Langflow versions prior to 1.9.3. Organizations using Langflow for AI agent development, workflow automation, or LLM orchestration are affected.
Mitigation
Upgrade to Langflow 1.9.3 or later. Apply mitigations per vendor instructions and follow applicable BOD 22-01 guidance for cloud services, or discontinue use if mitigations are unavailable. Federal civilian agencies must apply mitigations by June 4, 2026, per CISA KEV requirement.