Langflow RCE flaw exploited by Iranian MuddyWater
Key insights
- CVE-2025-34291 in Langflow combines CORS misconfiguration with SameSite=None cookies to reach an authenticated RCE endpoint without attacker privileges.
- Iranian state group MuddyWater has already weaponized this flaw for initial network access in real-world intrusion campaigns.
- Federal civilian agencies must patch Langflow by June 4, 2026 under CISA's Known Exploited Vulnerabilities binding directive.
Why this matters
AI agent builders like Langflow sit inside enterprise and government networks as trusted orchestration layers, meaning a single unpatched instance can hand an attacker authenticated code execution against whatever infrastructure the workflow touches. The fact that MuddyWater -- a persistent, Iranian state-linked group -- chose Langflow as an initial access vector signals that adversaries are now actively mapping AI development toolchains as attack surfaces, not just production APIs. Any team running self-hosted LangChain infrastructure, open-source agent builders, or similar orchestration tools needs to treat their AI tooling with the same patch urgency as edge devices and VPNs.
Summary
CISA confirmed active exploitation of a critical vulnerability in Langflow, the open-source drag-and-drop builder used to deploy LangChain-based AI agent workflows, adding CVE-2025-34291 to its Known Exploited Vulnerabilities catalog on May 21.
The flaw, scored 9.4 on CVSS, is a combination attack: an overly permissive CORS configuration paired with SameSite=None cookie settings lets any malicious webpage fire credentialed cross-origin requests directly at an authenticated code-execution endpoint. The attacker needs no special privileges: a victim just has to be logged in and visit the wrong page.
Essentially, a nation-state actor (the Iranian state group MuddyWater) is using a misconfiguration in an AI infrastructure tool (Langflow) as an initial access vector into federal and enterprise networks.
- CVE-2025-34291 carries a CVSS 9.4 and reaches a code-execution endpoint, making successful exploitation functionally equivalent to remote shell access.
- MuddyWater, linked to Iranian intelligence, has used this flaw for initial network access -- meaning it's already past the proof-of-concept stage.
- Federal civilian agencies face a hard patch deadline of June 4, 2026 under CISA's binding operational directive.
AI agent infrastructure is now a named attack surface in nation-state playbooks, not a theoretical concern.
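A defender-side check for the CORS-plus-SameSite=None combination described in the summary, added here as an example (it is not Langflow's or CISA's code). Given the headers an application returns to a request carrying an untrusted Origin, plus its Set-Cookie lines, it reports whether a browser would both attach the session cookie cross-site and let the foreign origin read the reply. The origin, cookie name and header samples are constructed.

```python
from http.cookies import SimpleCookie

UNTRUSTED_ORIGIN = "https://probe.example"  # constructed: an origin the app must not trust

def cors_allows_credentials(origin, headers):
    """True if a browser would let `origin` read a credentialed response."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    allow_creds = h.get("access-control-allow-credentials", "").lower() == "true"
    # Browsers reject "*" on credentialed requests, so the risky case is a
    # server that echoes or lists the untrusted origin itself.
    return allow_creds and h.get("access-control-allow-origin", "") == origin

def cross_site_cookies(set_cookie_lines):
    """Names of cookies marked SameSite=None, i.e. attached to cross-site requests."""
    names = []
    for line in set_cookie_lines:
        jar = SimpleCookie()
        jar.load(line)
        names += [n for n, m in jar.items() if m["samesite"].lower() == "none"]
    return names

def audit(origin, headers, set_cookie_lines):
    """Flag a deployment only when both halves of the combination are present."""
    cors = cors_allows_credentials(origin, headers)
    cookies = cross_site_cookies(set_cookie_lines)
    return {"credentialed_cors": cors, "cross_site_cookies": cookies,
            "exposed": cors and bool(cookies)}

# Constructed samples: (response headers, Set-Cookie lines)
WEAK = ({"Access-Control-Allow-Origin": UNTRUSTED_ORIGIN,
         "Access-Control-Allow-Credentials": "true"},
        ["session=constructed; Path=/; Secure; HttpOnly; SameSite=None"])
HARDENED = ({},  # the untrusted origin receives no CORS grant
            ["session=constructed; Path=/; Secure; HttpOnly; SameSite=Lax"])

if __name__ == "__main__":
    for label, (hdrs, cookies) in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit(UNTRUSTED_ORIGIN, hdrs, cookies))
```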
Potential risks and opportunities
Risks
- Organizations running unpatched self-hosted Langflow instances after June 4 face both CISA compliance violations and continued exposure to MuddyWater's access campaigns, which could pivot to data exfiltration or lateral movement within AI pipeline infrastructure.
- LangChain's broader ecosystem reputation takes collateral damage if other self-hosted deployment surfaces (LangServe, LangGraph) are found to share the same CORS/SameSite misconfiguration pattern, triggering a wave of CVE disclosures across the stack.
- Enterprises that integrated Langflow into internal AI agent workflows without network segmentation may find MuddyWater already has dwell-time access to adjacent systems, with detection timelines measured in months given the group's known persistence tradecraft.
Opportunities
- API security and AI infrastructure hardening vendors (Traceable AI, Salt Security, Wallarm) can directly address the CORS-plus-authenticated-endpoint attack class that this CVE represents, and now have a named CVE to anchor sales conversations.
- Managed AI platform providers (Vertex AI Agent Builder, Azure AI Foundry) gain a concrete competitive argument over self-hosted open-source orchestration tools, pointing to the operational security overhead of running unpatched Langflow in enterprise environments.
- Threat intelligence firms with Iranian APT coverage (Mandiant, Recorded Future, CrowdStrike) can productize MuddyWater's pivot to AI toolchain targeting as a distinct intelligence product line for customers running LangChain-based infrastructure.
What we don't know yet
- Whether Langflow's maintainers issued a patched release before or after CISA's May 21 catalog addition, and what the lag time was between disclosure and available fix.
- Which specific federal agencies or enterprise verticals MuddyWater successfully accessed via this flaw -- CISA's advisory did not name affected organizations.
- Whether SameSite=None cookie defaults in other LangChain-adjacent tools (LangServe, LangGraph deployments) carry analogous CORS exposure that hasn't yet been cataloged.
Originally reported by thehackernews.com
Original headline: CISA Adds Langflow AI Agent Builder to Known Exploited Vulnerabilities — CORS Flaw Enabling RCE Actively Exploited by Iranian State Group MuddyWater