TL;DR: On May 21, 2026, CISA added Langflow CVE-2025-34291 to the Known Exploited Vulnerabilities (KEV) catalog, confirming active in-the-wild exploitation of a CVSS 9.4 account-takeover and remote-code-execution vulnerability in the popular open-source visual AI workflow framework. Per Obsidian Security's deep technical write-up, the flaw chains an overly permissive CORS configuration with a refresh-token cookie set to SameSite=None and a code-execution endpoint that runs Python by design. Reporting in Cyber Security News attributes some exploitation activity to the Iranian state-sponsored MuddyWater group, with separate Trend Micro research linking exploitation to the Flodric botnet. For NC small businesses that have quietly stood up Langflow, n8n, Flowise, or other "drag-and-drop AI" tools on a developer laptop or a spare VM, this is the moment to inventory, patch, and gate access before the next breach starts inside your own AI workflow.
Key takeaway: Shadow AI is no longer a governance abstraction. A single Langflow instance with default settings, exposed to the internet, and connected to your Microsoft 365 / Google Workspace tokens is a working RCE-to-tenant pivot. NC small businesses must treat AI agent platforms as Tier-1 production infrastructure, not as developer experiments.
Need a shadow-AI audit and AI tool hardening sprint? Preferred Data Corporation has provided AI transformation, managed IT, and cybersecurity services to NC small businesses since 1987. Call (336) 886-3282 or request an AI infrastructure assessment. Serving the Piedmont Triad, Charlotte, and Raleigh metros.
What is Langflow and why are NC small businesses running it?
Langflow is an open-source visual framework that lets developers and non-developers build multi-agent AI applications by dragging and connecting components that wrap large language models, vector databases, and tool integrations. Per Obsidian Security's analysis, the project has tens of thousands of GitHub stars and is widely deployed for prototypes that quietly graduate into production - customer support copilots, internal knowledge bots, RAG pipelines, sales-research agents.
The reason NC SMBs are running it: Langflow lowers the bar to build production-looking AI workflows without hiring an ML engineer. A small manufacturer's IT lead, a construction firm's office manager, or a professional services partner can stand up a working AI agent in an afternoon. That same accessibility is also what makes it dangerous when it inherits OAuth tokens, API keys, and database credentials from the rest of the business.
What is CVE-2025-34291 and why did CISA add it to the KEV catalog?
CVE-2025-34291 is a CVSS v4.0 9.4 vulnerability that, per Obsidian Security's technical analysis and the CISA KEV listing, chains three weaknesses in Langflow:
- Overly permissive CORS configuration that allows cross-origin requests with credentials from any origin
- A refresh-token cookie with SameSite=None and missing CSRF protection on the refresh endpoint, so a malicious page can silently call the refresh endpoint as the logged-in user
- A code-validation endpoint that executes Python by design, which converts the account takeover into remote code execution
The practical attack: an authenticated Langflow user visits a malicious or compromised webpage. The attacker's JavaScript silently posts to the victim's Langflow instance using the victim's cookies, refreshes tokens, and then submits a "validate this code" request that runs attacker-controlled Python on the Langflow host. Game over.
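The two configuration weaknesses at the front of that chain are visible in plain HTTP response headers, so a defender can check for them without touching the code-execution endpoint. The following is an added example (not Langflow project code) that audits a response to a request carrying an attacker-chosen Origin header; the sample headers and the origin names are constructed.

```python
"""Audit an HTTP response for the CORS and cookie weaknesses that
CVE-2025-34291 chains: credentialed CORS reflected for an arbitrary origin,
and a refresh-token cookie marked SameSite=None. Added example with
constructed sample headers, not captured from a real Langflow instance."""
from typing import Dict, List


def parse_set_cookie(header: str) -> Dict[str, object]:
    """Extract the cookie name and the SameSite/Secure attributes from one Set-Cookie line."""
    parts = [p.strip() for p in header.split(";")]
    attrs: Dict[str, object] = {"name": parts[0].split("=", 1)[0], "samesite": "", "secure": False}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        key = key.strip().lower()
        if key == "samesite":
            attrs["samesite"] = val.strip().lower()
        elif key == "secure":
            attrs["secure"] = True
    return attrs


def audit_response(headers: Dict[str, str], set_cookies: List[str], probe_origin: str) -> List[str]:
    """headers/set_cookies: the response to a request sent with 'Origin: probe_origin'."""
    findings: List[str] = []
    lower = {k.lower(): v for k, v in headers.items()}
    acao = lower.get("access-control-allow-origin", "")
    credentialed = lower.get("access-control-allow-credentials", "").strip().lower() == "true"
    # Reflecting an untrusted origin together with Allow-Credentials: true is the
    # dangerous form; a wildcard with credentials is rejected by browsers but still
    # shows the intent to allow any origin, so it is reported as well.
    if credentialed and acao == probe_origin:
        findings.append(f"CORS reflects untrusted origin {acao} with credentials")
    elif credentialed and acao == "*":
        findings.append("CORS wildcard combined with Allow-Credentials: true")
    for raw in set_cookies:
        cookie = parse_set_cookie(raw)
        if cookie["samesite"] == "none":
            findings.append(f"cookie {cookie['name']} is SameSite=None (sent on cross-site requests)")
    return findings


# Constructed samples: a default-style weak response and a hardened one.
PROBE_ORIGIN = "https://untrusted.example"
WEAK_HEADERS = {"Access-Control-Allow-Origin": PROBE_ORIGIN, "Access-Control-Allow-Credentials": "true"}
WEAK_COOKIES = ["refresh_token=abc123; Path=/; HttpOnly; Secure; SameSite=None"]
HARDENED_HEADERS = {"Access-Control-Allow-Origin": "https://langflow.corp.example",
                    "Access-Control-Allow-Credentials": "true"}
HARDENED_COOKIES = ["refresh_token=abc123; Path=/; HttpOnly; Secure; SameSite=Lax"]
```

Run `audit_response` against a live instance by replaying a single GET with a throwaway Origin header and feeding it the response headers; two findings mean the instance still has the pre-patch posture.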
CISA added the CVE to the KEV catalog on May 21, 2026, with a June 4, 2026 federal remediation deadline, which is the agency's standard signal that "this is being exploited right now, prioritize it."
Who is exploiting CVE-2025-34291 in May 2026?
Per Cyber Security News' reporting and Trend Micro's threat intelligence, at least two distinct threat clusters are exploiting CVE-2025-34291 in the wild:
| Actor | Motivation | Activity |
|---|---|---|
| Flodric botnet operator | Financial / commodity | Mass-scanning exposed Langflow instances for cryptomining and tooling deployment |
| MuddyWater (Iran-nexus) | State-sponsored espionage | Targeted exploitation for initial access into networks of interest |
| Initial access brokers | Financial | Selling Langflow-compromised footholds to ransomware affiliates |
For an NC SMB, the most likely first contact is the Flodric botnet's mass scan, not a targeted MuddyWater operation. But because Langflow instances often hold integration credentials to Microsoft 365, Google Workspace, Slack, Salesforce, and internal databases, even an opportunistic infection can cascade into a tenant compromise within hours.
How does Langflow exploitation cascade into a full business compromise?
The risk is not "Langflow runs Python," it is "Langflow holds the keys to everything else." Per Obsidian Security's incident analysis, a compromised Langflow instance typically yields:
- OAuth tokens for Google Workspace, Microsoft 365, Slack, HubSpot, Salesforce, etc., scoped to whatever permissions the workflow author granted
- API keys for OpenAI, Anthropic, Pinecone, Weaviate, and other AI infrastructure providers
- Database credentials stored as connection strings for RAG pipelines
- SSH keys, Git tokens, AWS / Azure / GCP credentials copied into the flow as "secrets"
- Customer data that has flowed through the agent's prompts and outputs
Many of these tokens persist after password rotations and bypass multi-factor authentication, mirroring the Vercel OAuth supply chain pattern we documented in April 2026.
What is the practical 72-hour Langflow defense plan for NC small businesses?
A defensible 72-hour response that compresses cleanup into one work-week:
| Hour | Action | Owner |
|---|---|---|
| 0-4 | Inventory: identify every Langflow / Flowise / n8n / Dify / similar AI workflow tool in the business | IT / IT partner |
| 4-8 | Determine internet exposure for each instance (DNS, reverse proxy, port-forward, ngrok tunnel) | IT |
| 8-24 | Upgrade Langflow to the latest patched release per the project's security advisory | IT |
| 24-36 | Block public access; force authentication via SSO or VPN gateway | IT |
| 36-48 | Rotate every OAuth grant, API key, and database credential the instance held | Workflow owners |
| 48-60 | Search authentication logs for unfamiliar tokens, browser fingerprints, and IPs | IT / managed security partner |
| 60-72 | Re-baseline: document the AI tool inventory, owner, data scope, and authentication mode | Operations lead |
For an NC SMB with no dedicated security staff, this is a realistic two-engineer week. A managed cybersecurity partner can compress it to 48 hours with prebuilt runbooks.
How do we tell whether a Langflow instance has been compromised?
Per Trend Micro's analysis cited in The Hacker News reporting, indicators of compromise that NC SMBs should look for:
- Unfamiliar Python processes spawned by the Langflow user account on the host
- Outbound connections to mining pools (Flodric botnet pattern)
- Newly created flows with names like validate, system, eval, or random strings
- Unexpected flow_run records in the Langflow database for flows the team did not author
- Suspicious activity in connected SaaS tenants within 24-72 hours of a Langflow patch lag (Microsoft 365 sign-in anomalies, Google Workspace OAuth grants the team did not authorize, unusual Salesforce or HubSpot API usage)
If any indicator appears, treat the host as compromised: isolate, image, rebuild, and rotate all connected credentials.
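The two database-side indicators above (suspicious flow names and flow_run records for unauthored flows) can be checked mechanically. The following is an added example with constructed records; the record field names (`id`, `name`, `flow_id`, `started_at`) are assumptions for illustration, not the Langflow schema, and the "random string" test is a heuristic.

```python
"""Flag Langflow flow and flow_run records matching the compromise indicators
above. Added example: the records are constructed and the field names are
assumed, not taken from the Langflow database schema."""
import re
from typing import Dict, Iterable, List, Set, Tuple

# Flow names Trend Micro's analysis (as cited above) associates with post-exploitation.
SUSPECT_NAMES = {"validate", "system", "eval"}


def looks_random(name: str) -> bool:
    """Heuristic: any 8+ character token that mixes letters and digits or has no vowels."""
    for token in re.split(r"[\s_\-]+", name):
        if len(token) >= 8 and re.fullmatch(r"[A-Za-z0-9]+", token):
            has_digit = any(ch.isdigit() for ch in token)
            has_alpha = any(ch.isalpha() for ch in token)
            no_vowel = re.search(r"[aeiouAEIOU]", token) is None
            if (has_digit and has_alpha) or no_vowel:
                return True
    return False


def find_indicators(flows: Iterable[Dict[str, str]], runs: Iterable[Dict[str, str]],
                    authored_ids: Set[str]) -> List[Tuple[str, str]]:
    """Return (flow_id, reason) pairs for flows and runs that merit investigation."""
    findings: List[Tuple[str, str]] = []
    for flow in flows:
        name = flow["name"].strip()
        if name.lower() in SUSPECT_NAMES:
            findings.append((flow["id"], f"flow name '{name}' matches a known indicator"))
        elif looks_random(name):
            findings.append((flow["id"], f"flow name '{name}' looks machine-generated"))
    for run in runs:
        if run["flow_id"] not in authored_ids:
            findings.append((run["flow_id"], f"flow_run at {run['started_at']} for a flow the team did not author"))
    return findings


# Constructed sample data: two legitimate flows, one named 'validate', one random string.
FLOWS = [
    {"id": "f-001", "name": "Customer Support Bot"},
    {"id": "f-002", "name": "sales_research_v2"},
    {"id": "f-003", "name": "validate"},
    {"id": "f-004", "name": "x7kq2p9vz3"},
]
RUNS = [
    {"flow_id": "f-001", "started_at": "2026-05-22T09:14:00Z"},
    {"flow_id": "f-003", "started_at": "2026-05-22T03:02:11Z"},
    {"flow_id": "f-004", "started_at": "2026-05-22T03:05:47Z"},
]
AUTHORED_FLOW_IDS = {"f-001", "f-002"}  # the inventory of flows the team owns
```

Export the flow and flow_run tables from the instance's database to the same shape and keep the authored-flow list from the AI tool inventory as the allowlist.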
What does a defensible AI tool governance baseline look like for NC SMBs?
Three durable controls move an NC SMB from "exposed" to "managed":
1. AI tool inventory and ownership
Every AI tool in the business gets an entry in a single spreadsheet or registry with: tool name, version, host, owner, data classification, integration list, authentication mode, patch cadence, and last-reviewed date. This converts shadow AI into managed AI and is the foundation of any AI governance program aligned to NIST AI RMF.
2. Network gating
AI workflow platforms should never be directly internet-exposed. Put every Langflow / Flowise / n8n / Dify instance behind SSO, VPN, or a reverse proxy with authentication. This single control eliminates 90%+ of the mass-scanning exposure that the Flodric botnet relies on.
3. Least-privilege integration scoping
Every OAuth grant, API key, and database credential connected to an AI workflow gets scoped to the minimum required permissions. A customer-research agent does not need write access to the CRM. A document Q&A bot does not need send-email permissions. This bounds the blast radius of the next CVE.
These three controls also satisfy the operational requirements emerging in state AI laws like Colorado SB 26-189 (signed May 14, 2026), California's AI transparency rules, and the EU AI Act's deployer obligations.
How does this fit into the broader May 2026 AI security picture?
CVE-2025-34291 is the highest-profile AI workflow CVE so far in 2026, but it is not isolated. The broader pattern across May 2026 is the convergence of three trends:
- AI agent platforms moving from prototype to production faster than security review cycles
- Attackers (criminal and state-sponsored) building tooling specifically for AI agent platforms because they yield rich credential harvests
- CISA and other agencies adding AI tool CVEs to the KEV catalog at an accelerating pace
For NC small businesses, the strategic implication is that AI tool security is now a discrete IT discipline, not a subset of general application security. It requires inventories, runbooks, patch cadences, and identity controls of its own.
How does Preferred Data Corporation help NC small businesses harden AI tool deployments?
We run shadow-AI assessments that find every AI workflow, model endpoint, and self-hosted LLM in use across the business. We implement AI tool inventories and ownership registries. We build patch and rotation runbooks for Langflow, Flowise, n8n, Dify, LiteLLM, and similar platforms. We integrate AI workflow logging into managed SOC monitoring so a credential-harvest pattern triggers an alert in minutes, not days. And we align the program to NIST AI RMF and your relevant state-AI obligations, including Colorado SB 26-189 and EU AI Act deployer requirements where applicable.
Frequently Asked Questions
What is CVE-2025-34291 in plain English?
A bug in the popular open-source AI workflow tool Langflow that lets an attacker take over a logged-in user's account and run arbitrary code on the Langflow server, just by getting the user to visit a malicious webpage. CISA added it to the Known Exploited Vulnerabilities catalog on May 21, 2026 because it is being exploited in the wild.
Should I uninstall Langflow?
Not necessarily. Langflow is a legitimate tool with a strong security response. The correct posture is: upgrade to the latest patched release, put it behind SSO or VPN, scope its integrations to least privilege, and assign an owner who reviews it quarterly. Uninstall only if no one in the business can identify why it was installed in the first place.
How do we know what AI tools are in use across our small business?
Start with a five-minute survey to each department: "What AI tools, agent platforms, or LLM apps are you using or have you tried?" Cross-check against Microsoft 365 / Google Workspace admin OAuth grants, expense reports, and DNS logs. Most NC SMBs find 8-20 AI tools in use, of which 2-5 are unsanctioned. This is the starting inventory for a shadow-AI program.
What is the difference between this Langflow vulnerability and the Vercel breach?
Both involve OAuth tokens cascading into a broader compromise. The Vercel breach started with info-stealer malware on a third-party laptop and rode pre-authorized OAuth grants into a partner tenant. CVE-2025-34291 starts with a vulnerability in a self-hosted AI tool that, once exploited, yields the same kind of OAuth tokens. Different starting points, same blast radius. See our Vercel OAuth supply chain analysis for the broader pattern.
Does the 40-employee Colorado AI Act carve-out cover Langflow exploitation risk?
The Colorado SB 26-189 small-employer carve-out reduces compliance obligations under that statute, but it does not change the cybersecurity exposure created by an exploitable AI tool. Even a 10-employee NC SMB with one Langflow instance and a Microsoft 365 OAuth grant has the same CVE-2025-34291 blast radius as a 500-employee firm. See our Colorado SB 26-189 compliance breakdown for the regulatory detail.
What does a managed AI security engagement actually cost?
A defensible AI tool security program for a 50-200 employee NC SMB typically runs $8,000-$20,000 for initial inventory, hardening, and runbook implementation, plus $750-$2,500 per month for ongoing patch management, monitoring, and credential rotation. Costs scale with the number of in-scope AI tools, not headcount.
What other AI workflow tools have similar exposure to Langflow?
n8n, Flowise, Dify, LiteLLM, AutoGPT-style orchestrators, and many self-hosted LLM gateways share the same architectural pattern: a web UI that stores integration credentials and runs code on behalf of authenticated users. None are inherently dangerous, but all warrant the same inventory, patching, network gating, and least-privilege scoping discipline. Treat them as Tier-1 production systems.
Related Resources
- Vercel OAuth breach: SaaS supply chain risk for NC SMBs
- Colorado SB 26-189 signed: NC small business AI compliance reset
- AI governance for small business risk management
- Shadow AI SaaS apps breach risk for small business NC
- Exposed self-hosted AI LLM infrastructure small business NC
- AI transformation services for NC businesses
- Managed cybersecurity for North Carolina small businesses
About the author: Preferred Data Corporation has provided managed IT, AI transformation, and cybersecurity services to North Carolina small businesses since 1987. Based at 1208 Eastchester Drive, Suite 131, High Point, NC 27265, we serve manufacturers, construction firms, and professional services organizations across the Piedmont Triad, Charlotte, and Raleigh metros. Call (336) 886-3282 or request a shadow-AI assessment.