Tags: Zero-Day, CISA, KEV, AI Security, Supply Chain, Data Security

Langflow CVE-2025-34291 Hands Over the AI Orchestrator's Credential Stash


CISA added CVE-2025-34291 to the Known Exploited Vulnerabilities catalog on May 21, 2026, with a Federal Civilian Executive Branch remediation deadline of June 4, 2026. The vulnerability lives in Langflow, an open-source AI agent and workflow platform with more than 140,000 GitHub stars. The CVSS v4.0 score is 9.4. The precondition is a single browser visit: an authenticated Langflow user who loads an attacker-controlled webpage hands the attacker complete account takeover and remote code execution against the Langflow workspace. Active exploitation was first observed on January 23, 2026. The patch landed in Langflow 1.9.3.

The patch closes the vulnerability. The architectural question that the disclosure raises is what the attacker reaches once the takeover succeeds, and whether the answer needs to be different the next time an AI orchestrator ships a vulnerable release.

What the exploit chain assembles

Three configuration defaults compose into the takeover path. The default CORS policy on the Langflow API sets allow_origins='*' together with allow_credentials=True. A browser refuses to honor a literal '*' on a credentialed response, but the Starlette CORS middleware underneath Langflow's FastAPI application reflects the requesting Origin when a cookie is present on a wildcard configuration, so the default amounts to origin reflection with credentials. The token refresh endpoint sets the refresh cookie with SameSite=None, so the browser attaches it to cross-site requests. The code validation endpoint executes submitted code by design. A malicious page visited by an authenticated Langflow user issues a cross-origin request that carries the refresh cookie, reads the fresh access token out of the response, and submits that token to the code validation endpoint. The endpoint runs attacker-supplied code under the authenticated user's session. The session reaches every credential the workspace holds.

The takeover is not a memory corruption exploit. It is not a deserialization sink. It is a composition of permissive defaults that are individually unremarkable and collectively catastrophic. The combination is the disclosure surface. The platform's threat model assumed origin separation, cookie SameSite enforcement, and a code endpoint reserved for trusted callers. Each assumption was load-bearing, and the default configuration violated all three at once.
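The composition can be checked offline. The following Python is an added example for this post, not code from the Langflow project or from Lattix: it models the browser's SameSite cookie-attachment rule, the credentialed-CORS read check, and the way Starlette's CORSMiddleware (the CORS layer under FastAPI applications such as Langflow) answers a cookie-bearing request on a wildcard configuration by reflecting the caller's Origin. The origins are constructed placeholders and endpoint paths are not modeled.

```python
"""Model of the three Langflow defaults that compose into the token-theft step.

Added example; the browser rules follow the Fetch and cookie specifications,
the server rule follows Starlette's CORSMiddleware. Origins are constructed.
"""
from dataclasses import dataclass
from typing import Dict, Tuple


@dataclass(frozen=True)
class CorsConfig:
    allow_origins: Tuple[str, ...]   # ("*",) or an explicit allowlist
    allow_credentials: bool


@dataclass(frozen=True)
class Cookie:
    same_site: str                    # "None", "Lax" or "Strict"


def browser_sends_cookie(cookie: Cookie, page_origin: str, target_origin: str) -> bool:
    """SameSite decision for a fetch() issued by script on page_origin to target_origin."""
    if page_origin == target_origin:
        return True
    # Lax releases the cookie only on top-level cross-site navigations with safe methods;
    # a script-initiated fetch() is neither, so Lax and Strict both withhold it.
    return cookie.same_site == "None"


def server_cors_headers(cfg: CorsConfig, origin: str, has_cookie: bool) -> Dict[str, str]:
    """Headers Starlette's CORSMiddleware emits on a simple (non-preflight) response."""
    headers: Dict[str, str] = {}
    if "*" in cfg.allow_origins:
        # Starlette sends the literal '*' unless the request carried a cookie, in which
        # case it reflects the specific Origin, because '*' cannot pair with credentials.
        headers["Access-Control-Allow-Origin"] = origin if has_cookie else "*"
    elif origin in cfg.allow_origins:
        headers["Access-Control-Allow-Origin"] = origin
    if cfg.allow_credentials:
        headers["Access-Control-Allow-Credentials"] = "true"
    return headers


def browser_can_read(headers: Dict[str, str], origin: str, credentialed: bool) -> bool:
    """The check a browser applies before exposing a cross-origin response body to script."""
    acao = headers.get("Access-Control-Allow-Origin")
    if acao is None:
        return False
    if credentialed:
        # A credentialed response needs an exact Origin echo plus ACAC: true; '*' is rejected.
        return acao == origin and headers.get("Access-Control-Allow-Credentials") == "true"
    return acao in ("*", origin)


def attacker_reads_fresh_token(cfg: CorsConfig, refresh_cookie: Cookie,
                               attacker_origin: str = "https://attacker.example",
                               langflow_origin: str = "https://langflow.internal.example") -> bool:
    """Step one of the chain: can a page on attacker_origin mint and read an access token?"""
    if not browser_sends_cookie(refresh_cookie, attacker_origin, langflow_origin):
        return False                  # no refresh cookie, nothing for the endpoint to refresh
    headers = server_cors_headers(cfg, attacker_origin, has_cookie=True)
    return browser_can_read(headers, attacker_origin, credentialed=True)


def evaluate_defaults() -> Dict[str, bool]:
    """The shipping defaults beside the two single changes that each break the chain."""
    wildcard = CorsConfig(allow_origins=("*",), allow_credentials=True)
    allowlist = CorsConfig(allow_origins=("https://langflow.internal.example",),
                           allow_credentials=True)
    return {
        "shipping defaults": attacker_reads_fresh_token(wildcard, Cookie("None")),
        "explicit origin allowlist": attacker_reads_fresh_token(allowlist, Cookie("None")),
        "SameSite=Lax refresh cookie": attacker_reads_fresh_token(wildcard, Cookie("Lax")),
    }


if __name__ == "__main__":
    for setting, readable in evaluate_defaults().items():
        print(f"{setting:28s} token readable cross-origin: {readable}")
```

Only the first step is governed by CORS. Once the page has read the access token it can post it to the attacker's own server, and the code validation endpoint can then be called from there with an ordinary Authorization header, so the origin check never runs again. In the model, either of the two single changes in evaluate_defaults breaks the chain, which is why the defaults, not the endpoint, are the disclosure surface.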

What the workspace holds

The harvested material is the operator's full AI credential stash. Langflow stores LLM provider API keys for OpenAI, Anthropic, Google, Mistral, and the long tail of inference vendors. It stores third-party service tokens for vector databases, retrieval back ends, search providers, and tool APIs. It stores database credentials for the storage layers that AI workflows write into. A single Langflow workspace concentrates more high-value credential material than a typical developer workstation, because operating AI workflows across the stack requires every one of those credentials in one place.

The credential class matters here. An OpenAI or Anthropic API key in an attacker's hands replays cleanly. The receiving system accepts the request from a new origin because the credential carries no attribute that ties it to the original origin, the original principal, the original workload, or the original time window. The replay produces inference calls, token spend, and model access at the attacker's discretion. A vector database credential reaches the embedded representations of the operator's proprietary data. A retrieval backend credential reaches the documents the operator's agents draw from.

Why the AI orchestrator is the concentrated surface

The AI agent and orchestration tier has become the architecture's credential aggregator. The orchestrator is the layer that needs to call every model, every retrieval surface, every database, and every tool API in sequence. That is its job. The implementation reality of the layer is that the credentials accumulate inside it as bearer strings in a workspace configuration store. A compromise of the orchestrator is, by structure, a compromise of every downstream system the orchestrator was wired to.

The Mercor incident in April 2026 was a credential pivot through a poisoned LiteLLM package. The Nx Console incident in May 2026 was a credential pivot through a malicious VS Code extension. The Langflow disclosure is the third instance of the same pattern in 2026. The vector differs each time. The pivot is identical each time. Static bearer credentials at a developer or operator surface are the common layer that every variant runs through.

Treating AI credentials as policy-bound data

The structural response is the same as it was for the Nx Console incident and the same as it will be for the next variant. Credentials are data. Bearer strings are data with no policy attached. Policy-bound data objects bind a release policy to the credential through cryptographic enforcement, evaluate the release against principal, host, time, and scope attributes at a policy enforcement point, and write a tamper-evident lineage record on every release decision.

In that architecture, an OpenAI API key inside a Langflow workspace is not a bearer string in a configuration store. It is a wrapped data object with an attribute-based release policy. The Langflow process retrieves the wrapped object at the moment it needs to issue a request to OpenAI. The policy enforcement point evaluates the request context, including the host attribute, the calling principal, the time window, and the scope of the requested call. The policy decision returns the unwrapped credential when the context matches and a fail-closed denial when the context does not. An attacker who lands inside the Langflow process through the CORS chain holds wrapped material that fails to unwrap outside the policy. The binding only holds if the enforcement point sits outside the compromised process and the release is scoped to the specific outbound call: code executing inside Langflow inherits the process's own principal and host attributes, so a policy that checked nothing else would release to it.

The model extends to every other credential the orchestrator holds. Vector database tokens, retrieval backend keys, model provider keys, and internal database credentials each become wrapped objects with their own release policies. The compromise of the orchestrator no longer cascades into the providers. The providers never see the attacker's calls, because the release is denied at the policy enforcement point before a credential reaches the wire.
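The following Python is an added illustration of that shape, written for this post; it is not Lattix's implementation and not Langflow code. The orchestrator holds only wrapped objects, the enforcement point holds the key-encryption key and unwraps only when principal, host, scope, and time satisfy the policy bound to the object, and every decision is appended to a lineage log. The wrap is a toy HMAC-SHA256 keystream with an HMAC tag over ciphertext and policy so the example runs with the standard library alone; the identifiers, attribute names, and sample key are constructed.

```python
"""Policy-bound credential release behind a policy enforcement point (PEP).

Added illustration, not Lattix's or Langflow's code. The HMAC keystream is a
stand-in for a real AEAD or KEM wrap; identifiers and the sample key are constructed.
"""
import hashlib
import hmac
import json
import os
import time
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class ReleasePolicy:
    principals: FrozenSet[str]
    hosts: FrozenSet[str]
    scopes: FrozenSet[str]
    not_before: float
    not_after: float

    def permits(self, ctx: Dict[str, object]) -> Tuple[bool, str]:
        """Evaluate request attributes; the first failing attribute names the deny reason."""
        for attr, allowed in (("principal", self.principals), ("host", self.hosts), ("scope", self.scopes)):
            if ctx.get(attr) not in allowed:
                return False, attr
        if not self.not_before <= float(ctx.get("time", -1.0)) <= self.not_after:
            return False, "time"
        return True, "ok"

    def canonical(self) -> bytes:
        """Deterministic encoding so the policy can be bound into the wrap tag."""
        return json.dumps({"p": sorted(self.principals), "h": sorted(self.hosts), "s": sorted(self.scopes),
                           "nb": self.not_before, "na": self.not_after}, sort_keys=True).encode()


@dataclass(frozen=True)
class WrappedCredential:
    object_id: str
    nonce: bytes
    ciphertext: bytes
    tag: bytes            # binds ciphertext and policy together under the PEP's key
    policy: ReleasePolicy


class PolicyEnforcementPoint:
    """Holds the key-encryption key; the orchestrator only ever sees WrappedCredential objects."""

    def __init__(self, kek: bytes) -> None:
        self._kek = kek
        self.lineage: List[Dict[str, object]] = []

    def _keystream(self, nonce: bytes, length: int) -> bytes:
        out = b""
        for counter in range(0, length, 32):   # toy stream: HMAC-SHA256 in counter mode
            out += hmac.new(self._kek, b"ks" + nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        return out[:length]

    def _tag(self, object_id: str, nonce: bytes, ct: bytes, policy: ReleasePolicy) -> bytes:
        msg = object_id.encode() + b"\x00" + nonce + ct + policy.canonical()
        return hmac.new(self._kek, b"tag" + msg, hashlib.sha256).digest()

    def wrap(self, object_id: str, secret: bytes, policy: ReleasePolicy) -> WrappedCredential:
        nonce = os.urandom(16)
        ct = bytes(a ^ b for a, b in zip(secret, self._keystream(nonce, len(secret))))
        return WrappedCredential(object_id, nonce, ct, self._tag(object_id, nonce, ct, policy), policy)

    def release(self, obj: WrappedCredential, ctx: Dict[str, object]) -> Optional[bytes]:
        """Fail-closed: integrity of the policy binding first, then attributes; every outcome is logged."""
        if not hmac.compare_digest(self._tag(obj.object_id, obj.nonce, obj.ciphertext, obj.policy), obj.tag):
            return self._decide(obj, ctx, None, "tamper")
        ok, reason = obj.policy.permits(ctx)
        if not ok:
            return self._decide(obj, ctx, None, reason)
        plain = bytes(a ^ b for a, b in zip(obj.ciphertext, self._keystream(obj.nonce, len(obj.ciphertext))))
        return self._decide(obj, ctx, plain, "ok")

    def _decide(self, obj: WrappedCredential, ctx: Dict[str, object],
                plain: Optional[bytes], reason: str) -> Optional[bytes]:
        self.lineage.append({"object": obj.object_id, "decision": "release" if plain is not None else "deny",
                             "reason": reason, "principal": ctx.get("principal"), "host": ctx.get("host"),
                             "scope": ctx.get("scope"), "time": ctx.get("time")})
        return plain


def demo() -> Dict[str, object]:
    """One legitimate release, two pivots, and a policy loosened in the configuration store."""
    pep = PolicyEnforcementPoint(kek=os.urandom(32))
    now = time.time()
    policy = ReleasePolicy(frozenset({"langflow-runtime"}), frozenset({"orch-01"}),
                           frozenset({"openai:chat.completions"}), now - 60, now + 3600)
    wrapped = pep.wrap("openai-prod", b"sk-constructed-example-key", policy)   # constructed sample key
    legit = {"principal": "langflow-runtime", "host": "orch-01", "scope": "openai:chat.completions", "time": now}
    pivot_scope = dict(legit, scope="export:raw")     # attacker code inside the process asks for the raw key
    pivot_host = dict(legit, host="attacker-vps")     # same request replayed from attacker infrastructure
    loosened = WrappedCredential(wrapped.object_id, wrapped.nonce, wrapped.ciphertext, wrapped.tag,
                                 ReleasePolicy(policy.principals, policy.hosts | {"attacker-vps"},
                                               policy.scopes, policy.not_before, policy.not_after))
    return {
        "legit": pep.release(wrapped, legit),
        "pivot_scope": pep.release(wrapped, pivot_scope),
        "pivot_host": pep.release(wrapped, pivot_host),
        "loosened_policy": pep.release(loosened, pivot_host),   # edited policy breaks the tag
        "decisions": [f"{r['decision']}:{r['reason']}" for r in pep.lineage],
    }
```

The scope check is what bites code executing inside a compromised Langflow process: it inherits the process's principal and host attributes, so a policy that checked only those would release to it. Binding the release to the specific outbound call, and keeping the enforcement point outside the process, is what turns a takeover into a string of denials in the log.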

What the lineage chain answers for an AI workflow

The incident response burden after a credential-pivot event is dominated by reconstruction. Which keys were valid during the incident window. Which keys were used. Against which providers. From which originating attribute claims. At what spend. With which downstream system contact. For an AI workflow operator, the question extends to model inference: which prompts were submitted, which model versions were used, what training-relevant material may have been exposed through retrieval, and what regulator notification is required as a result.

Merkle-tree lineage over policy decisions compresses the reconstruction into a query. Every credential release writes a record to content-addressed storage anchored in a Merkle tree. The chain answers cryptographically which keys reached which providers during the window, with which originating context, on which timeline. The chain is the artifact that supports a customer notification, a regulator filing, and a board update. The chain is tamper-evident because the storage is content-addressed and the root is independently anchored: altering a stored record changes its content address, which changes its leaf and therefore the root, which no longer matches the anchored value.
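The following Python is an added example for this post, not Lattix's implementation: release decisions are stored by SHA-256 content address, the ordered leaves form a Merkle tree whose root is anchored (here simply captured as a value), an inclusion proof ties one record to that root, and the incident-window question is a filter over the stored records. The sample decisions, key identifiers, and provider names are constructed.

```python
"""Merkle-tree lineage over credential release decisions.

Added example, not Lattix's code. Records are content-addressed, leaves and
interior nodes are domain-separated, and an odd node is carried up unchanged.
"""
import hashlib
import json
from typing import Dict, List, Tuple


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def leaf_hash(record_bytes: bytes) -> bytes:
    return sha256(b"\x00" + record_bytes)   # domain-separated from interior nodes


def node_hash(left: bytes, right: bytes) -> bytes:
    return sha256(b"\x01" + left + right)


def _next_level(level: List[bytes]) -> List[bytes]:
    # An odd node is carried up unchanged rather than duplicated.
    return [node_hash(level[i], level[i + 1]) if i + 1 < len(level) else level[i]
            for i in range(0, len(level), 2)]


def merkle_root(leaves: List[bytes]) -> bytes:
    level = list(leaves) or [sha256(b"")]
    while len(level) > 1:
        level = _next_level(level)
    return level[0]


def inclusion_proof(leaves: List[bytes], index: int) -> List[Tuple[str, bytes]]:
    """Sibling hashes from leaf to root, each tagged with the side the sibling sits on."""
    path, level, idx = [], list(leaves), index
    while len(level) > 1:
        if idx ^ 1 < len(level):
            path.append(("L" if idx & 1 else "R", level[idx ^ 1]))
        level, idx = _next_level(level), idx // 2
    return path


def verify_inclusion(record_bytes: bytes, path: List[Tuple[str, bytes]], root: bytes) -> bool:
    node = leaf_hash(record_bytes)
    for side, sibling in path:
        node = node_hash(sibling, node) if side == "L" else node_hash(node, sibling)
    return node == root


def canonical(record: dict) -> bytes:
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


class LineageChain:
    def __init__(self) -> None:
        self.store: Dict[str, bytes] = {}   # content address -> canonical record bytes
        self.order: List[str] = []          # append order fixes each record's leaf position

    def append(self, record: dict) -> str:
        data = canonical(record)
        addr = sha256(data).hex()
        self.store[addr] = data
        self.order.append(addr)
        return addr

    def leaves(self) -> List[bytes]:
        return [leaf_hash(self.store[a]) for a in self.order]

    def consistent_with(self, anchored_root: bytes) -> bool:
        """Recompute from stored bytes: a rewritten record breaks its address and the root."""
        addresses_ok = all(sha256(self.store[a]).hex() == a for a in self.order)
        return addresses_ok and merkle_root(self.leaves()) == anchored_root

    def keys_released(self, provider: str, t0: int, t1: int) -> List[str]:
        """The incident-window question: which keys reached this provider between t0 and t1."""
        hits = {r["key_id"] for r in map(json.loads, (self.store[a] for a in self.order))
                if r["decision"] == "release" and r["provider"] == provider and t0 <= r["time"] <= t1}
        return sorted(hits)


def demo() -> Dict[str, object]:
    chain = LineageChain()
    base = {"principal": "langflow-runtime", "host": "orch-01"}
    records = [  # constructed sample decisions; times are seconds within an incident window
        dict(base, time=1000, key_id="openai-prod", provider="openai", decision="release"),
        dict(base, time=1060, key_id="vectordb-prod", provider="vectordb", decision="release"),
        dict(base, time=1120, key_id="openai-prod", provider="openai", decision="deny", host="attacker-vps"),
        dict(base, time=1180, key_id="anthropic-prod", provider="anthropic", decision="release"),
        dict(base, time=1240, key_id="openai-staging", provider="openai", decision="release"),
    ]
    addrs = [chain.append(r) for r in records]
    anchored = merkle_root(chain.leaves())          # root published to an independent anchor
    proof = inclusion_proof(chain.leaves(), 2)
    result = {
        "proof_ok": verify_inclusion(chain.store[addrs[2]], proof, anchored),
        "openai_keys_to_1200": chain.keys_released("openai", 1000, 1200),
        "openai_keys_to_1300": chain.keys_released("openai", 1000, 1300),
        "consistent_before": chain.consistent_with(anchored),
    }
    # Someone with write access rewrites the denied attempt to look like a legitimate release.
    chain.store[addrs[2]] = canonical(dict(records[2], host="orch-01", decision="release"))
    result["consistent_after"] = chain.consistent_with(anchored)
    result["proof_after_tamper"] = verify_inclusion(chain.store[addrs[2]], proof, anchored)
    return result
```

A record rewritten in place changes its content address, which changes its leaf, which changes the root; the anchored value no longer matches and the proof generated earlier fails for the altered bytes. The window query is the reconstruction the incident response team otherwise assembles by hand from provider logs.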

What the CISA deadline reveals about procurement

CISA's KEV addition with a 14-day FCEB remediation window is the public signal that AI orchestration software has entered the same procurement surface as operating systems, browsers, network controllers, and identity providers. The June 4 deadline is binding on federal civilian agencies that have Langflow in production. The procurement implication for the rest of the market is that AI orchestration tooling is now reviewed by the same security criteria as any other production component. Default-permissive CORS, default-permissive cookies, and default-executable code endpoints are now disqualifying defaults in a federal review, not merely sharp edges that operators are expected to file off in deployment.

The disqualifying-defaults framing reaches further than Langflow. Many AI orchestration projects ship with similar defaults because the projects originated as developer convenience tooling and the security expectations of their environments shifted faster than the defaults. The next KEV addition in this category is a question of when, not whether.

How the architecture maps to existing standards

The NIST SP 800-207 Zero Trust Architecture model names the policy enforcement point and the policy decision point as the primitives. The CISA Zero Trust Maturity Model 2.0 scores data and credentials as pillars. The NSA Zero Trust Implementation Guideline Data Pillar v2 of April 2026 explicitly extends the data pillar to credentials, secrets, and tokens. The NIST AI Risk Management Framework Generative AI Profile expects training data lineage and access governance over model outputs. The architecture described above produces evidence in each of these categories by construction rather than by process attestation.

Lattix Technologies binds policy to data objects, including credential and secret objects, through attribute-based access control at the policy enforcement point, post-quantum key encapsulation under ML-KEM-768 and ML-KEM-1024, and Merkle-tree lineage in tamper-evident audit storage. The architecture is procurable today against the surface that Langflow, Nx Console, Mercor, and the next variant share. The patch closes the disclosed vulnerability. The architecture closes the pivot.
