PROBABLYPWNED
Vulnerabilities | May 24, 2026 | 3 min read

MuddyWater Exploits Langflow Flaw for Initial Access

CISA adds CVE-2025-34291 to KEV after Iranian APT MuddyWater weaponizes the CORS/CSRF chain for account takeover and RCE. CVSS 9.4 flaw requires only a malicious link click.

Marcus Chen

Langflow is back in the spotlight for the wrong reasons. CISA added CVE-2025-34291 to its Known Exploited Vulnerabilities catalog on May 21 after confirming that Iranian state-sponsored group MuddyWater has weaponized the flaw for initial network access operations.

This marks the second critical Langflow vulnerability to see active exploitation in 2026. In March, we covered how attackers exploited CVE-2026-33017 within 20 hours of disclosure to achieve unauthenticated RCE. The new flaw operates differently—it requires user interaction—but the impact is equally severe.

How CVE-2025-34291 Works

CVE-2025-34291 chains three weaknesses into a devastating attack:

  1. Overly permissive CORS configuration — allows cross-origin requests from any domain
  2. Missing CSRF protection — no token validation on state-changing requests
  3. Code execution by design — Langflow's core functionality includes arbitrary code execution for AI workflows

The attack flow is straightforward: an attacker hosts a malicious webpage that, when a victim visits it, makes authenticated requests to the victim's Langflow instance. Because the CORS policy allows the requests and no CSRF check blocks them, the attacker can hijack sessions, steal API keys stored in workspaces, and execute arbitrary Python code, all from a single link click.

Obsidian Security researchers who disclosed the vulnerability described it as enabling "complete account takeover and Remote Code Execution simply by having a user visit a malicious webpage." The CVSS score of 9.4 reflects that reality.
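The first two weaknesses in the chain are request-handling gaps, and the sketch below shows the server-side checks that close them: an origin allowlist for credentialed CORS and a per-session CSRF token on state-changing requests. It is an added example, not Langflow's code or its patch; the allowlisted hostname, the `X-CSRF-Token` header name, and the function names are assumptions made for illustration.

```python
import hmac
from urllib.parse import urlsplit

# Assumption: the single origin allowed to drive this instance's UI (placeholder host).
ALLOWED_ORIGINS = {"https://langflow.internal.example"}
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}  # assumes these never change state


def cors_headers(origin, allowlist=ALLOWED_ORIGINS):
    """CORS response headers: credentialed access only for allowlisted origins."""
    if origin in allowlist:
        return {"Access-Control-Allow-Origin": origin, "Vary": "Origin",
                "Access-Control-Allow-Credentials": "true"}
    return {}  # no ACAO header: the browser withholds the response from the page


def request_origin(headers):
    """Origin header, falling back to the origin part of Referer."""
    origin = headers.get("Origin")
    if origin:
        return origin
    ref = urlsplit(headers.get("Referer", ""))
    return f"{ref.scheme}://{ref.netloc}" if ref.scheme and ref.netloc else None


def allow_request(method, headers, session_csrf_token, allowlist=ALLOWED_ORIGINS):
    """Gate a cookie-authenticated request. Returns (allowed, reason)."""
    if method.upper() in SAFE_METHODS:
        return True, "safe method"
    origin = request_origin(headers)
    if origin not in allowlist:
        return False, f"origin {origin!r} not allowlisted"
    sent = headers.get("X-CSRF-Token", "")  # hypothetical header name
    if not session_csrf_token or not hmac.compare_digest(
            sent.encode(), session_csrf_token.encode()):
        return False, "missing or wrong CSRF token"
    return True, "ok"


# Constructed sample requests (not captured traffic).
TOKEN = "constructed-per-session-token"
SAMPLES = [
    ("POST", {"Origin": "https://langflow.internal.example", "X-CSRF-Token": TOKEN}),
    ("POST", {"Origin": "https://unrelated-site.example"}),     # cross-site, no token
    ("POST", {"Origin": "https://langflow.internal.example"}),  # right origin, no token
]

if __name__ == "__main__":
    for method, hdrs in SAMPLES:
        print(method, hdrs.get("Origin"), allow_request(method, hdrs, TOKEN))
```

Either check alone stops the cross-site request in the second sample; applying both means a mistake in the CORS allowlist does not by itself reopen state-changing endpoints.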

MuddyWater Attribution

Iranian APT group MuddyWater (also tracked as Mango Sandstorm, Mercury, and Seedworm) began exploiting CVE-2025-34291 as an initial access vector in early 2026. The group typically targets government, telecommunications, and energy sector organizations across the Middle East, Central Asia, and North Africa.

MuddyWater's operational pattern involves establishing persistent access through stolen credentials and API tokens, then pivoting to deploy custom malware like PowGoop and POWERSTATS for long-term espionage. Langflow deployments in target environments offer a tempting entry point—they often contain API keys and credentials for multiple downstream services.

The involvement of a sophisticated nation-state threat actor elevates this from a theoretical risk to an active campaign with geopolitical implications.

CISA Remediation Deadline

Federal agencies face a June 4, 2026 remediation deadline under Binding Operational Directive 22-01. Private organizations should treat this deadline as guidance—if federal agencies must patch within two weeks, you probably should too.

Immediate Actions

  1. Upgrade Langflow to the latest patched version immediately
  2. Rotate all stored secrets — API keys, credentials, and tokens in Langflow workspaces may be compromised
  3. Review access logs for suspicious session activity or unexpected workflow executions
  4. Restrict network exposure — Langflow instances should not be directly accessible from the internet without authentication
  5. Implement CSP headers — proper Content Security Policy can mitigate CSRF attacks as a defense-in-depth measure

Why AI Platforms Keep Getting Hit

This is the second major Langflow vulnerability in three months, and the pattern extends beyond a single vendor. We've covered similar issues in n8n's sandbox escape vulnerability and OpenClaw's credential theft chain. AI workflow platforms combine several high-risk characteristics: they execute arbitrary code by design, they store credentials for downstream services, and they're often deployed quickly to enable experimentation without full security review.

The AI/ML security space is experiencing growing pains. Platforms built for rapid prototyping are increasingly deployed in production environments where they become attractive targets. Until vendors mature their security postures and organizations treat AI infrastructure with the same rigor as traditional systems, expect this trend to continue.

For defenders, the lesson is clear: inventory your AI tooling, apply patches aggressively, and assume that threat actors are watching disclosure feeds as closely as you are.
