Langflow's /api/v1/validate/code Endpoint Was Hit by a Botnet in 2025 and an Iranian APT in 2026. The Procurement Row Is the Design Floor, Not the Patch Cadence.
The Failure
On May 21 2026, CISA added CVE-2025-34291 to the Known Exploited Vulnerabilities catalog, with a federal patch deadline of June 4 2026. The vulnerability is a CVSS 9.4 account-takeover-to-remote-code-execution chain in Langflow, the low-code AI agent workflow platform with 140,000-plus GitHub stars whose parent company DataStax was acquired by IBM in February 2025 and which counts FedEx, Capital One, The Home Depot, and Verizon among its named enterprise customers. CISA's KEV add is the first agent-workflow platform entry on the catalog, and the active-exploitation flag follows Ctrl-Alt-Intel reporting attributing March 2026 initial-access exploitation to MuddyWater, an Iranian state-aligned APT also known as Seedworm. The KEV-listing-as-procurement-clock pattern is one I traced through Copy Fail's shared-kernel SaaS risk; the Langflow listing extends it into agent-platform territory for the first time.
Twelve months earlier, in May 2025, CISA added a different Langflow CVE to the same KEV catalog: CVE-2025-3248, a CVSS 9.8 unauthenticated remote-code-execution flaw in the same endpoint, /api/v1/validate/code. That earlier campaign was a commodity affair: Zscaler's research summary reported GreyNoise telemetry of 361 malicious IPs scanning and exploiting, and Trend Micro attributed the cluster to Flodrix, a DDoS-focused botnet evolved from LeetHozer. The 2025 attackers were opportunists running a Mirai-class business model; the 2026 attackers are running Iranian intelligence collection.
The endpoint is the same and the platform is the same; the buyer-facing question is no longer whether to patch.
The Architecture
CVE-2025-34291 is not a single bug. Obsidian Security's writeup describes it as a three-component convergence in which each individual choice is defensible in isolation and the combination is catastrophic: FastAPI CORSMiddleware configured permissively with allow_credentials=True; a refresh_token_lf session cookie set with SameSite=None Secure and a seven-day lifetime; and a /api/v1/refresh endpoint with no CSRF token. The fourth component, the /api/v1/validate/code endpoint itself, executes arbitrary Python by design as part of the workflow-validation user experience.
The drive-by chain runs as follows. A logged-in Langflow user visits an attacker-controlled page. The attacker's page issues a cross-origin POST to /api/v1/refresh; because the cookie is SameSite=None and CORS allow_credentials is true, the browser attaches the cookie, and the server returns a fresh access token in the response body, which the attacker's JavaScript reads. The attacker then calls /api/v1/validate/code with the fresh token and runs arbitrary Python in the workspace. Obsidian's own sentence is the one to keep on file: "This vulnerability did not stem from a single critical flaw but rather from the convergence of several individually minor configuration choices that, when combined, created a severe attack vector."
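An offline model of that three-component convergence, added here as an illustration and not Langflow's own code: it encodes the browser's SameSite rule, the server's CORS credential rule (Starlette semantics are assumed, as noted in the comments) and the CSRF check, and reports which parts of the floor a given posture fails. The origins and posture values are constructed.

```python
from __future__ import annotations
import re
from dataclasses import dataclass, field

@dataclass
class SessionPosture:
    allow_origins: list[str] = field(default_factory=list)  # CORSMiddleware allow_origins
    allow_origin_regex: str | None = None                    # CORSMiddleware allow_origin_regex
    allow_credentials: bool = False                          # CORSMiddleware allow_credentials
    cookie_samesite: str = "lax"                             # session cookie SameSite attribute
    cookie_secure: bool = True                               # session cookie Secure attribute
    refresh_requires_csrf_token: bool = False                # does /api/v1/refresh check a CSRF token?

def browser_attaches_cookie(p: SessionPosture) -> bool:
    # A cross-site fetch/XHR POST carries the cookie only under SameSite=None, and browsers
    # drop a SameSite=None cookie that lacks Secure. Lax and Strict both block the POST.
    return p.cookie_samesite.lower() == "none" and p.cookie_secure

def server_accepts_credentialed_origin(p: SessionPosture, origin: str) -> bool:
    # Would the server reply with Access-Control-Allow-Origin: <origin> plus
    # Access-Control-Allow-Credentials: true? Assumption: '*' with allow_credentials=True is
    # modelled as echoing the requesting origin, as Starlette's CORSMiddleware does for a
    # cookie-bearing request; a literal '*' is refused by browsers for credentialed reads.
    if not p.allow_credentials:
        return False
    if "*" in p.allow_origins or origin in p.allow_origins:
        return True
    return bool(p.allow_origin_regex and re.fullmatch(p.allow_origin_regex, origin))

def drive_by_chain_live(p: SessionPosture, attacker_origin: str) -> bool:
    # All three components must line up for a foreign page to read a fresh access token.
    return (browser_attaches_cookie(p)
            and server_accepts_credentialed_origin(p, attacker_origin)
            and not p.refresh_requires_csrf_token)

def audit(p: SessionPosture) -> list[str]:
    # Findings against the floor: SameSite=Lax minimum, explicit allowlist, CSRF token on refresh.
    findings = []
    if browser_attaches_cookie(p):
        findings.append("cookie: SameSite=None lets cross-site POSTs carry the session; floor is Lax")
    if p.allow_credentials and ("*" in p.allow_origins or p.allow_origin_regex):
        findings.append("cors: credentials allowed for wildcard/regex origins; use an explicit allowlist")
    if not p.refresh_requires_csrf_token:
        findings.append("csrf: /api/v1/refresh accepts requests without a CSRF token")
    return findings

# Constructed postures: the pre-1.7.0 shape the post describes, and a hardened counterpart.
PERMISSIVE = SessionPosture(allow_origins=["*"], allow_credentials=True, cookie_samesite="none")
HARDENED = SessionPosture(allow_origins=["https://langflow.corp.example"], allow_credentials=True,
                          cookie_samesite="lax", refresh_requires_csrf_token=True)
```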
The blast radius inside the workspace is not generic RCE. It is, in Obsidian's enumeration, "all sensitive access tokens and API keys stored within the workspace": database passwords, SaaS and cloud-provider tokens, OAuth credentials, and the workflow's global variables that the platform encrypts at rest but decrypts in-process for use. An agent platform is, by job description, a credential and tool aggregator; code execution on that platform decrypts everything the platform was hired to broker. This is the same agent-platform-as-privileged-identity blast radius I mapped after Vercel's Context breach, where the compromise of a tool the security team had not scoped delivered every credential the tool was permitted to hold.
Where the Assumptions Break
The disclosure timeline tells you where the assumption layer failed. Obsidian reported the bug on July 29 2025; VulnCheck assigned a CVE on October 23 2025; public disclosure landed on December 5 2025. That is roughly four months from report to public disclosure, and the vendor's first attempted fix was a frontend-only patch that did not address the underlying CORS, cookie, or CSRF design. Defaults through version 1.6.9 remained exploitable, and the floor moved only at 1.7.0.
The 2025 botnet incident did not change the design assumption either. CVE-2025-3248 closed the unauthenticated path into /api/v1/validate/code at version 1.3.0, but the endpoint's purpose, executing arbitrary code on behalf of authenticated users, was treated as a feature with an authentication gate rather than as a credential-vault-adjacent capability requiring sandboxing or removal. When the auth gate cracked along an entirely different axis (a CORS-and-cookie chain rather than a missing auth check), the same remote-code-execution primitive was available to a new attacker class. This is the patch-vs-by-design line I drew across Semantic Kernel, LangChain, and the broader agent-framework vendor posture: the question that separates vendors is not whether they patch but whether they will commit to removing the primitive.
The pattern is recognizable to anyone who has run third-party diligence on enterprise software: the failure was not in patch velocity but in the platform's design floor. The CISA KEV add forces a 14-day patch on federal civilian agencies and a procurement-disclosure obligation on the vendor, but neither response addresses the structural question of whether an endpoint named /api/v1/validate/code should exist on a platform that brokers production cloud credentials. I learned the diligence reflex doing M&A vendor reviews at Houlihan Lokey: when a target's product reaches into customer credentials by design, you do not score it on its last patch; you score it on the design assumptions it does not let the buyer renegotiate.
The Procurement Floor
The DDQ row a low-code agent vendor has not answered, and which Langflow's twelve-month history makes unavoidable, is a two-part written commitment. First: will the vendor commit, in writing, to either removing or sandboxing endpoints that execute arbitrary code by design, with a documented isolation boundary (separate process, separate credentials, no access to the platform secret store)? Second: will the vendor publish its session-cookie posture and CORS configuration as auditable defaults, with SameSite=Lax as the documented minimum and a buyer-readable allowlist for cross-origin credential attachment?
These are not patch questions. They are floor questions, and they are answerable in a contract redline rather than a SOC 2 attestation. The Langflow case is useful because it exposes both halves: the cookie posture failed (SameSite=None with a seven-day lifetime) and the design floor failed (an RCE-by-design endpoint sitting next to a credential store). A vendor that will commit to the first row but not the second is selling you patch cadence; a vendor that will commit to both is selling you a platform that survives a CORS misconfiguration.
This design-floor row pairs with the five-class framework I covered in the Five Eyes agentic AI procurement questionnaire post, and it sits inside the broader shadow-IT category I flagged in the self-hosted AI shadow-IT vendor questionnaire, where Langflow appeared as a representative case. CVE-2025-34291 is the concrete proof point that shadow-IT framing alone is not enough: the design-floor row needs to be in the master agreement.
What Changed on May 21
The KEV add changed three things on May 21 2026. First, CISA's catalog now contains its first agent-workflow platform entry, which means federal civilian agencies running Langflow are on a 14-day clock and procurement teams at every regulated enterprise have a documentable named-vulnerability event to attach to a contract amendment. Second, the attacker class on the same endpoint shifted from commodity botnet (Flodrix in 2025) to state-aligned APT (MuddyWater in 2026), which matches the trajectory I traced in the Iran prepositioning analysis: Iranian operators are increasingly using software-supply-chain initial access against US financial and enterprise targets. Third, the disclosure record is now public that the vendor's first fix attempt was frontend-only, which materially weakens any "responsible disclosure handled" assurance in a future RFP response.
The action for a buyer running Langflow today is to upgrade to 1.7.0 or later before June 4 2026, audit the workspace's stored credentials and rotate any that were reachable before the upgrade, and add the two-part design-floor row to the next vendor renewal. The action for a buyer evaluating any low-code agent platform is to send the same two questions before the contract is signed and to require the answer in writing. The procurement row is not "what is your CVSS-9 patch SLA?"; it is "name every endpoint on your platform that executes user-supplied code, and describe the isolation boundary between that endpoint and the credentials your platform brokers."