22 May 2026
Reference: CVE-2025-34291
1. What is being reported?
Langflow versions up to and including 1.6.9 have a security problem where a combination of settings allows hackers to steal special access tokens from users. These tokens let attackers access private parts of the software and run any code they want, effectively taking over the system.
2. What this means in plain English
If your organisation uses Langflow, attackers could break in without needing your password and control your system remotely. This could lead to data loss, disruption, or further attacks. Even if you don't think you use Langflow, it's important to check, because this vulnerability is being actively exploited.
3. Could this affect a small business?
Small businesses or charities using Langflow software version 1.6.9 or earlier are at risk. If you do not use Langflow, this vulnerability does not affect you. Check with your IT provider if you are unsure whether Langflow is in use.
4. What to do now
- Contact your IT provider or software supplier immediately to confirm whether you use Langflow and, if so, which version.
- If you use Langflow, ask for and apply the vendor’s security updates or mitigations without delay.
- If no fix is available, consider discontinuing use of Langflow until it is safe to use.
- Follow any additional guidance from your IT provider regarding cloud services and access controls.
5. Ask your IT provider
Can you confirm if our organisation uses Langflow software version 1.6.9 or earlier, and if so, what steps are being taken to protect us from the known critical vulnerability CVE-2025-34291?
6. Bottom line
If you use Langflow, act quickly to update or stop using it to prevent hackers from taking control of your systems.
Information based on CISA KEV, NVD, and reputable security news reports.