CVE-2025-34291 is a CISA KEV-confirmed critical vulnerability in Langflow — an AI agent workflow platform — that combines a permissive CORS policy with an insecure SameSite=None refresh token cookie to enable cross-site session hijacking and subsequent arbitrary code execution on the underlying system. Federal remediation deadline is June 4, 2026. Any internet-accessible Langflow deployment is directly exposed.