The Langflow CVEs and Dify Vulnerabilities: What Actually Happened
Langflow's security problems arrived in waves. CVE-2025-3248 introduced a code injection vulnerability allowing remote code execution through unsanitized user input [10]. Months later, [CVE-2025-34291](https://nvd.nist.gov/vuln/detail/cve-2025-34291)CVE-2025-34291 combined a CORS/CSRF chain with an account takeover path, giving attackers full RCE access to any Langflow instance with default configurations [1][9]. Then in early 2026, [CVE-2026-33017](https://labs.cloudsecurityalliance.org/research/csa-research-note-cve-2026-33017-langflow-ai-pipeline-rce-20/)CVE-2026-33017 landed with a CVSS score of 9.3 — an unauthenticated RCE flaw that was exploited in the wild within 20 hours of disclosure [2].
Dify's problems surfaced days later. Security researchers published the "DifyTap" vulnerabilities on June 22-23, 2026: four flaws enabling cross-tenant data exposure, private chat history reading, and unauthorized access to internal APIs [3][4]. A separate SSRF vulnerability (CVE-2025-56520) compounded the exposure [11]. Together, these flaws undermined the isolation guarantees Dify's multi-tenant architecture was supposed to provide.
The common thread across both platforms is structural. Neither enforced robust authentication, input validation, or rate limiting at the traffic layer. The application code assumed trusted inputs. The infrastructure assumed trusted callers. Both assumptions failed.
We've Been Here Before: The WAF Moment for AI
This pattern has a precedent. In the early 2010s, web applications shipped with the same structural blind spots. SQL injection, cross-site scripting, and session hijacking exploited the gap between what application code assumed and what the network actually delivered. Web Application Firewalls didn't replace secure coding. They added a traffic-layer enforcement point that caught what application logic missed.
That layer became essential infrastructure — not because developers stopped writing bugs, but because the attack surface was too large for application code to cover alone.
AI agent platforms face a harder version of this problem. A compromised web application exposes data. A compromised AI agent acts. Agents execute tools, chain outputs across services, and call APIs with delegated authority. An attacker who gains control of an agent doesn't just read your data — they operate with the agent's permissions, calling internal services and triggering workflows.
The blast radius of a compromised agent is fundamentally larger than a compromised web form. According to NeuralTrust's 2026 research, 1 in 5 CISOs (19.5%) report at least one AI agent-related security event [6]. HUMAN Security's 2026 benchmarks found that AI agent traffic grew 7,851% year over year [7].
The ecosystem is responding. On June 23, 2026, the Linux Foundation announced the Agent Name Service (ANS), an initiative to establish trusted identity infrastructure for AI agents [5]. The move signals that agentic AI security is no longer a niche concern — it's an infrastructure category.
Like the WAF moment before it, the answer isn't better application code alone. It's a governance layer at the traffic boundary. This is the problem Kong AI Gateway was built to solve.
What Gateway-Level Security Actually Means for AI Agents
Securing AI agents at the application layer is necessary but insufficient. The traffic layer — where every request, response, and tool call passes through — is where enforcement needs to live. [Kong's AI Gateway](https://konghq.com/products/kong-ai-gateway)Kong's AI Gateway implements four security primitives at this layer:
- Authentication and authorization. Every agent, tool, and model call is authenticated before it reaches the backend. RBAC policies enforce which agents can access which internal services, and identity is verified at the gateway rather than delegated to each downstream application. This is how you govern AI agent access to internal microservices: enforce identity and permission boundaries at the traffic layer, before calls reach service endpoints. Kong supports [securing A2A endpoints with key authentication](https://developer.konghq.com/how-to/secure-a2a-endpoints/)securing A2A endpoints with key authentication as a baseline.
- Input validation and prompt injection protection. Prompt injection remains one of the [OWASP Top 10 LLM vulnerabilities](https://konghq.com/blog/engineering/owasp-top-10-ai-and-llm-guide)OWASP Top 10 LLM vulnerabilities [8]. Kong AI Gateway applies semantic prompt guards that filter malicious inputs by category rather than brittle keyword matching. This catches injection attempts before they reach the model. Kong's [LLM security playbook for injection attacks](https://konghq.com/blog/enterprise/llm-security-playbook-for-injection-attacks-data-leaks-model-theft)LLM security playbook for injection attacks covers additional defensive patterns.
- Rate limiting and cost controls. Without traffic-layer rate limiting, a single compromised agent can generate thousands of LLM calls in seconds, burning through token budgets and amplifying whatever exploit the attacker is running. Kong enforces token-based quotas, team-level rate limits, and cost attribution per request.
- Zero-trust enforcement. In a zero-trust architecture across microservices and AI agents, no caller is trusted by default — every request is authenticated, authorized, and logged regardless of its origin. Kong enforces mutual TLS, validates caller identity at the gateway, and applies per-request policies so that lateral movement from a compromised agent is contained, not amplified. See Kong's guide on [best practices for securing AI microservices](https://konghq.com/blog/engineering/5-best-practices-securing-microservices-scale)best practices for securing AI microservices for implementation patterns.
These aren't features bolted onto a routing proxy. They are the core architecture of [AI Gateway documentation](https://developer.konghq.com/index/ai-gateway/)AI Gateway documentation, built on the same runtime that governs API traffic for thousands of enterprises worldwide. Kong AI Gateway runs at production scale with sub-millisecond latency overhead — because prompt injection protection and zero-trust AI infrastructure shouldn't come at the cost of performance.
Standardization Without Security Is a Blueprint for Risk
The Linux Foundation's Agent Name Service announcement is a positive development [5]. Standardized agent identity, interoperable registries, and trusted naming infrastructure will make multi-agent systems more manageable. Standardization is how ecosystems mature.
But standardization without security primitives built into the infrastructure creates a different risk. Interoperable agents that any system can discover and invoke are powerful. Interoperable agents that any system can discover, invoke, and exploit are dangerous. HUMAN Security's 2026 benchmarks show that AI agent traffic is growing at an unprecedented rate [7].
The lesson from APIs is instructive. API standards like OpenAPI made integration easier. They also made exploitation easier when gateways didn't enforce authentication, rate limits, and access policies consistently.
Kong has spent over a decade ensuring that API connectivity comes with governance built in. The same discipline applies to AI gateway security: every connection governed, every call authenticated, every policy enforced at the traffic layer.
The Gateway Layer Is No Longer Optional
The Langflow and Dify incidents are not edge cases. They are early signals of a structural gap in AI infrastructure. Agent platforms move fast. They execute code, call tools, chain outputs, and operate with real permissions in production environments. Security at the application layer is necessary. Security at the traffic layer is what makes it enforceable.
The comparison to WAFs isn't just a historical analogy. It's a roadmap. Web applications didn't become secure because developers stopped writing bugs. They became secure because the industry built enforcement into the infrastructure.
AI agents need the same architectural intervention. Kong AI Gateway delivers it — authentication, input validation, rate limiting, and zero-trust governance at the traffic layer, with the production-grade performance that comes from running the API infrastructure for thousands of enterprises worldwide.
The question isn't whether AI agent platforms will be attacked. They already are. The question is whether your infrastructure is built to govern the traffic before it reaches the application. Every unprotected agent endpoint is an open invitation.
[See How Kong's AI Gateway Secures AI Agent Traffic - Explore Kong AI Gateway](https://konghq.com/products/kong-ai-gateway)See How Kong's AI Gateway Secures AI Agent Traffic - Explore Kong AI Gateway
FAQs
Start by enforcing security at the traffic layer, not just inside the application. That means authenticating every agent and tool call, validating inputs before they reach models, applying rate limits and token quotas, and logging every request for audit. Kong AI Gateway provides these capabilities at the gateway level, so security policies are enforced consistently across all agent traffic regardless of which frameworks, models, or tools your agents use.
Why were Langflow and Dify vulnerable to attack?
Both platforms lacked gateway-level security controls at the traffic layer. Langflow exposed unauthenticated endpoints that allowed remote code execution without verifying caller identity. Dify's multi-tenant architecture failed to enforce proper isolation, enabling cross-tenant data access. In both cases, the core issue was the same: requests reached application logic without passing through authentication, input validation, or rate limiting at the infrastructure boundary. Kong AI Gateway prevents this class of vulnerability by enforcing these controls before traffic reaches the application.
What security does an AI gateway provide?
An AI gateway sits between your agents and the services they consume, enforcing security policies on every request. Kong AI Gateway specifically provides authentication and RBAC for agent-to-service communication, semantic prompt injection detection, per-request rate limiting and cost controls, PII sanitization, and zero-trust enforcement with mutual TLS. These controls operate at the infrastructure layer, which means they apply uniformly and can't be bypassed by application-level misconfigurations.
References
[1] Obsidian Security. "CVE-2025-34291: Critical Account Takeover and RCE in Langflow." Dec 2025. [https://www.obsidiansecurity.com/blog/cve-2025-34291-critical-account-takeover-and-rce-vulnerability-in-the-langflow-ai-agent-workflow-platform](https://www.obsidiansecurity.com/blog/cve-2025-34291-critical-account-takeover-and-rce-vulnerability-in-the-langflow-ai-agent-workflow-platform)https://www.obsidiansecurity.com/blog/cve-2025-34291-critical-account-takeover-and-rce-vulnerability-in-the-langflow-ai-agent-workflow-platform
[2] Cloud Security Alliance. "Langflow RCE CVE-2026-33017: Exploited Within 20 Hours." Mar 2026. [https://labs.cloudsecurityalliance.org/research/csa-research-note-cve-2026-33017-langflow-ai-pipeline-rce-20/](https://labs.cloudsecurityalliance.org/research/csa-research-note-cve-2026-33017-langflow-ai-pipeline-rce-20/)https://labs.cloudsecurityalliance.org/research/csa-research-note-cve-2026-33017-langflow-ai-pipeline-rce-20/
[3] SecurityWeek. "Data Exposure Flaws Threaten Dify AI Platform." Jun 2026. [https://www.securityweek.com/data-exposure-flaws-threaten-dify-ai-platform-powering-over-1-million-apps/](https://www.securityweek.com/data-exposure-flaws-threaten-dify-ai-platform-powering-over-1-million-apps/)https://www.securityweek.com/data-exposure-flaws-threaten-dify-ai-platform-powering-over-1-million-apps/
[4] Dark Reading. "DifyTap Bugs Let Attackers Wiretap AI Chat Histories." Jun 2026. [https://www.darkreading.com/application-security/difytap-bugs-wiretap-ai-chat-histories](https://www.darkreading.com/application-security/difytap-bugs-wiretap-ai-chat-histories)https://www.darkreading.com/application-security/difytap-bugs-wiretap-ai-chat-histories
[5] Linux Foundation. "Agent Name Service Announcement." Jun 2026. [https://www.linuxfoundation.org/press/linux-foundation-announces-intent-to-launch-agent-name-service-to-establish-trusted-identity-infrastructure-for-ai-agents](https://www.linuxfoundation.org/press/linux-foundation-announces-intent-to-launch-agent-name-service-to-establish-trusted-identity-infrastructure-for-ai-agents)https://www.linuxfoundation.org/press/linux-foundation-announces-intent-to-launch-agent-name-service-to-establish-trusted-identity-infrastructure-for-ai-agents
[6] NeuralTrust. "The State of AI Agent Security 2026." 2026. [https://cdn.lawreportgroup.com/acuris/files/Law-Report-Group-Files-New/AI%20Agent%20Part%201%20NeuralTrust%20Report.pdf](https://cdn.lawreportgroup.com/acuris/files/Law-Report-Group-Files-New/AI%20Agent%20Part%201%20NeuralTrust%20Report.pdf)https://cdn.lawreportgroup.com/acuris/files/Law-Report-Group-Files-New/AI%20Agent%20Part%201%20NeuralTrust%20Report.pdf
[7] HUMAN Security. "2026 State of AI Traffic & Cyberthreat Benchmarks." 2026. [https://www.humansecurity.com/learn/resources/2026-state-of-ai-traffic-cyberthreat-benchmarks/](https://www.humansecurity.com/learn/resources/2026-state-of-ai-traffic-cyberthreat-benchmarks/)https://www.humansecurity.com/learn/resources/2026-state-of-ai-traffic-cyberthreat-benchmarks/
[8] OWASP. "Top 10 for LLM Applications." 2025. [https://owasp.org/www-project-top-10-for-large-language-model-applications/](https://owasp.org/www-project-top-10-for-large-language-model-applications/)https://owasp.org/www-project-top-10-for-large-language-model-applications/
[9] NVD. "CVE-2025-34291." [https://nvd.nist.gov/vuln/detail/cve-2025-34291](https://nvd.nist.gov/vuln/detail/cve-2025-34291)https://nvd.nist.gov/vuln/detail/cve-2025-34291
[10] SentinelOne. "CVE-2025-3248: Langflow Code Injection RCE Vulnerability." Jan 2026. [https://www.sentinelone.com/vulnerability-database/cve-2025-3248/](https://www.sentinelone.com/vulnerability-database/cve-2025-3248/)https://www.sentinelone.com/vulnerability-database/cve-2025-3248/
[11] CrowdSec. "CVE-2025-56520: Dify SSRF Vulnerability." Feb 2026. [https://www.crowdsec.net/vulntracking-report/cve-2025-56520](https://www.crowdsec.net/vulntracking-report/cve-2025-56520)https://www.crowdsec.net/vulntracking-report/cve-2025-56520