CISA Adds Exploited Langflow and Trend Micro Apex One Vulnerabilities to KEV
CISA added Langflow and Trend Micro Apex One vulnerabilities to its KEV catalog due to active exploitation.
Summary
CISA added CVE-2025-34291 in Langflow and CVE-2026-34926 in Trend Micro Apex One to its Known Exploited Vulnerabilities catalog. The Langflow vulnerability is being exploited by MuddyWater, while Trend Micro has observed active exploitation attempts in the wild. FCEB agencies must apply fixes by June 4, 2026.
Full text
CISA Adds Exploited Langflow and Trend Micro Apex One Vulnerabilities to KEV Ravie LakshmananMay 22, 2026Vulnerability / Cyber Attack The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added two security flaws impacting Langflow and Trend Micro Apex One to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. The vulnerabilities in question are listed below - CVE-2025-34291 (CVSS score: 9.4) - An origin validation error vulnerability in Langflow that could allow an attacker to execute arbitrary code and achieve full system compromise. CVE-2026-34926 (CVSS score: 6.7) - A directory traversal vulnerability in on-premise versions of Trend Micro Apex One that could allow a pre-authenticated local attacker to modify a key table on the server to inject malicious code to deploy to agents on affected installations. In a report published in December 2025, Obsidian Security said CVE-2025-34291 exploits three combined weaknesses: overly Permissive CORS, lack of cross-site request forgery (CSRF) protection, and an endpoint that allows code execution by design. "The impact is severe: successful exploitation not only compromises the Langflow instance but also exposes all sensitive access tokens and API keys stored within the workspace," the company noted at the time. "This can trigger a cascading compromise across all integrated downstream services in cloud and SaaS environments." The vulnerability has since been exploited by an Iranian state-sponsored hacking group named MuddyWater to obtain initial access to target networks, according to a Ctrl-Alt-Intel analysis published in March 2026. As for CVE-2026-34926, Trend Micro said it "observed at least one instance of an attempt to actively exploit one of these vulnerabilities in the wild." "This vulnerability is only exploitable on the on-premise version of Apex One and a potential attacker must have access to the Apex One Server and already obtained administrative credentials to the server via some other method to exploit this vulnerability," it added. In light of active exploitation, Federal Civilian Executive Branch (FCEB) agencies are required to apply the necessary fixes by June 4, 2026, to secure their networks. Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post. SHARE Tweet Share Share Share SHARE Apex One, CISA, Code Execution, cybersecurity, Directory Traversal, KEV, Langflow, MuddyWater, Trend Micro, Vulnerability ⚡ Top Stories This Week Claude Mythos AI Finds 10,000 High-Severity Flaws in Widely Used Software Megalodon GitHub Attack Targets 5,561 Repos with Malicious CI/CD Workflows ThreatsDay Bulletin: Linux Rootkits, Router 0-Day, AI Intrusions, Scam Kits and 25 New Stories Microsoft Warns of Two Actively Exploited Defender Vulnerabilities 9-Year-Old Linux Kernel Flaw Enables Root Command Execution on Major Distros GitHub Internal Repositories Breached via Malicious Nx Console VS Code Extension GitHub Breached — Employee Device Hack Led to Exfiltration of 3,800+ Internal Repos Microsoft Releases Mitigation for YellowKey BitLocker Bypass CVE-2026-45585 Exploit DirtyDecrypt PoC Released for Linux Kernel CVE-2026-31635 LPE Vulnerability ⚡ Weekly Recap: Exchange 0-Day, npm Worm, Fake AI Repo, Cisco Exploit and More Ivanti, Fortinet, SAP, VMware, n8n Patch RCE, SQL Injection, Privilege Escalation Flaws MiniPlasma Windows 0-Day Enables SYSTEM Privilege Escalation on Fully Patched Systems NGINX CVE-2026-42945 Exploited in the Wild, Causing Worker Crashes and Possible RCE Making Vulnerable Drivers Exploitable Without Hardware - The BYOVD Perspective The New Phishing Click: How OAuth Consent Bypasses MFA Developer Workstations Are Now Part of the Software Supply Chain ⭐ Featured Resources Claim ANY.RUN Anniversary Offer for Faster Malware Analysis [Guide] Learn to Detect AI Typosquatting Risks in Your Domain [Guide] Get Key Identity Security Insights From 2026 Snapshot Discover How to Navigate the Era of Constant Cyber Exposure
Indicators of Compromise
- cve — CVE-2025-34291
- cve — CVE-2026-34926