VYPR
kevPublished May 21, 2026· Updated May 31, 2026· 6 sources

CISA Adds Langflow and Trend Micro Apex One Flaws to KEV Catalog

CISA has added CVE-2025-34291 (Langflow) and CVE-2026-34926 (Trend Micro Apex One) to its Known Exploited Vulnerabilities catalog due to active exploitation.

CISA has added two new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, citing evidence of active exploitation. The newly listed flaws are CVE-2025-34291, an origin validation error in Langflow, and CVE-2026-34926, a directory traversal vulnerability in Trend Micro Apex One (On-Premise). Both vulnerabilities are being actively used by malicious cyber actors and pose significant risks to federal enterprise networks.

CVE-2025-34291 affects Langflow, an open-source low-code tool for building AI agents and RAG applications. The vulnerability is an origin validation error that could allow an attacker to bypass security checks and potentially execute unauthorized actions. Langflow has released patches in version 1.3.1 and later to address the flaw. Organizations running Langflow should update immediately to prevent exploitation.

CVE-2026-34926 is a directory traversal vulnerability in Trend Micro Apex One (On-Premise). This flaw could allow an attacker to read arbitrary files on the affected system, potentially exposing sensitive configuration data or credentials. Trend Micro has released a security patch for Apex One (On-Premise) to remediate the issue. Administrators are urged to apply the patch as soon as possible.

The addition of these vulnerabilities to the KEV Catalog is part of CISA's ongoing effort to track and prioritize vulnerabilities that are actively exploited in the wild. Binding Operational Directive (BOD) 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the specified due date to protect their networks. While BOD 22-01 only applies to federal agencies, CISA strongly recommends that all organizations prioritize patching these vulnerabilities as part of their vulnerability management practices.

CISA will continue to add vulnerabilities to the KEV Catalog that meet the specified criteria, helping organizations focus their resources on the most critical threats. The agency emphasizes that timely remediation of known exploited vulnerabilities is one of the most effective ways to reduce cyber risk.

The article adds attribution for CVE-2025-34291, revealing that Iranian hacking group MuddyWater exploited the Langflow origin validation error to gain initial access to target networks, as reported by Ctrl-Alt-Intel in March 2026. It also provides additional detail on CVE-2026-34926, noting that Trend Micro observed at least one exploitation attempt in the wild, though the attacker must already have administrative credentials to the Apex One server. Federal agencies must apply fixes by June 4, 2026.

TrendAI has now released patches for CVE-2026-34926, a directory traversal zero-day in the on-premises version of Apex One that was exploited in the wild. The vulnerability, discovered internally by TrendAI's incident response team, allows an unauthenticated local attacker with admin credentials to modify a key table and inject malicious code to agents. CISA added the flaw to its KEV catalog on Thursday, ordering federal agencies to patch by June 4. The latest updates also fix several high-severity local privilege escalation bugs.

Trend Micro has now released security patches for the actively exploited directory traversal vulnerability (CVE-2026-34926) in Apex One on-premises servers, which allows local attackers with admin privileges to inject malicious code. The company confirmed that TrendAI observed at least one exploitation attempt in the wild, and CISA has added the flaw to its Known Exploited Vulnerabilities catalog, ordering federal agencies to patch by June 4. Additionally, Trend Micro fixed seven local privilege escalation bugs in the Apex One Standard Endpoint Protection agent that could be abused by low-privileged attackers.

Trend Micro has confirmed that CVE-2026-34926, a relative directory path traversal in Apex One, was exploited as a zero-day, with at least one in-the-wild attempt reported by its TrendAI incident response team. The vulnerability affects only the on-premise version and requires prior administrative credentials, but once exploited allows an attacker to modify a key table and inject malicious code into the trusted agent distribution channel. CISA has added the flaw to its Known Exploited Vulnerabilities catalog and ordered federal agencies to patch by June 4, 2026.

The full disclosure on May 21, 2026, reveals a total of 13 CVEs in Trend Micro Apex One, including two critical remote code execution bugs (CVE-2025-71210 and CVE-2025-71211, both CVSS 9.8) in the management console, a cluster of four Windows agent origin validation flaws (CVSS 7.8), and five macOS agent vulnerabilities spanning TOCTOU and origin validation issues. While CVE-2026-34926 was already added to CISA's KEV catalog, the two critical console RCEs have not been reported as exploited in the wild. Trend Micro has released patches for all 13 vulnerabilities, with cloud-based Apex One deployments unaffected by the zero-day.

Synthesized by Vypr AI