The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added two security flaws affecting Langflow and Trend Micro Apex One to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.
The vulnerabilities in question are as follows.
CVE-2025-34291 (CVSS Score: 9.4) – An origin validation error vulnerability in Langflow could allow an attacker to execute arbitrary code and compromise the entire system. CVE-2026-34926 (CVSS Score: 6.7) – A directory traversal vulnerability in the on-premises version of Trend Micro Apex One could allow a local, pre-authenticated attacker to modify the key table on the server and inject malicious code, which could then be deployed to agents on affected installations.
Obsidian Security said in a report published in December 2025 that CVE-2025-34291 exploits a combination of three weaknesses: overly permissive CORS, lack of cross-site request forgery (CSRF) protection, and endpoints that allow code execution by design.
“The impact is severe. A successful exploit could not only compromise a Langflow instance, but also expose all sensitive access tokens and API keys stored within the workspace,” the company said at the time. “This could lead to a cascading breach across all integrated downstream services within cloud and SaaS environments.”
Ctrl-Alt-Intel said in a report published in March 2026 that the vulnerability was exploited by an Iranian hacker group named MuddyWater to gain initial access to targeted networks.
Regarding CVE-2026-34926, Trend Micro states that it has “observed at least one instance of an attempt to exploit one of these vulnerabilities in the wild.”
“This vulnerability is only exploitable in on-premises versions of Apex One, and to exploit this vulnerability, a potential attacker would need to have access to the Apex One server and already have administrative credentials for the server through other means,” it added.
In view of active exploitation, Federal Civilian Executive Branch (FCEB) agencies have until June 4, 2026 to apply the necessary fixes to secure their networks.
Source link
