CISA Adds Two Known Exploited Vulnerabilities Affecting Langflow and Trend Micro to Catalog

CISA KEV Catalog Updated: Actively Exploited Langflow and Trend Micro Flaws Demand Urgent Patching

Severity: CRITICAL
May 22, 2026
Topics: Vulnerability, Patch Management, Regulatory


Executive Summary

On May 21, 2026, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added two new vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, signaling that both are being actively exploited by malicious actors in the wild. The vulnerabilities impact products from Langflow and Trend Micro. The first, CVE-2025-34291, is an Origin Validation Error in Langflow. The second, CVE-2026-34926, is a Directory Traversal vulnerability affecting on-premise instances of Trend Micro Apex One. The inclusion in the KEV catalog triggers Binding Operational Directive (BOD) 22-01, which compels Federal Civilian Executive Branch (FCEB) agencies to patch these flaws by a set deadline. CISA strongly advises all public and private sector organizations to follow suit and remediate these vulnerabilities immediately to reduce their attack surface.

Vulnerability Details

CVE-2025-34291 - Langflow Origin Validation Error

  • Product: Langflow
  • Vulnerability Type: Origin Validation Error
  • Impact: While specific details of the impact are not provided, Origin Validation Errors typically lead to security bypasses. An attacker could potentially trick the application into trusting a malicious origin, allowing them to execute unauthorized actions, steal sensitive data, or perform cross-site scripting (XSS) attacks. Given its addition to the KEV, the exploit likely allows for significant unauthorized access or code execution.

CVE-2026-34926 - Trend Micro Apex One Directory Traversal

  • Product: Trend Micro Apex One (On-Premise)
  • Vulnerability Type: Directory Traversal (Path Traversal)
  • Impact: This vulnerability allows an attacker to access files and directories stored outside the web root folder. By manipulating file path variables (e.g., with ../ sequences), an attacker could read sensitive configuration files, source code, or system files containing credentials. In some cases, directory traversal can also lead to arbitrary code execution if an attacker can write files to sensitive locations.

Affected Systems

  • CVE-2025-34291: All installations of Langflow prior to the patched version.
  • CVE-2026-34926: On-premise installations of Trend Micro Apex One. Cloud-based versions are not affected.

Exploitation Status

Both CVE-2025-34291 and CVE-2026-34926 are confirmed by CISA to be under active exploitation in the wild. This means that threat actors have developed working exploits and are actively using them to compromise vulnerable systems. The urgency for patching is therefore critical. Organizations that have not patched are at high risk of compromise.

Impact Assessment

  • Langflow: As a UI for building with Large Language Models (LLMs), a compromise could lead to the theft of sensitive data processed by the LLM, API keys for services like OpenAI, or manipulation of the application's logic.
  • Trend Micro Apex One: As an endpoint security product, a vulnerability in the management server is extremely dangerous. An attacker compromising the Apex One server could potentially disable security controls across the entire fleet of endpoints it manages, rendering the organization blind and defenseless against further attacks. This could be a precursor to a widespread ransomware deployment.

The compromise of a central security management tool like Apex One is a worst-case scenario. It's the digital equivalent of an intruder stealing the keys to every room in the building and disabling the alarm system.

Cyber Observables — Hunting Hints

The following patterns may help identify vulnerable or compromised systems:

  • URL pattern (..%2f or ..\): In web server logs, look for request paths containing directory traversal sequences targeting systems running Trend Micro Apex One.
  • Log source (Trend Micro Apex One logs): Audit logs for unexpected administrative actions, policy changes, or component updates that were not initiated by authorized administrators.
  • Log source (Langflow application logs): Review logs for anomalous requests or errors related to origin validation or session management.

Detection Methods

  1. Vulnerability Scanning: Use a vulnerability scanner to actively scan your network for instances of Langflow and on-premise Trend Micro Apex One servers. Ensure your scanner has updated plugins to detect CVE-2025-34291 and CVE-2026-34926.
  2. Log Analysis: For Trend Micro Apex One, analyze web server access logs for suspicious requests containing directory traversal patterns. For Langflow, review application and web logs for requests from unexpected or malicious-looking origins. This aligns with D3FEND Network Traffic Analysis.
  3. EDR: Monitor the Apex One server for any suspicious child processes spawned by the main application services, which could indicate post-exploitation activity.
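As an added example (not code from the advisory, CISA, or either vendor), the following Python scans constructed web-server access-log lines for the traversal sequences named in the hunting hints above, percent-decoding repeatedly so that double-encoded and backslash variants are not missed; the log format, request paths and client addresses are assumed placeholders, not real Apex One URLs.

```python
import re
from urllib.parse import unquote

# One Apache/nginx combined-format access line: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Traversal sequence after normalisation: ".." followed by a path separator.
TRAVERSAL_RE = re.compile(r'\.\./')

def normalise_path(raw: str, rounds: int = 3) -> str:
    """Percent-decode until stable (catches %252e double encoding), then fold '\\' to '/'."""
    path = raw
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace('\\', '/')

def has_traversal(raw_path: str) -> bool:
    """True if the request path carries a '..' traversal in plain, encoded or backslash form."""
    return TRAVERSAL_RE.search(normalise_path(raw_path)) is not None

def scan_access_log(lines):
    """Return (client_ip, raw_path, status) for each request containing a traversal sequence."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and has_traversal(m['path']):
            hits.append((m['ip'], m['path'], int(m['status'])))
    return hits

# Constructed sample lines (placeholder paths and addresses, not real Apex One URLs).
SAMPLE_LOG = [
    '198.51.100.7 - - [21/May/2026:10:01:02 +0000] "GET /console/index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [21/May/2026:10:02:15 +0000] "GET /console/..%2f..%2fexample.txt HTTP/1.1" 200 1024 "-" "curl/8.0"',
    r'203.0.113.10 - - [21/May/2026:10:02:16 +0000] "GET /console/..\..\example.txt HTTP/1.1" 404 0 "-" "curl/8.0"',
    '203.0.113.11 - - [21/May/2026:10:03:40 +0000] "GET /console/%252e%252e%252fexample.txt HTTP/1.1" 200 1024 "-" "curl/8.0"',
    '198.51.100.7 - - [21/May/2026:10:04:01 +0000] "GET /console/release..notes.txt HTTP/1.1" 200 300 "-" "Mozilla/5.0"',
]

if __name__ == '__main__':
    for ip, path, status in scan_access_log(SAMPLE_LOG):
        print(f'traversal attempt from {ip}: {path} (HTTP {status})')
```

The same decode-then-match normalisation is what a WAF virtual-patch rule needs before comparing against ../, otherwise an encoded ..%2f slips past a literal check; a 200 status on a flagged request is the line to triage first.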

Remediation Steps

  1. Patch Immediately: The primary remediation is to apply the security updates provided by Langflow and Trend Micro as soon as possible. Due to active exploitation, this should be treated as an emergency change.
  2. Verify Patch Installation: After applying the patches, verify that the new version is correctly installed and running.
  3. Hunt for Compromise: Before and after patching, it is crucial to hunt for signs of compromise. Assume that you may have already been breached. Review logs for any suspicious activity pre-dating the patch.
  4. Isolate if Unable to Patch: If patching is not immediately possible, isolate the vulnerable servers from the internet and untrusted networks as a temporary compensating control. However, this is not a substitute for patching.

Timeline of Events

  1. May 21, 2026: CISA adds CVE-2025-34291 and CVE-2026-34926 to the Known Exploited Vulnerabilities (KEV) catalog.
  2. May 22, 2026: This article was published.

MITRE ATT&CK Mitigations

This is the primary mitigation: organizations must apply the patches provided by Langflow and Trend Micro immediately.

As a temporary measure, restrict network access to the vulnerable servers, especially from the internet, until patching can be completed.

Audit (M1047, Enterprise)

Continuously monitor and audit logs from the affected applications and servers to detect any signs of attempted or successful exploitation.

D3FEND Defensive Countermeasures

For vulnerabilities listed in the CISA KEV catalog, such as CVE-2025-34291 and CVE-2026-34926, Software Update is the single most important and urgent action. The 'known exploited' status means attackers are already using these flaws. Organizations must treat this as an emergency. The patch for Trend Micro Apex One and Langflow should be deployed immediately, bypassing standard, slower-moving change control processes. A dedicated 'emergency patch' procedure should be invoked. The risk of not patching an actively exploited vulnerability far outweighs the risk of a patch causing a minor operational issue. After patching, it is critical to verify that the update was successful across all identified vulnerable systems.

While patching is paramount, Inbound Traffic Filtering can provide a crucial layer of defense, especially against the Trend Micro Apex One Directory Traversal (CVE-2026-34926). A well-configured Web Application Firewall (WAF) can be updated with virtual patching rules to inspect incoming HTTP requests for directory traversal patterns like ../ or ..\. If such a pattern is detected in a request to the Apex One server, the WAF can block it before it ever reaches the vulnerable application code. This can serve as a critical compensating control if an organization cannot patch immediately, and it provides defense-in-depth even after patching. This 'virtual patch' can often be deployed much faster than the software update itself.

Beyond patching, organizations should practice Application Hardening for critical management servers like Trend Micro Apex One. This involves reducing the attack surface by limiting access to the management console to a dedicated and isolated management network or a set of trusted IP addresses (a 'jump box'). The server should not be directly accessible from the internet. By enforcing strict network access control lists (ACLs) on the firewall in front of the server, you can ensure that only authorized administrators can even attempt to connect to it. This would prevent an external attacker from being able to reach the vulnerable web interface in the first place, regardless of whether it is patched or not.


Sources & References

  • CISA, Cybersecurity Alerts & Advisories (cisa.gov), May 21, 2026

Article Author

Jason Gomes


• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.


Tags

CISA, KEV, Vulnerability, CVE-2025-34291, CVE-2026-34926, Langflow, Trend Micro, Patch Management
