The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has flagged two critical vulnerabilities, one in Langflow and another in Trend Micro Apex One, for active exploitation. These newly added entries to CISA’s Known Exploited Vulnerabilities (KEV) catalog highlight ongoing threats that organizations must address promptly to prevent further cyber attacks.
The announcement on May 22, 2026, serves as a stark reminder of the persistent risks posed by zero-day and actively exploited security flaws. Federal agencies are mandated to patch these vulnerabilities by an early June deadline to safeguard their networks against potential breaches.
Langflow Vulnerability Sparks System Compromise Fears
The first vulnerability, designated CVE-2025-34291, affects Langflow and carries a severe CVSS score of 9.4. This flaw is an origin validation error that, if exploited, grants attackers the ability to execute arbitrary code on a victim’s system, leading to a full system compromise. Obsidian Security’s report from December 2025 detailed how this vulnerability arises from a combination of overly permissive Cross-Origin Resource Sharing (CORS) policies, a lack of Cross-Site Request Forgery (CSRF) protection, and an endpoint that inherently allows code execution.
The consequences of exploiting CVE-2025-34291 are significant. According to Obsidian Security, successful exploitation not only compromises the immediate Langflow instance but also exposes all sensitive access tokens and API keys stored within its workspace. This can, in turn, trigger a cascading compromise across all integrated downstream services, including cloud and SaaS environments, creating a broad attack surface.
Further compounding concerns, Ctrl-Alt-Intel reported in March 2026 that the Iranian hacking group MuddyWater has been actively exploiting this vulnerability. The group appears to use the flaw to gain initial access to target networks, a common tactic for sophisticated threat actors.
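The weakness chain the Obsidian Security report describes (a permissive CORS policy, no CSRF protection, and an endpoint that executes code) is a request-validation failure, so a defender can test for it directly. The Python below is an added example, not Langflow's code or the published fix: it lints a CORS policy for the permissive settings and gates a state-changing request on an exact-origin allowlist plus a custom-header CSRF check; `CorsPolicy`, the header set and the example origins are assumptions.

```python
# Added illustration (not Langflow's code): origin validation and a CSRF
# check in front of a state-changing endpoint, plus a lint for CORS settings.
from dataclasses import dataclass, field
from typing import Mapping


@dataclass
class CorsPolicy:
    # Exact origins such as "https://app.example.com"; "*" models a wildcard.
    allowed_origins: set[str] = field(default_factory=set)
    allow_credentials: bool = False


def cors_policy_findings(policy: CorsPolicy) -> list[str]:
    """Flag settings that let any web page drive the API from a victim's browser."""
    findings = []
    if "*" in policy.allowed_origins:
        findings.append("wildcard origin")
        if policy.allow_credentials:
            findings.append("wildcard origin combined with credentials")
    for origin in policy.allowed_origins - {"*"}:
        if not origin.startswith(("https://", "http://localhost")):
            findings.append(f"non-https origin {origin!r}")
    return findings


def mutating_request_allowed(policy: CorsPolicy, headers: Mapping[str, str]) -> tuple[bool, str]:
    """Gatekeep a request that changes state (for example, one that runs code).

    Returns (allowed, reason). Origin must match an exact allowlist entry,
    a wildcard never matches, and a custom header is required as a CSRF
    check because plain cross-site forms and navigations cannot set one.
    """
    h = {k.lower(): v for k, v in headers.items()}
    origin = h.get("origin")
    fetch_site = h.get("sec-fetch-site")
    if fetch_site == "cross-site":
        return False, "Sec-Fetch-Site reports a cross-site request"
    if origin is not None and origin not in policy.allowed_origins - {"*"}:
        return False, f"origin {origin!r} not in allowlist"
    if origin is None and fetch_site not in (None, "same-origin", "none"):
        return False, "missing Origin on a non-same-origin request"
    if h.get("x-requested-with") != "XMLHttpRequest":
        return False, "missing anti-CSRF custom header"
    return True, "ok"
```

The lint is the check to run against a deployment's configuration; the gate is the shape of validation that a code-executing endpoint needs before it honours a browser-originated request.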
Trend Micro Apex One Faces Directory Traversal Threat
The second vulnerability added to the KEV catalog is CVE-2026-34926, impacting on-premise versions of Trend Micro Apex One. This flaw has a CVSS score of 6.7 and is classified as a directory traversal vulnerability. Trend Micro confirmed that they have observed at least one attempt at active exploitation in the wild.
Exploitation of CVE-2026-34926 requires specific conditions. A pre-authenticated local attacker must first gain access to the Apex One server and obtain administrative credentials by some other means before the vulnerability can be leveraged. Once those conditions are met, the attacker can modify a key table on the server to inject malicious code, which can then be deployed to agents on affected installations.
While the requirements for exploitation are stringent, the potential for widespread impact on managed endpoints makes this a serious concern for organizations relying on Trend Micro Apex One for their endpoint security. The ability to inject malicious code into agents can lead to a broad dissemination of malware or further compromise of secured systems.
Mandatory Patching for Federal Agencies
In response to the active exploitation of these vulnerabilities, CISA has issued a directive requiring all Federal Civilian Executive Branch (FCEB) agencies to apply the necessary security updates. The deadline for compliance is set for June 4, 2026. This swift action is a critical step in mitigating the immediate risks posed by CVE-2025-34291 and CVE-2026-34926, and underscores the importance of maintaining up-to-date security defenses against evolving cyber threats.