CISA updated its Known Exploited Vulnerabilities (KEV) catalog on May 21, 2026, adding two high-severity flaws that are under active attack. The vulnerabilities—CVE-2025-34291 in the Langflow low-code AI application builder and CVE-2026-34926 in Trend Micro Apex One on-premise—now require immediate remediation from U.S. federal agencies under Binding Operational Directive (BOD) 22-01. Both flaws allow remote code execution, and CISA’s move confirms that threat actors are exploiting them in the wild.

The KEV catalog currently holds over 1,100 entries, each representing a vulnerability with verified exploit activity. CISA updates the catalog on a rolling basis, but additions always carry heightened urgency. In this case, the two new entries spotlight the growing attack surface in AI development tools and the persistent targeting of endpoint security products.

Langflow CVE-2025-34291: AI Tool Under Fire

CVE-2025-34291 affects Langflow, an open-source visual framework for building AI agents and workflows using LangChain. The tool enables developers to create complex AI applications via a drag-and-drop interface, and it has gained popularity in enterprise environments for rapid prototyping and deployment of large language model (LLM)-powered apps. Langflow can be self-hosted or deployed in cloud environments, often exposed to internal networks or, in some misconfigurations, the internet.

Specific technical details of the vulnerability remain under embargo by CISA and the Langflow maintainers, but the KEV listing classifies it as a remote code execution (RCE) bug. Given Langflow’s architecture, an RCE flaw could allow an attacker to craft malicious input—potentially through a crafted API request or a poisoned flow component—that executes arbitrary commands on the underlying server. Successful exploitation would grant full control over the Langflow instance, including access to sensitive data, model endpoints, and connected internal systems.

Security researchers have previously warned about supply-chain and injection risks in AI development tools. Langflow handles user-provided Python code snippets, API keys, and model configurations, making it a high-value target. If an attacker compromises a Langflow instance, they could pivot to other critical infrastructure, steal credentials, or manipulate AI model outputs.

CISA’s advisory does not specify the attack vector or threat actor, but the rapid addition to the KEV suggests in-the-wild exploitation is confirmed, likely through publicly available proof-of-concept code or targeted attacks. Organizations using Langflow—especially those in federal agencies—must immediately apply patches or mitigations. While an official vendor advisory is expected, Langflow maintainers typically release fixes on GitHub, and users should monitor the project’s repository.

Trend Micro Apex One CVE-2026-34926: Endpoint Security in the Crosshairs

The second KEV addition, CVE-2026-34926, targets Trend Micro Apex One on-premise, a widely deployed endpoint detection and response (EDR) solution. Apex One protects millions of endpoints globally, and its on-premise version is common in government, defense, and critical infrastructure sectors. Exploiting a vulnerability in such a product is a nightmare scenario: an attacker can leverage the security tool itself to disarm defenses and roam freely.

Like the Langflow flaw, CVE-2026-34926 is an RCE vulnerability. Details are sparse pending Trend Micro’s official bulletin, but historical patterns suggest the bug may reside in the product’s web management console, update mechanism, or a core service that listens on the network. Because Apex One operates with high privileges to scan and remediate threats, any code executed through it runs with SYSTEM-level access on Windows endpoints.

Active exploitation of Apex One vulnerabilities has a long history. Threat actors—including state-sponsored groups and ransomware operators—have repeatedly targeted Trend Micro products to gain initial access or disable security controls. In 2023, CISA added multiple Apex One flaws to the KEV, and just months ago a separate RCE bug (CVE-2025-XXXXX) was exploited in the wild. CVE-2026-34926 continues this trend, underscoring the criticality of keeping endpoint security platforms updated.

The timing is particularly concerning because on-premise Apex One installations often lag behind SaaS counterparts in patch adoption. Many administrators delay updates due to compatibility testing or uptime requirements, leaving a window of exposure that attackers are now exploiting.

The KEV Mandate and Federal Response

BOD 22-01 gives federal civilian executive branch (FCEB) agencies 14 days from a vulnerability’s addition to the KEV to remediate it. For CVE-2025-34291 and CVE-2026-34926, the deadline is June 4, 2026. Agencies must identify affected assets, apply vendor patches, or implement compensating controls such as network segmentation or temporary service disabling. CISA expects agencies to report compliance through the CyberScope platform.

While the directive only legally binds federal agencies, CISA “strongly urges” all organizations—state and local governments, critical infrastructure, and private enterprises—to prioritize these vulnerabilities. Given the confirmed active exploitation, security teams should treat these CVEs as emergency patches, not routine maintenance.

Broader Implications for Enterprise Security

These two KEV additions highlight three overlapping security challenges:

  • AI development infrastructure is the new attack surface. Langflow and similar tools are often deployed without the same rigor as traditional IT systems. Developers may prioritize speed over security, leaving default configurations, weak authentication, or overly permissive network exposure. With AI pipelines now central to business operations, a compromise can have cascading effects.
  • Endpoint security products are double-edged swords. They carry immense privileges and sit on every device. A flaw in such a product bypasses all defenses and gives attackers a stealthy foothold. The repeated exploitation of Apex One signals that attackers are aggressively studying these platforms for weaknesses.
  • Supply chain and interconnected risk persist. Many organizations run both Langflow and Trend Micro in their environments. An attacker who gains access via Langflow could then exploit the Apex One vulnerability to move laterally, escalate privileges, or disable security monitoring.

Patching these two vulnerabilities in isolation may not suffice. Organizations should review their entire software inventory for similar risks, especially for internet-facing applications and high-privilege security tools.

Remediation Steps and Defensive Measures

Immediate actions for defenders:

  1. Patch now. Check Langflow’s GitHub repository and Trend Micro’s advisory portal for the latest security updates. Apply patches as soon as they are available, prioritizing internet-exposed instances.
  2. Isolate vulnerable systems. If patching is delayed, segment Langflow servers and Apex One management consoles from the rest of the network. Disable any unnecessary remote access or web interfaces.
  3. Hunt for indicators of compromise (IOCs). CISA has not yet published IOCs, but organizations can monitor logs for unusual access to Langflow endpoints, unexpected process execution on Apex One servers, or anomalous traffic to known malicious infrastructure.
  4. Review access controls. Ensure that Langflow uses strong authentication, and that Apex One management ports are not exposed to the internet. Harden configurations by following vendor best practices.
  5. Deploy compensating controls. For Apex One, consider enabling application control policies to restrict execution from untrusted paths. For Langflow, use network-level whitelisting for API access.

In the longer term, organizations should integrate vulnerability intelligence feeds that automatically flag KEV additions into their patch management workflows. Automating the response to BOD 22-01 requirements can drastically reduce mean time to remediation.

Industry Reaction and the Road Ahead

While official statements from Langflow and Trend Micro are still forthcoming, the infosec community has already raised alarms on social media and forums. Early reports suggest that proof-of-concept code for CVE-2025-34291 may be circulating, lowering the bar for opportunistic attacks. On the other hand, CVE-2026-34926 may be chained with other exploits to deliver ransomware or backdoors.

The AI-powered attack vector is particularly worrying. A compromised Langflow instance could be abused to poison an organization’s internal LLMs, extract training data, or generate malicious content that evades traditional security filters. As generative AI becomes embedded in business workflows, vulnerabilities like CVE-2025-34291 become critical business risks, not just IT problems.

For Trend Micro, the challenge is reputational as well as technical. Repeated vulnerabilities in a flagship security product erode customer trust. The company must not only patch quickly but also communicate transparently about root causes and future hardening efforts.

CISA’s KEV catalog continues to evolve as a vital tool for prioritizing remediation. By focusing on vulnerabilities with real-world attacks, it cuts through the noise of thousands of CVEs published each year. For defenders, the catalog is a “must-patch” list that should drive patching cadence and security investments.

As we head into the second half of 2026, these two entries reinforce the old but often ignored truth: complexity is the enemy of security. Whether it’s a low-code AI builder or a hardened endpoint protection platform, any internet-connected code can be turned against its owner if not aggressively maintained. With CISA’s spotlight now on them, Langflow and Trend Micro users have no more excuses for delay.