The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added two security flaws impacting Langflow and Trend Micro Apex One to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.
The vulnerabilities in question are listed below –
- CVE-2025-34291 (CVSS score: 9.4) – An origin validation error vulnerability in Langflow that could allow an attacker to execute arbitrary code and achieve full system compromise.
- CVE-2026-34926 (CVSS score: 6.7) – A directory traversal vulnerability in on-premise versions of Trend Micro Apex One that could allow a pre-authenticated local attacker to modify a key table on the server and inject malicious code that is then deployed to agents on affected installations.
In a report published in December 2025, Obsidian Security said CVE-2025-34291 chains three weaknesses: an overly permissive CORS policy, a lack of cross-site request forgery (CSRF) protection, and an endpoint that allows code execution by design. Any of the three alone is survivable; together they let a page on an arbitrary origin drive a logged-in user's browser into the code-execution endpoint and read the result.
"The impact is severe: successful exploitation not only compromises the Langflow instance but also exposes all sensitive access tokens and API keys stored within the workspace," the company noted at the time. "This can trigger a cascading compromise across all integrated downstream services in cloud and SaaS environments."
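The combination Obsidian describes is easiest to see in code. What follows is an added illustration written for this article, not Langflow's code and not Obsidian's: a toy request handler that reflects any Origin with credentials and runs code for any request carrying a valid session cookie, beside a hardened handler that allowlists the application origin by exact match and requires a CSRF token the attacker's page cannot know. A simulated cross-site page shows why the permissive version both executes the code and lets the attacker's page read the response, including whatever workspace secrets it returns. The origins, the /api/run_code path, the cookie and header names and the secrets dictionary are all assumed or constructed for the example.

```python
"""Permissive CORS + no CSRF protection + a code-execution endpoint, and the fix.

Added illustration, not Langflow's code. Origins, endpoint path, cookie and header
names are assumed; WORKSPACE_SECRETS is a constructed sample, not real data."""
from dataclasses import dataclass, field
from urllib.parse import urlsplit
import secrets

APP_ORIGIN = "https://flows.example"       # assumed origin of the application
ATTACKER_ORIGIN = "https://evil.example"   # assumed origin of the attacker's page
WORKSPACE_SECRETS = {"OPENAI_API_KEY": "sk-constructed-sample"}  # constructed, not real


@dataclass
class Request:
    method: str
    path: str
    headers: dict
    cookies: dict = field(default_factory=dict)
    body: dict = field(default_factory=dict)


@dataclass
class Response:
    status: int
    headers: dict
    body: str


def normalize_origin(value):
    """Canonical scheme://host[:port] for exact-match comparison; None if unparsable.
    Exact match (not startswith/endswith) is what defeats lookalike hosts."""
    parts = urlsplit(value or "")
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    default_port = 443 if parts.scheme == "https" else 80
    port = parts.port or default_port
    suffix = "" if port == default_port else f":{port}"
    return f"{parts.scheme}://{parts.hostname.lower()}{suffix}"


def run_code(body):
    """Stand-in for an endpoint that executes user code by design (it only echoes here)."""
    return f"ran {body.get('code', '')!r}; secrets visible: {WORKSPACE_SECRETS}"


def permissive_handler(req):
    """All three weaknesses: any Origin is reflected with credentials, nothing ties
    the request to the app's own pages, and the endpoint runs code."""
    if req.cookies.get("session") != "valid":
        return Response(401, {}, "unauthenticated")
    cors = {"Access-Control-Allow-Origin": req.headers.get("Origin", "*"),
            "Access-Control-Allow-Credentials": "true"}
    if req.method == "POST" and req.path == "/api/run_code":
        return Response(200, cors, run_code(req.body))
    return Response(404, cors, "")


def hardened_handler(req, csrf_token):
    """Exact-match origin allowlist, constant-time CSRF token check, deny by default."""
    if req.cookies.get("session") != "valid":
        return Response(401, {}, "unauthenticated")
    if normalize_origin(req.headers.get("Origin")) != APP_ORIGIN:
        # Missing or foreign Origin on a state-changing request: refuse, emit no CORS headers.
        return Response(403, {}, "origin not allowed")
    if not secrets.compare_digest(req.headers.get("X-CSRF-Token", ""), csrf_token):
        return Response(403, {}, "missing or invalid CSRF token")
    cors = {"Access-Control-Allow-Origin": APP_ORIGIN,
            "Access-Control-Allow-Credentials": "true", "Vary": "Origin"}
    if req.method == "POST" and req.path == "/api/run_code":
        return Response(200, cors, run_code(req.body))
    return Response(404, cors, "")


def browser_exposes_response(page_origin, resp):
    """The check a browser applies before page JavaScript may read a credentialed
    cross-origin response: ACAO must equal the page origin and ACAC must be 'true'."""
    return (resp.headers.get("Access-Control-Allow-Origin") == page_origin
            and resp.headers.get("Access-Control-Allow-Credentials") == "true")


def attempt(handler, page_origin, token_in_request=None, **server_kw):
    """A page at page_origin POSTs to the endpoint while the victim is logged in,
    so the browser attaches the session cookie. Returns
    (code_executed, response_readable_by_that_page)."""
    headers = {"Origin": page_origin, "Content-Type": "application/json"}
    if token_in_request is not None:      # only the app's own pages can know the token
        headers["X-CSRF-Token"] = token_in_request
    req = Request("POST", "/api/run_code", headers, cookies={"session": "valid"},
                  body={"code": "import os; os.system('id')"})
    resp = handler(req, **server_kw)
    executed = resp.status == 200
    return executed, executed and browser_exposes_response(page_origin, resp)


if __name__ == "__main__":
    token = secrets.token_urlsafe(16)
    print("permissive, cross-site:", attempt(permissive_handler, ATTACKER_ORIGIN))
    print("hardened, cross-site:  ", attempt(hardened_handler, ATTACKER_ORIGIN, csrf_token=token))
    print("hardened, same-origin: ", attempt(hardened_handler, APP_ORIGIN,
                                             token_in_request=token, csrf_token=token))
```

The model skips the CORS preflight on purpose: a server that reflects Origin on the real request answers the OPTIONS request the same way, so preflight buys nothing there. Two points carry over to real services: reflecting the request's Origin into Access-Control-Allow-Origin together with Access-Control-Allow-Credentials: true is functionally the same as trusting every site on the web, and a CSRF defence is still needed even with a correct allowlist, because the state change happens server-side whether or not the attacker's page is allowed to read the reply. SameSite cookies and checking Sec-Fetch-Site are worthwhile extra layers, not replacements for either check.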
In a report published in March 2026, Ctrl-Alt-Intel said the vulnerability had been exploited by an Iranian hacking group named MuddyWater to obtain initial access to target networks.
As for CVE-2026-34926, Trend Micro said it "observed at least one instance of an attempt to actively exploit one of these vulnerabilities in the wild."
"This vulnerability is only exploitable on the on-premise version of Apex One and a potential attacker must have access to the Apex One Server and already obtained administrative credentials to the server via some other method to exploit this vulnerability," it added.
In light of active exploitation, Federal Civilian Executive Branch (FCEB) agencies are required to apply the necessary fixes by June 4, 2026, to secure their networks.