Skip to content
You can now search across every topic, entity and event.What's new
Cybersecurity: Threats and Defences
20MAY

AI orchestration flaw joins CISA's KEV

4 min read
09:58UTC

CISA added a CVSS 9.4 Langflow flaw and a Trend Micro Apex One bug to its exploited-vulnerabilities catalogue on 21 May, with a 4 June federal patch deadline.

TechnologyDeveloping
Key takeaway

Two AI orchestration flaws reached CISA's exploited catalogue in three weeks, making the control plane a confirmed attack class.

CISA added two flaws to its KEV catalogue of vulnerabilities confirmed exploited in the wild on Thursday 21 May, with a federal patch deadline of 4 June 1. The first is CVE-2025-34291 in Langflow, an open-source visual builder for stitching together large-language-model agent pipelines, rated CVSS 9.4: an origin-validation error that combines permissive cross-origin resource sharing, missing cross-site request forgery protection, and an endpoint that runs code by design. The second is CVE-2026-34926 in Trend Micro Apex One on-premises, a directory-traversal flaw rated CVSS 6.7.

Langflow stores API tokens and credentials for every downstream software-as-a-service it integrates, which is what makes the flaw dangerous. A single origin-validation bug does not stop at Langflow; it converts into lateral access across every connected service, the same blast-radius logic that made identity providers high-value targets. A security team that has never inventoried its shadow LLM deployments, often stood up by data Teams rather than security, cannot rotate credentials it does not know are exposed.

The Iran-nexus group MuddyWater was already documented abusing this flaw in a March 2026 analysis. The new fact is the 21 May KEV listing, which confirms in-the-wild exploitation and puts a federal clock on it, not that MuddyWater has only just arrived. Paired with the LiteLLM proxy flaw that UNC6780 exploited within 36 hours of its own KEV listing a fortnight earlier , the pattern is no longer theoretical. The AI orchestration layer, the control plane that connects models to data and tools, now carries two KEV entries in three weeks.

Deep Analysis

In plain English

Langflow is an open-source tool that lets technical teams assemble AI systems without writing code from scratch. Organisations use it to build automated pipelines that connect large AI language models to databases, external websites, and internal services. Because it connects to so many other systems, it typically holds the passwords and access keys for all of them in one place. A serious security flaw in Langflow, rated 9.4 out of 10 by the international vulnerability-scoring standard, has been confirmed as actively exploited in the wild. An Iranian-linked hacking group called MuddyWater was documented exploiting it in March 2026. On 21 May 2026, the US government's cyber agency CISA formally added the flaw to its list of vulnerabilities requiring urgent action, with a federal deadline of 4 June. The risk is that a single compromised Langflow instance can hand attackers the keys to every other system it connects to. Many Langflow deployments were set up by data science teams rather than IT security teams, which means they are often not tracked in organisations' standard security monitoring.

Deep Analysis
Root Causes

AI orchestration platforms aggregate credentials for every downstream service they connect: cloud providers, database systems, external APIs, and model endpoints. Langflow's architecture stores these credentials in an internal SQLite or PostgreSQL database and passes them to agent pipelines at runtime.

A successful exploitation of CVE-2025-34291 gives the attacker full access to this credential store, beyond the Langflow instance itself. The blast radius is proportional to the number and privilege level of downstream integrations, not the Langflow deployment's own network position.

The CORS and CSRF design flaws that compose CVE-2025-34291 are a consequence of Langflow's origin as a single-developer prototyping tool that was later deployed in production environments without a security architecture review. The codebase was designed for local development on localhost, where cross-origin and cross-site request forgery protections are conventionally relaxed. When the tool migrated to shared-server deployments, the permissive defaults followed.

MuddyWater's selection of Langflow as a target reflects a documented Iranian threat-intelligence priority: AI platforms that connect to defence and government research networks. Langflow's open-source positioning and its active user community in universities and government data labs make it a predictable target for an actor seeking access to AI-assisted research pipelines rather than financial data.

What could happen next?
  • Risk

    Shadow AI infrastructure, including Langflow instances deployed by data teams without IT security oversight, now represents a confirmed attack surface that can yield access to the full credential set of an organisation's AI-connected services in a single exploitation.

    Immediate · Assessed
  • Precedent

    Two AI orchestration tool KEV entries in three weeks (LiteLLM on 8 May, Langflow on 21 May) establishes the AI control plane as a recognised attack class in CISA's mandatory-action framework, which will accelerate enterprise security teams' inclusion of AI tooling in standard vulnerability management programmes.

    Short term · Assessed
  • Consequence

    MuddyWater's documented March 2026 exploitation of Langflow, combined with the KEV classification, creates a notification obligation for UK and EU public-sector organisations under NIS2 and the CS&R Bill's 24-hour incident reporting requirement if they were running unpatched instances during the exploitation window.

    Immediate · Assessed
First Reported In

Update #5 · GitHub's own code cloned via VS Code add-on

The Hacker News· 29 May 2026
Read original
Causes and effects
This Event
AI orchestration flaw joins CISA's KEV
Two AI-tier entries in three weeks move the layer that wires models to data and tools from theoretical risk to a confirmed attack class.
Different Perspectives
UK managed service providers and data centre operators
UK managed service providers and data centre operators
Newly brought into critical-infrastructure scope by the Cyber Security and Resilience Bill's Lords second reading, facing fines up to £17m or 4% of global turnover and a new near-miss reporting duty they did not previously carry. The sector moves from best-practice guidance to statutory exposure within this Parliamentary session.
Threat-intelligence industry
Threat-intelligence industry
SOCRadar's confirmation that one operator sits on two ransomware crews' negotiation panels, following Bitdefender's affiliate-overlap flag six weeks earlier, gives the sector its second independent data point that brand-based tracking undercounts shared access. The firms doing this work are shifting language from named-group attribution toward access-broker mapping.
FSB Centre 16
FSB Centre 16
Named by NCSC as running an SNMP-hijacking campaign against communications, energy, healthcare, defence and financial-services operators, harvesting device data and reconfiguring routers through a decades-old plaintext-authentication protocol. The campaign runs in parallel to, not in place of, the GRU's separate DNS-hijacking operation named in April.
CISA
CISA
CISA's Known Exploited Vulnerabilities catalogue added seven CVEs between 5 and 14 July, none from a headline security vendor, capped by the 18-year-old Cisco IOS bug CVE-2008-4128. BOD 26-04's risk-tiered listing rules make that slowdown as much a policy artefact as a threat-intensity read.
Nidec
Nidec
Nidec faces a $2m demand from Blackfield after the crew breached a server at its supplier Chaun Choung Technology rather than Nidec's own network. The attack reached Nidec's data without touching its own perimeter at all, the same supply-chain route World Leaks used against Tata Electronics.
Tata Electronics
Tata Electronics
Tata Electronics restricted remote access to its purchase-order systems and hired a forensic consultant after World Leaks posted 630GB of its files, including purported Apple and Tesla design material, to a leak site. The exposed value sits on its customers' balance sheets, not its own, which is what makes it hard to price.