Cybersecurity: Threats and Defences
29 May

AI orchestration flaw joins CISA's KEV

14:17 UTC

CISA added a CVSS 9.4 Langflow flaw and a Trend Micro Apex One bug to its exploited-vulnerabilities catalogue on 21 May, with a 4 June federal patch deadline.

Key takeaway

Two AI orchestration flaws reached CISA's exploited catalogue in three weeks, making the control plane a confirmed attack class.

CISA added two flaws to its KEV catalogue of vulnerabilities confirmed exploited in the wild on Thursday 21 May, with a federal patch deadline of 4 June. The first is CVE-2025-34291 in Langflow, an open-source visual builder for stitching together large-language-model agent pipelines, rated CVSS 9.4: an origin-validation error that combines permissive cross-origin resource sharing, missing cross-site request forgery protection, and an endpoint that runs code by design. The second is CVE-2026-34926 in Trend Micro Apex One on-premises, a directory-traversal flaw rated CVSS 6.7.

Langflow stores API tokens and credentials for every downstream software-as-a-service it integrates, which is what makes the flaw dangerous. A single origin-validation bug does not stop at Langflow; it converts into lateral access across every connected service, the same blast-radius logic that made identity providers high-value targets. A security team that has never inventoried its shadow LLM deployments, often stood up by data teams rather than security, cannot rotate credentials it does not know are exposed.

The Iran-nexus group MuddyWater was already documented abusing this flaw in a March 2026 analysis. The new fact is the 21 May KEV listing, which confirms in-the-wild exploitation and puts a federal clock on it, not that MuddyWater has only just arrived. Paired with the LiteLLM proxy flaw that UNC6780 exploited within 36 hours of its own KEV listing roughly a fortnight earlier, the pattern is no longer theoretical. The AI orchestration layer, the control plane that connects models to data and tools, now carries two KEV entries in three weeks.

Deep Analysis

In plain English

Langflow is an open-source tool that lets technical teams assemble AI systems without writing code from scratch. Organisations use it to build automated pipelines that connect large AI language models to databases, external websites, and internal services. Because it connects to so many other systems, it typically holds the passwords and access keys for all of them in one place. A serious security flaw in Langflow, rated 9.4 out of 10 on the CVSS severity scale, has been confirmed as actively exploited in the wild. An Iranian-linked hacking group called MuddyWater was documented exploiting it in March 2026. On 21 May 2026, the US government's cyber agency CISA formally added the flaw to its list of vulnerabilities requiring urgent action, with a federal deadline of 4 June. The risk is that a single compromised Langflow instance can hand attackers the keys to every other system it connects to. Many Langflow deployments were set up by data science teams rather than IT security teams, which means they are often not tracked in organisations' standard security monitoring.

Root Causes

AI orchestration platforms aggregate credentials for every downstream service they connect: cloud providers, database systems, external APIs, and model endpoints. Langflow's architecture stores these credentials in an internal SQLite or PostgreSQL database and passes them to agent pipelines at runtime.

Successful exploitation of CVE-2025-34291 gives the attacker this credential store, not just the Langflow instance itself. The blast radius is therefore proportional to the number and privilege level of downstream integrations, not to the Langflow deployment's own network position.

The CORS and CSRF design flaws that compose CVE-2025-34291 are a consequence of Langflow's origin as a single-developer prototyping tool that was later deployed in production environments without a security architecture review. The codebase was designed for local development on localhost, where cross-origin and cross-site request forgery protections are conventionally relaxed. When the tool migrated to shared-server deployments, the permissive defaults followed.
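The failure mode just described, a reflected-origin CORS policy and a missing CSRF check in front of an endpoint that executes code, shown beside a hardened gate. This is an added Python illustration written for this page; it is not Langflow's code, and the allow-listed origin, the `csrf_token` cookie and the `X-CSRF-Token` header are assumptions chosen for the example.

```python
"""Origin validation for a state-changing, code-running endpoint: the
permissive localhost-era pattern beside a hardened one.

Added illustration, not Langflow's source. The allow-listed origin, header
names and cookie names are assumptions chosen for this example."""
from __future__ import annotations

import hmac
from dataclasses import dataclass, field
from urllib.parse import urlsplit

UNSAFE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}
# Assumption: the UI that legitimately calls the execute endpoint lives here.
ALLOWED_ORIGINS = {"https://langflow.example.internal"}


@dataclass
class Request:
    """Minimal stand-in for an HTTP request; all instances are constructed inputs."""
    method: str
    headers: dict[str, str]
    cookies: dict[str, str] = field(default_factory=dict)


def normalise_origin(value: str):
    """Canonical scheme://host:port, or None for 'null' and other junk
    (an opaque 'null' origin is what sandboxed iframes and file:// pages send)."""
    parts = urlsplit(value)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return f"{parts.scheme}://{parts.hostname.lower()}:{port}"


ALLOWED = {normalise_origin(o) for o in ALLOWED_ORIGINS}


def permissive_cors_headers(req: Request) -> dict[str, str]:
    """Anti-pattern: reflect whatever Origin arrives and allow credentials.
    Any site can then make credentialed calls as a logged-in user and read the reply."""
    origin = req.headers.get("Origin")
    if origin is None:
        return {}
    return {"Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true"}


def hardened_cors_headers(req: Request) -> dict[str, str]:
    """Only allow-listed origins get an ACAO header; everyone else gets none,
    so the browser withholds the response body from the calling page."""
    origin = req.headers.get("Origin")
    if origin is None or normalise_origin(origin) not in ALLOWED:
        return {}
    return {"Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true",
            "Vary": "Origin"}


def csrf_token_matches(req: Request) -> bool:
    """Double-submit check: header value must equal the cookie value (constant time)."""
    cookie = req.cookies.get("csrf_token")
    header = req.headers.get("X-CSRF-Token")
    return bool(cookie and header and hmac.compare_digest(cookie, header))


def authorise_execute(req: Request):
    """Gate in front of an endpoint that runs code by design. Returns (allowed, reason)."""
    if req.method not in UNSAFE_METHODS:
        return True, "safe method"
    # A non-browser client presents an explicit bearer token and carries no
    # cookie session, so there are no ambient credentials for a third-party page to ride.
    if "Authorization" in req.headers and not req.cookies:
        return True, "token-authenticated, no ambient credentials"
    origin = req.headers.get("Origin")
    if origin is not None and normalise_origin(origin) not in ALLOWED:
        return False, "cross-origin request"
    # Fetch metadata, when the browser sends it, is an independent second signal.
    site = req.headers.get("Sec-Fetch-Site")
    if site is not None and site not in ("same-origin", "none"):
        return False, "cross-site request"
    if not csrf_token_matches(req):
        return False, "missing or mismatched CSRF token"
    return True, "ok"
```

The permissive variant is the one that works on a developer's laptop and fails on a shared server: it reflects `https://attacker.example` with `Access-Control-Allow-Credentials: true`, so a victim's browser will attach the Langflow session cookie to an attacker-initiated call. The hardened gate denies on three independent grounds (non-allow-listed Origin, cross-site fetch metadata, absent or mismatched CSRF token) and only waives the CSRF check for requests that carry an explicit bearer token and no cookie session, which is the shape of a legitimate API client.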

MuddyWater's selection of Langflow as a target reflects a documented Iranian threat-intelligence priority: AI platforms that connect to defence and government research networks. Langflow's open-source positioning and its active user community in universities and government data labs make it a predictable target for an actor seeking access to AI-assisted research pipelines rather than financial data.

What could happen next?
  • Risk

    Shadow AI infrastructure, including Langflow instances deployed by data teams without IT security oversight, now represents a confirmed attack surface that can yield access to the full credential set of an organisation's AI-connected services in a single exploitation.

    Immediate · Assessed
  • Precedent

    Two AI orchestration tool KEV entries in three weeks (LiteLLM on 8 May, Langflow on 21 May) establish the AI control plane as a recognised attack class in CISA's mandatory-action framework, which will accelerate enterprise security teams' inclusion of AI tooling in standard vulnerability management programmes.

    Short term · Assessed
  • Consequence

    MuddyWater's documented March 2026 exploitation of Langflow, combined with the KEV classification, creates a notification obligation for EU and UK public-sector organisations under NIS2 now, and under the Cyber Security and Resilience Bill's proposed 24-hour initial-notification requirement once it is in force, if they were running unpatched instances during the exploitation window and find evidence of compromise.

    Immediate · Assessed
First Reported In

Update #5 · GitHub's own code cloned via VS Code add-on

The Hacker News · 29 May 2026
Causes and effects

This event: AI orchestration flaw joins CISA's KEV. Two AI-tier entries in three weeks move the layer that wires models to data and tools from theoretical risk to a confirmed attack class.
Different Perspectives
Google Threat Intelligence Group
GTIG's attribution of the GitHub breach extends UNC6780's documented arc from SAP npm through Cisco AI Defense to GitHub's own estate; its 36-hour LiteLLM exploitation set the speed benchmark CISA AA26-148A is designed to address. GTIG's published tracking gives defenders the actor profile needed to assess their own developer-toolchain exposure.
Enterprise security buyers / CISO community
For enterprise security leaders, two KEV AI-orchestration entries in three weeks (LiteLLM 8 May, Langflow 21 May) convert shadow AI tooling from a governance risk to a confirmed attack surface requiring immediate software asset inventory. The 65 per cent gap in enterprise AI tool inventories documented by Wiz Research is now a liability rather than a compliance footnote.
DSIT / UK Government
DSIT framed the £14.7 billion sector figure and the Cyber Resilience Pledge as a paired signal: commercial strength alongside supply-chain accountability, with £90 million targeting the NHS supplier exposure this briefing's threat events directly illustrate. The voluntary Pledge's enforceability gap, prior to the Cyber Security and Resilience Bill reaching Royal Assent, is the question its launch does not answer.
GitHub / Microsoft
GitHub confirmed that no customer repositories or user data were affected by the Nx Console breach, but acknowledged approximately 3,800 internal repositories were cloned and referred to CISA Alert AA26-148A's allow-listing guidance. The incident puts Microsoft in the position of operating a marketplace whose publisher-verification gap is now a documented attack vector in a federal advisory.
Tsinghua University Institute for International Strategic Studies
Beijing-aligned commentary rejects US attribution of PRC-nexus clusters (UNC2814, APT45, UAT-8616) as politically motivated framing, characterising the sixteen-agency joint advisory issued in April as coordinated Western pressure rather than independent technical assessment.
Cisco
Cisco has not confirmed the UNC6780 breach scope beyond the named AI Defense and AI Assistant projects; GitHub confirmed an investigation. CVE-2026-20182 is the sixth Cisco SD-WAN KEV entry in 2026, reaching that milestone the same week UNC6780's source-code visibility into the portfolio became public.