CISA Adds Langflow and Apex One to KEV: A CSO's Read on What's Changing

A guest on the podcast a few months ago said something I keep coming back to. We were arguing about prioritization, and he said, "KEV is the floor, not the ceiling." Meaning, if something's on the Known Exploited Vulnerabilities catalog, you're already late. The actual exploitation started weeks or months before it landed there.

That line came back to me on Thursday. CISA added two new entries to KEV: a critical Langflow flaw and a directory traversal in Trend Micro Apex One on-prem. The same week, they opened a public form inviting the security community to nominate vulnerabilities for KEV inclusion.

Two moves, same week. Both pointing at the same underlying problem.

I want to walk through what's actually in the KEV additions, because the technical detail matters here, and then talk about what the nomination form tells us about where defenders are headed. If you're running security for a B2B software company, there's an angle in this you can't afford to skip.

The Two New KEV Entries

CVE-2025-34291 (Langflow, CVSS 9.4) is the one I'd flag first if you only have time to read one. Langflow is a low-code AI agent workflow platform. The vulnerability is an origin validation error that, in practice, combines three weaknesses sitting on top of each other. Obsidian Security wrote it up back in December: overly permissive CORS, no CSRF protection, and an endpoint that allows code execution by design. The kind of combination that gets through code review when everyone is moving fast.

What makes this one dangerous isn't the RCE on the Langflow instance itself. It's what Langflow holds. A workflow platform like this stores access tokens and API keys for every downstream service it integrates with. So a successful exploit against the Langflow instance becomes a key vault breach with credentials to a dozen connected SaaS apps. Obsidian called it a "cascading compromise" and that framing is correct.

The other detail that made me sit up: Ctrl-Alt-Intel reported in March 2026 that the Iranian threat actor MuddyWater was using this CVE for initial access. State-aligned, financially and politically motivated, with a long history of credential theft as the first move. If MuddyWater is using something as an initial access vector, you can assume two or three other groups have figured out the same path independently.

CVE-2026-34926 (Trend Micro Apex One, CVSS 6.7) is the less flashy one and worth careful reading. Directory traversal in on-premise Apex One. The catch is that exploitation requires a pre-authenticated local attacker with administrative credentials to the Apex One server already in hand. So this isn't your initial access bug. This is the lateral movement bug. The one your attacker uses after they've already gotten somewhere they shouldn't be, to inject code into your endpoint security agents.

Think about that for a second. Your EDR fleet trusts what it's getting pushed from the Apex One management server. A compromised management server pushing malicious code to agents is a near-perfect persistence and disablement vector. Trend Micro has confirmed they've observed at least one active exploitation attempt.

Federal Civilian Executive Branch agencies have until June 4, 2026 to apply the fixes. Everyone else should treat that as the floor.

The Bigger Move: CISA Opens KEV to Community Nominations

This is the part I've been thinking about more.

CISA published a public nomination form this week. Anyone (technology vendors, independent researchers, security teams who've seen exploitation in the wild) can now submit a vulnerability for KEV inclusion. The form asks for the CVE, evidence of exploitation, and mitigation guidance.

Chris Butera, CISA's acting executive assistant director for cybersecurity, said it plainly: "This new reporting capability enhances CISA's ability to identify, validate, and quickly share critical threat information. Early detection and coordinated vulnerability disclosure are among the most powerful tools we have to reduce risk at scale."

I want to take that at face value first, then say what I think it actually means.

At face value, this is good. CISA has been honest that KEV has historically been a trailing indicator. Dark Reading documented multiple cases back in 2023 where exploitation was happening for months before something got listed. The community sees attacks in the field long before federal agencies do. Opening the door to submissions shortens that loop.

What it actually means, though, is harder. Three things sitting underneath this announcement that nobody is talking about loudly enough:

One, CISA is implicitly acknowledging that their internal threat intelligence pipeline cannot keep pace with the disclosure volume. KEV has been updated six times in the last two weeks. The catalog now lists roughly 1,600 vulnerabilities. That growth rate is not slowing.

Two, NIST is in trouble. The NVD enrichment program (the work that gives a CVE its detailed analysis, scoring, and mitigation context) has been scaled back. NIST said publicly they'll prioritize only the most serious flaws going forward. So the institutional analytical layer underneath the entire US vulnerability disclosure ecosystem is thinner than it was two years ago, and CISA is trying to compensate by crowdsourcing the input side.

Three, validation is going to be the hard part. A public nomination form will get noisy. Researchers chasing CVE clout, vendors trying to force priority on their issues, well-meaning submitters who haven't actually verified exploitation. CISA's validation workload just went up. I'm watching to see what the rejection rate looks like in six months.

What I'm Telling Security Leaders This Week

A few things, in roughly the order I'd act on them.

Patch the two new KEV entries on the federal timeline, even if you're not a federal agency. June 4 is a reasonable target for any organization. The MuddyWater connection on Langflow alone makes that worth doing.

Inventory your AI workflow platforms. Langflow is one tool. There are a dozen others in production at companies right now that share its structural risk: low-code AI orchestration platforms that hold credentials to multiple SaaS systems. If your developers are using Langflow, n8n, Make, Zapier with AI integrations, Pipedream, or any of the AI agent builders, you need to know which ones, where they're hosted, and what they have access to. The cascading compromise pattern isn't going away.

Re-look at how you detect OAuth token theft and API key abuse. If your detection stack is still primarily endpoint-and-network focused, you're not going to see the cascade phase of one of these attacks until after the credentials are already being used somewhere downstream. SaaS-to-SaaS lateral movement is the new lateral movement, and the visibility tooling is not where it needs to be in most programs I see.

Update your incident response runbook for the AI integration cascade scenario specifically. Walk through what happens if a Langflow instance gets popped. Who do you call at each downstream service to revoke tokens? How fast can you cycle credentials across twelve integrated apps? If the answer is "we'd figure it out," that's the gap.

For B2B SaaS teams, your buyers' security reviews are going to start asking about your AI workflow tool inventory. They've already been asking about SOC 2 Type 2 and your Trust Center. The next wave of vendor due diligence questions will go deeper into your AI integration surface, and the vendors who can answer cleanly will close faster.

Five Predictions for the Next Twelve Months

I try to be careful with predictions because the cybersecurity field is full of people who confidently predicted the wrong thing. With that caveat:

One. We'll see at least three more AI workflow platform vulnerabilities land on KEV in 2026. The Langflow pattern (low-code AI orchestrator holding credentials) is going to repeat across the category.

Two. State-aligned actors will continue to prioritize AI integration layers as initial access vectors. MuddyWater isn't unique. The pattern is rational from their perspective: one foothold, many credentials.

Three. CISA's nomination form will produce signal in the first 90 days because the early submitters will be high-quality. After that, the signal-to-noise ratio will get harder, and CISA will need to publish their validation criteria more transparently.

Four. NIST's NVD scale-back will accelerate the shift of analytical work to private vendors. Expect to see consolidation in the threat intel and vuln intel space over the next eighteen months as the public-good infrastructure thins out.

Five. The "trailing indicator" critique of KEV will get sharper, not softer. Defenders who treat KEV as a primary signal will fall behind. The teams who win will be the ones who instrument their own environments well enough to spot exploitation telemetry before it shows up in any catalog.

Where Cyberbase and YSecurity Fit Into This

I want to be honest about my own positioning before I make it.

I'm the CSO at Cyberbase and I founded YSecurity. Both companies do work that intersects with what I just laid out, and I think the connection is worth naming.

Cyberbase is a deal accelerator for B2B software companies. The product handles AI contract redlining, due diligence automation, and the Trust Center. The reason that matters in the context of this story: when your buyer's security team starts asking deeper questions about your AI integration surface, you need to answer faster than your competitor. Augment Code processed 155 contracts and saved 743 hours using us. That kind of speed advantage is what matters more, not less, when the disclosure landscape is moving like this.

YSecurity is the advisory practice. Different company. Same founders. When a customer needs hands-on senior security work (program design, penetration testing, incident response readiness, board-level guidance), that's where it lives. The advisory and the software are independent but adjacent.

In a vulnerability landscape this dynamic, the teams that hold up are the ones with good software and good people working together. Tooling alone won't get there. Senior advisory alone won't either. Both, paired well, will.

The Quiet Read

KEV is necessary infrastructure. CISA opening it to community input is a meaningful move. Neither of those facts changes the underlying reality, which is that defenders need to stop treating external advisory catalogs as the primary signal for what's happening in their own environment.

Your security operations posture should be able to detect exploitation before CISA tells you about it. That's the bar. Most programs aren't there. The ones moving toward it are the ones I'm betting on for the next five years.

Patch Langflow and Apex One by June 4. Inventory your AI workflow tools this week. And get your detection stack in a state where you can spot a credential cascade before your downstream SaaS vendor sends you a notification.

That's the read.

Want to harden your vendor due diligence and security review response cycles? Book a 15-minute walkthrough of Cyberbase.

Need senior security advisory support for your program? YSecurity provides hands-on security leadership for B2B software companies. Jon also hosts The Security Podcast of Silicon Valley, where security practitioners talk about the work in plain language.