Langflow Origin Validation Flaw and Trend Micro Apex One Directory Traversal: When Your AI Tooling and Your Security Tooling Both Become Attack Surfaces

Two CVEs landed on CISA KEV this week, and they make an unusually clean point on their own: one is in a popular open-source LLM workflow tool (Langflow), the other is in an enterprise antivirus product (Trend Micro Apex One). One represents the new attack surface — AI tooling — and the other represents the old, persistent attack surface: the security product itself.

Let me unpack each, then talk about what they say together about Texas SMB security in mid-2026.

1. CVE-2025-34291 — Langflow Origin Validation Error

CISA KEV added: May 21, 2026 · Federal patch deadline: June 4, 2026 · CVSS: 8.6 (High)

Langflow is an open-source visual LLM workflow builder — picture a graphical canvas where you wire up LLM calls, retrieval steps, tools, and outputs without writing code. It is a popular tool for small businesses experimenting with AI workflows, and a lot of consultants ship Langflow-based deliverables to their clients.

CVE-2025-34291 is a CORS misconfiguration combined with a SameSite=None refresh-token cookie. In English: a malicious website visited by an authenticated Langflow user can issue cross-origin requests that the Langflow server will accept, including requests that read and modify the user\’s workflow data and credentials. If the user has saved API keys for OpenAI, Anthropic, or any other model provider in their Langflow workspace, those keys can be exfiltrated.

This is not exotic. A user with Langflow open in one tab visits a compromised website in another tab — and that is enough for the attack to succeed.

How to remediate:

• Upgrade Langflow to 1.6.0 or later per the upstream advisory.
• If your Langflow instance is internet-exposed, put it behind authentication you trust (Cloudflare Access, a VPN, or at minimum HTTP basic auth in front of it).
• Rotate every API key stored in any Langflow workspace. Yes, every one. If the workspace was reachable from the public internet, treat the keys as exposed.
• Audit usage logs at OpenAI, Anthropic, and any other LLM provider for the past 60 days for unusual activity.

2. CVE-2026-34926 — Trend Micro Apex One Directory Traversal

CISA KEV added: May 21, 2026 · Federal patch deadline: June 4, 2026 · Severity: Critical

Trend Micro Apex One is an enterprise endpoint protection product — the kind of antivirus that sits on every workstation in many Texas mid-market environments. CVE-2026-34926 is a directory traversal flaw in the on-premise version that lets an attacker read or write files outside the intended scope. Trend Micro\’s own KB entry confirms exploitation in the wild.

There is a pattern in this. Last month it was Microsoft Defender (CVE-2026-33825). The month before it was a FortiClient EMS pre-auth bypass. Security products themselves have an unusually rich attack surface — they run with high privilege, they touch every file on the system, and they are often the last thing administrators think to patch because "antivirus updates itself."

• Apply the Trend Micro Apex One on-premise patch from the May security bulletin.
• Validate that the patch actually deployed across your fleet. The Apex One management console will lie to you about this if you do not check.
• Audit recent Apex One agent logs for anomalous file activity in the last 30 days.
• If you are running Apex One on internet-facing servers, consider whether those servers need a different posture entirely.

The Pattern: Your AI Tooling and Your Security Tooling Are Both Attack Surfaces Now

Pair these two CVEs and the argument writes itself. Texas small businesses spent the last three years adopting AI tools — Langflow, n8n, Vapi, Retell, ChatGPT integrations, custom Copilot studios — and at the same time relying on a layer of security tooling to keep the rest of the stack safe. Both layers are now real attack surface. Both ship CVEs. Both require the same patching discipline as everything else.

The reflex among small business owners is to assume that AI tooling is "just a SaaS thing" and therefore not their problem to secure, while security tooling is "the security guy\’s problem" and equally not their problem. Both reflexes are wrong. The AI tooling holds your API keys and runs in your browser. The security tooling runs with kernel-level privilege on every laptop you own. Each is a worse compromise than most of the boring software you patch on Patch Tuesday.

The 2026 Stack Inventory

If you have not done one in a while, here is the inventory of categories Texas SMBs should be tracking for KEV-relevant CVE exposure in mid-2026:

• Endpoint protection — Defender, SentinelOne, CrowdStrike, Huntress, Apex One, etc.
• Edge appliances — firewalls, VPN concentrators, SD-WAN controllers, MDM consoles.
• Email security — Microsoft 365 Defender, Proofpoint, Mimecast, KnowBe4.
• Identity — Microsoft Entra, Okta, Auth0, on-prem AD, JumpCloud.
• RMM/PSA — SuperOps, NinjaOne, Atera, ConnectWise, Kaseya.
• Backup — Veeam, Datto, Backblaze, OneDrive sync, anything with persistence.
• AI workflow tools — Langflow, n8n, Make, Zapier, custom Python on a VPS.
• LLM accounts — OpenAI, Anthropic, Google, Mistral, with billing attached.
• Voice/communications — 3CX, Dialpad, RingCentral, Vapi, Retell.
• Cloud platforms — Azure, AWS, GCP, Cloudflare, plus the SaaS suite (Microsoft 365, Google Workspace).

For each category, you should know: What products are in scope? What version? Who owns patching? Are CISA KEV entries against those products being monitored? If you cannot answer those four questions for every category above, that is the project.

Need a 2026 Stack Inventory?

BVTech does this as a one-time engagement for Texas SMBs — fixed fee, transparent pricing, documented output you can hand to a cyber-insurance underwriter or a compliance auditor. Call (210) 538-3669 or email [email protected]. Most engagements take two weeks.

Stay sharp, Texas.

— Jordan Polasek is the Founder and Managing Partner of BVTech LLC, a Texas-based managed IT services provider. He holds AWS and 1Password certifications, the Certified Polysomnographic Technologist credential (CPSGT #294), and won the SuperOps Solo MSP of the Year Award in 2023. Connect with Jordan on LinkedIn or at jordanpolasek.com.