CVE-2026-34926 (GCVE-0-2026-34926)
Vulnerability from cvelistv5 – Published: 2026-05-21 13:03 – Updated: 2026-05-22 12:47Summary
A directory traversal vulnerability in the Apex One (on-premise) server could allow a pre-authenticated local attacker to modify a key table on the server to inject malicious code to deploy to agents on affected installations.
This vulnerability is only exploitable on the on-premise version of Apex One and a potential attacker must have access to the Apex One Server and already obtained administrative credentials to the server via some other method to exploit this vulnerability.
Severity
6.7 (Medium)
SSVC
Exploitation: active
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-23 - Relative Path Traversal
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Trend Micro, Inc. | TrendAI Apex One |
Affected:
2019 (14.0) , < 14.0.0.17079
(semver)
cpe:2.3:a:trendmicro:apexone_op:14.0.0.17079:*:*:*:*:*:*:* |
|
| Trend Micro, Inc. | TrendAI Apex One as a Service |
Affected:
SaaS , < 14.0.20731
(semver)
cpe:2.3:a:trendmicro:apexone_saas:14.0.0.20731:*:*:*:*:*:*:* |
CISA
Known Exploited Vulnerability - GCVE BCP-07 Compliant
KEV entry ID: 29739c2a-9ff9-4e9f-924c-b92c406a67b7
Exploited: Yes
Timestamps
First Seen: 2026-05-21
Asserted: 2026-05-21
Scope
Notes: KEV entry: Trend Micro Apex One (On-Premise) Directory Traversal Vulnerability | Affected: Trend Micro / Apex One | Description: Trend Micro Apex One (on-premise) contains a directory traversal vulnerability that could allow a pre-authenticated local attacker to modify a key table on the server to inject malicious code to deploy to agents on affected installations. | Required action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable. | Due date: 2026-06-04 | Known ransomware campaign use (KEV): Unknown | Notes (KEV): https://success.trendmicro.com/en-US/solution/KA-0023430 ; https://nvd.nist.gov/vuln/detail/CVE-2026-34926
Evidence
Type: Vendor Report
Signal: Successful Exploitation
Confidence: 80%
Source: cisa-kev
Details
| Cwes | CWE-23 |
|---|---|
| Feed | CISA Known Exploited Vulnerabilities Catalog |
| Product | Apex One |
| Due Date | 2026-06-04 |
| Date Added | 2026-05-21 |
| Vendorproject | Trend Micro |
| Vulnerabilityname | Trend Micro Apex One (On-Premise) Directory Traversal Vulnerability |
| Knownransomwarecampaignuse | Unknown |
References
Created: 2026-05-22 17:00 UTC
| Updated: 2026-05-22 17:00 UTC
KEVIntel
Known Exploited Vulnerability - GCVE BCP-07 Compliant
KEV entry ID: 66f8069b-2f96-4ec5-ab9f-22789e603cdf
Exploited: Yes
Timestamps
First Seen: 2026-06-01
Asserted: 2026-06-01
Scope
Notes: KEVIntel entry: A directory traversal vulnerability in the Apex One (on-premise) server could allow a pre-authenticated local attacker to modify a key table on the... | Affected: Trend Micro, Inc. / TrendAI Apex One, TrendAI Apex One as a Service | CVSS: 6.7 (MEDIUM) | EPSS: 0.01112 | Used in malware: unknown | Not yet in CISA KEV: False
Evidence
Type: Public Report
Signal: Successful Exploitation
Confidence: 70%
Source: kevintel
Details
| Feed | KEVIntel (kevintel.com) |
|---|---|
| Title | A directory traversal vulnerability in the Apex One (on-premise) server could allow a pre-authenticated local attacker to modify a key table on the... |
| Vendor | Trend Micro, Inc. |
| Product | TrendAI Apex One, TrendAI Apex One as a Service |
| Added Date | 2026-06-01T13:29:30.761Z |
| Cvss Score | 6.7 |
| Epss Score | 0.01112 |
| Cvss Severity | MEDIUM |
| Epss Percentile | 0.61676 |
| Used In Malware | unknown |
| Ahead Of Cisa Kev |
|
| Not Yet In Cisa Kev | False |
References
Created: 2026-06-23 14:03 UTC
| Updated: 2026-06-23 14:03 UTC
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-34926",
"options": [
{
"Exploitation": "active"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-22T03:55:44.534070Z",
"version": "2.0.3"
},
"type": "ssvc"
}
},
{
"other": {
"content": {
"dateAdded": "2026-05-21",
"reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-34926"
},
"type": "kev"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-22T12:47:07.213Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"government-resource"
],
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-34926"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:trendmicro:apexone_op:14.0.0.17079:*:*:*:*:*:*:*"
],
"product": "TrendAI Apex One",
"vendor": "Trend Micro, Inc.",
"versions": [
{
"lessThan": "14.0.0.17079",
"status": "affected",
"version": "2019 (14.0)",
"versionType": "semver"
}
]
},
{
"cpes": [
"cpe:2.3:a:trendmicro:apexone_saas:14.0.0.20731:*:*:*:*:*:*:*"
],
"product": "TrendAI Apex One as a Service",
"vendor": "Trend Micro, Inc.",
"versions": [
{
"lessThan": "14.0.20731",
"status": "affected",
"version": "SaaS",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A directory traversal vulnerability in the Apex One (on-premise) server could allow a pre-authenticated local attacker to modify a key table on the server to inject malicious code to deploy to agents on affected installations.\n\n\r\nThis vulnerability is only exploitable on the on-premise version of Apex One and a potential attacker must have access to the Apex One Server and already obtained administrative credentials to the server via some other method to exploit this vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 6.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-23",
"description": "CWE-23: Relative Path Traversal",
"lang": "en-US",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-21T13:03:21.164Z",
"orgId": "7f7bd7df-cffe-4fdb-ab6d-859363b89272",
"shortName": "trendmicro"
},
"references": [
{
"url": "https://success.trendmicro.com/en-US/solution/KA-0023430"
},
{
"url": "https://success.trendmicro.com/ja-JP/solution/KA-0022974"
},
{
"url": "https://jvn.jp/en/vu/JVNVU90583059/"
},
{
"url": "https://www.jpcert.or.jp/english/at/2026/at260014.html"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "7f7bd7df-cffe-4fdb-ab6d-859363b89272",
"assignerShortName": "trendmicro",
"cveId": "CVE-2026-34926",
"datePublished": "2026-05-21T13:03:21.164Z",
"dateReserved": "2026-03-31T17:22:13.504Z",
"dateUpdated": "2026-05-22T12:47:07.213Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"cisa_known_exploited": {
"cveID": "CVE-2026-34926",
"cwes": "[\"CWE-23\"]",
"dateAdded": "2026-05-21",
"dueDate": "2026-06-04",
"knownRansomwareCampaignUse": "Unknown",
"notes": "https://success.trendmicro.com/en-US/solution/KA-0023430 ; https://nvd.nist.gov/vuln/detail/CVE-2026-34926",
"product": "Apex One",
"requiredAction": "Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.",
"shortDescription": "Trend Micro Apex One (on-premise) contains a directory traversal vulnerability that could allow a pre-authenticated local attacker to modify a key table on the server to inject malicious code to deploy to agents on affected installations.",
"vendorProject": "Trend Micro",
"vulnerabilityName": "Trend Micro Apex One (On-Premise) Directory Traversal Vulnerability"
},
"epss": {
"cve": "CVE-2026-34926",
"date": "2026-07-06",
"epss": "0.12682",
"percentile": "0.95783"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2026-34926\",\"sourceIdentifier\":\"security@trendmicro.com\",\"published\":\"2026-05-21T14:16:45.213\",\"lastModified\":\"2026-06-17T10:39:49.727\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"A directory traversal vulnerability in the Apex One (on-premise) server could allow a pre-authenticated local attacker to modify a key table on the server to inject malicious code to deploy to agents on affected installations.\\n\\n\\r\\nThis vulnerability is only exploitable on the on-premise version of Apex One and a potential attacker must have access to the Apex One Server and already obtained administrative credentials to the server via some other method to exploit this vulnerability.\"}],\"affected\":[{\"source\":\"security@trendmicro.com\",\"affectedData\":[{\"vendor\":\"Trend Micro, Inc.\",\"product\":\"TrendAI Apex One\",\"cpes\":[\"cpe:2.3:a:trendmicro:apexone_op:14.0.0.17079:*:*:*:*:*:*:*\"],\"versions\":[{\"version\":\"2019 (14.0)\",\"lessThan\":\"14.0.0.17079\",\"versionType\":\"semver\",\"status\":\"affected\"}]},{\"vendor\":\"Trend Micro, Inc.\",\"product\":\"TrendAI Apex One as a Service\",\"cpes\":[\"cpe:2.3:a:trendmicro:apexone_saas:14.0.0.20731:*:*:*:*:*:*:*\"],\"versions\":[{\"version\":\"SaaS\",\"lessThan\":\"14.0.20731\",\"versionType\":\"semver\",\"status\":\"affected\"}]}]}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security@trendmicro.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:L/A:L\",\"baseScore\":6.7,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"HIGH\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"LOW\"},\"exploitabilityScore\":0.8,\"impactScore\":5.3}],\"ssvcV203\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"ssvcData\":{\"timestamp\":\"2026-05-22T03:55:44.534070Z\",\"id\":\"CVE-2026-34926\",\"options\":[{\"exploitation\":\"active\"},{\"automatable\":\"no\"},{\"technicalImpact\":\"total\"}],\"role\":\"CISA Coordinator\",\"version\":\"2.0.3\"}}]},\"cisaExploitAdd\":\"2026-05-21\",\"cisaActionDue\":\"2026-06-04\",\"cisaRequiredAction\":\"Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.\",\"cisaVulnerabilityName\":\"Trend Micro Apex One (On-Premise) Directory Traversal Vulnerability\",\"weaknesses\":[{\"source\":\"security@trendmicro.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-23\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:trendmicro:apex_one:*:*:*:*:on-premises:windows:*:*\",\"versionEndExcluding\":\"14.0.0.17079\",\"matchCriteriaId\":\"6F20657B-98A4-46BE-8481-12060262C850\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:trendmicro:apex_one:*:*:*:*:saas:windows:*:*\",\"versionEndExcluding\":\"14.0.20731\",\"matchCriteriaId\":\"322053CC-D396-412E-9F81-7640FE9DB7BD\"}]}]}],\"references\":[{\"url\":\"https://jvn.jp/en/vu/JVNVU90583059/\",\"source\":\"security@trendmicro.com\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://success.trendmicro.com/en-US/solution/KA-0023430\",\"source\":\"security@trendmicro.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://success.trendmicro.com/ja-JP/solution/KA-0022974\",\"source\":\"security@trendmicro.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://www.jpcert.or.jp/english/at/2026/at260014.html\",\"source\":\"security@trendmicro.com\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-34926\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"tags\":[\"Third Party Advisory\",\"US Government Resource\"]}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-34926\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"active\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-05-22T03:55:44.534070Z\"}}}, {\"other\": {\"type\": \"kev\", \"content\": {\"dateAdded\": \"2026-05-21\", \"reference\": \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-34926\"}}}], \"references\": [{\"url\": \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-34926\", \"tags\": [\"government-resource\"]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-05-21T13:50:37.989Z\"}}], \"cna\": {\"metrics\": [{\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 6.7, \"attackVector\": \"LOCAL\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:L/A:L\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"HIGH\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"HIGH\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"cpes\": [\"cpe:2.3:a:trendmicro:apexone_op:14.0.0.17079:*:*:*:*:*:*:*\"], \"vendor\": \"Trend Micro, Inc.\", \"product\": \"TrendAI Apex One\", \"versions\": [{\"status\": \"affected\", \"version\": \"2019 (14.0)\", \"lessThan\": \"14.0.0.17079\", \"versionType\": \"semver\"}]}, {\"cpes\": [\"cpe:2.3:a:trendmicro:apexone_saas:14.0.0.20731:*:*:*:*:*:*:*\"], \"vendor\": \"Trend Micro, Inc.\", \"product\": \"TrendAI Apex One as a Service\", \"versions\": [{\"status\": \"affected\", \"version\": \"SaaS\", \"lessThan\": \"14.0.20731\", \"versionType\": \"semver\"}]}], \"references\": [{\"url\": \"https://success.trendmicro.com/en-US/solution/KA-0023430\"}, {\"url\": \"https://success.trendmicro.com/ja-JP/solution/KA-0022974\"}, {\"url\": \"https://jvn.jp/en/vu/JVNVU90583059/\"}, {\"url\": \"https://www.jpcert.or.jp/english/at/2026/at260014.html\"}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"A directory traversal vulnerability in the Apex One (on-premise) server could allow a pre-authenticated local attacker to modify a key table on the server to inject malicious code to deploy to agents on affected installations.\\n\\n\\r\\nThis vulnerability is only exploitable on the on-premise version of Apex One and a potential attacker must have access to the Apex One Server and already obtained administrative credentials to the server via some other method to exploit this vulnerability.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en-US\", \"type\": \"CWE\", \"cweId\": \"CWE-23\", \"description\": \"CWE-23: Relative Path Traversal\"}]}], \"providerMetadata\": {\"orgId\": \"7f7bd7df-cffe-4fdb-ab6d-859363b89272\", \"shortName\": \"trendmicro\", \"dateUpdated\": \"2026-05-21T13:03:21.164Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2026-34926\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-05-22T12:47:07.213Z\", \"dateReserved\": \"2026-03-31T17:22:13.504Z\", \"assignerOrgId\": \"7f7bd7df-cffe-4fdb-ab6d-859363b89272\", \"datePublished\": \"2026-05-21T13:03:21.164Z\", \"assignerShortName\": \"trendmicro\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…