Trend Micro Apex One (On-Premise) Directory Traversal Vulnerability (CVE-2026-34926)
Severity Assessment
- Exploitability: 5/10 — NVD records CVSS v3.1 6.7 (MEDIUM), but exploitation requires local server access and high privileges.
- Impact: 8/10 — Successful abuse can inject malicious code into agent deployment workflows on affected installations.
- Weaponization Risk: 7/10 — CISA KEV inclusion indicates in-the-wild exploitation despite the local-access and high-privilege prerequisites.
- Patch Urgency: 9/10 — KEV listing with a federal due date indicates immediate remediation priority.
- Detection Coverage: 4/10 — Detection depends on server-side integrity monitoring and controlled change auditing.
Summary
CVE-2026-34926 is a directory traversal vulnerability (CWE-23, relative path traversal) affecting Trend Micro Apex One (on-premise). Per the NVD description, an authenticated local attacker with high privileges can modify a key table on the Apex One server and inject malicious code that is later deployed to agents on affected installations.
NVD rates the issue at CVSS v3.1 6.7 (MEDIUM) with vector CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:L/A:L; the changed scope (S:C) is consistent with impact that extends beyond the server to the agents it manages. The vulnerability has also been added to the CISA Known Exploited Vulnerabilities catalog, which reflects evidence of active exploitation and raises operational urgency.
The prerequisites stated in the vendor and NVD descriptions constrain the issue: exploitation requires local access to the Apex One server and administrative credentials already obtained by other means. Within those constraints, successful abuse reaches downstream managed endpoints.
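The vulnerability class named above, CWE-23, is a path built from an allowed root and an untrusted relative component that is never confined to that root. The following is an added illustration of that class, not Trend Micro code and not derived from the advisory: the vulnerable join is shown beside a hardened join that decodes once, normalises separators, rejects absolute or drive-qualified input, collapses dot segments and then requires the result to stay under the root. The root path and the sample inputs are constructed for the example.

```python
"""CWE-23 (relative path traversal): naive join versus confined join.
Added example; not Trend Micro code. Paths and inputs are hypothetical."""
import posixpath
from urllib.parse import unquote

# Hypothetical deployment-content root on the server (assumption, not a
# real Apex One location).
ALLOWED_ROOT = "/srv/apexone/deploy"


def unsafe_join(root: str, untrusted: str) -> str:
    """Vulnerable pattern: the untrusted component is joined as-is, so
    '../' segments walk out of the intended directory."""
    return posixpath.join(root, untrusted)


def safe_join(root: str, untrusted: str) -> str:
    """Hardened pattern: confine the normalised result to the root."""
    # One round of percent-decoding so '..%2F' cannot bypass the check.
    rel = unquote(untrusted)
    # Windows servers accept '\' as a separator; treat it like '/'.
    rel = rel.replace("\\", "/")
    first = rel.split("/", 1)[0]
    if posixpath.isabs(rel) or ":" in first:
        raise ValueError(f"absolute or drive-qualified path rejected: {untrusted!r}")
    root_norm = posixpath.normpath(root)
    candidate = posixpath.normpath(posixpath.join(root_norm, rel))
    # Compare against root + '/' so a sibling such as 'deploy2' is not
    # accepted by a bare prefix match.
    if candidate != root_norm and not candidate.startswith(root_norm + "/"):
        raise ValueError(f"path escapes allowed root: {untrusted!r}")
    return candidate


def is_rejected(root: str, untrusted: str) -> bool:
    """True when safe_join refuses the input."""
    try:
        safe_join(root, untrusted)
    except ValueError:
        return True
    return False


def escapes_root(root: str, untrusted: str) -> bool:
    """What the vulnerable code actually does with the input: True when the
    naive join resolves outside root."""
    root_norm = posixpath.normpath(root)
    resolved = posixpath.normpath(unsafe_join(root_norm, untrusted))
    return resolved != root_norm and not resolved.startswith(root_norm + "/")


def audit_entries(root: str, entries: list) -> dict:
    """After-the-fact audit of stored path entries (for example a table of
    deployment paths): maps each entry to whether it escapes root."""
    return {e: escapes_root(root, e) for e in entries}


if __name__ == "__main__":
    # Constructed inputs, not observed attacker data.
    samples = [
        "agents/package.zip",
        "agents/../agents/package.zip",
        "../../../etc/passwd",
        "..%2F..%2Fetc%2Fpasswd",
        "..\\..\\windows\\system32\\drivers\\etc\\hosts",
        "/etc/passwd",
        "C:\\Windows\\win.ini",
    ]
    for s in samples:
        try:
            print(f"{s!r:50} -> {safe_join(ALLOWED_ROOT, s)}")
        except ValueError as err:
            print(f"{s!r:50} -> REJECTED ({err})")
```

The check deliberately allows `agents/../agents/package.zip`, because after normalisation it still lies under the root; what matters is where the path resolves, not whether the literal string contains `..`. On a live system, resolve symlinks (for example with `os.path.realpath`) before the prefix comparison, since a link inside the root can point outside it.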
Exploit Chain
Stage 1: Access to Apex One Server
The attacker first obtains local access to the Apex One on-premise server environment.
Stage 2: Privileged Authentication
The attacker possesses administrative credentials for the server, as required by the vulnerability conditions.
Stage 3: Directory Traversal Abuse and Table Modification
The attacker abuses the traversal flaw to modify a key table on the server.
Stage 4: Malicious Code Injection and Agent Propagation
The attacker injects malicious code into deployment paths that can be propagated to Apex One agents on managed systems.
Detection Guidance
- Audit Apex One server changes for unauthorized modifications to key tables and deployment-related configuration data.
- Monitor privileged account usage on Apex One infrastructure for unusual local access patterns.
- Validate integrity of Apex One deployment content before propagation to agents.
- Restrict administrative access paths to the Apex One server and enforce MFA/segmentation controls.
- Apply Trend Micro vendor mitigations and version updates as documented in advisory KA-0023430.
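The integrity and change-audit items above can be implemented as a hash manifest taken at a known-good point and diffed against a fresh manifest before content is released to agents. The block below is an added example of that pattern, not Trend Micro tooling and not tied to any real Apex One directory; the manifest keys, file contents and approved-change list are constructed for the example. The `release_gate` function is the piece a practitioner would wire into a deployment step: it refuses unless every difference is on an approved change list.

```python
"""Manifest-based integrity check for server-side deployment content.
Added example; not Trend Micro tooling. Sample files are constructed."""
import hashlib
import os
from typing import Dict, Iterable, List

Manifest = Dict[str, str]  # relative path -> hex SHA-256


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: Dict[str, bytes]) -> Manifest:
    """Manifest from an in-memory {relative_path: content} mapping."""
    return {path: sha256_hex(content) for path, content in files.items()}


def build_manifest_from_dir(root: str) -> Manifest:
    """Manifest from a real directory tree. Keys are relative with forward
    slashes so manifests from different hosts compare cleanly."""
    manifest: Manifest = {}
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                manifest[rel] = sha256_hex(fh.read())
    return manifest


def diff_manifests(baseline: Manifest, current: Manifest) -> Dict[str, List[str]]:
    """Sorted lists of paths that were added, removed or modified."""
    base_keys, cur_keys = set(baseline), set(current)
    return {
        "added": sorted(cur_keys - base_keys),
        "removed": sorted(base_keys - cur_keys),
        "modified": sorted(p for p in base_keys & cur_keys if baseline[p] != current[p]),
    }


def unexpected_changes(baseline: Manifest, current: Manifest,
                       approved: Iterable[str] = ()) -> List[str]:
    """Every changed path that is not on the approved change list."""
    diff = diff_manifests(baseline, current)
    changed = {p for group in diff.values() for p in group}
    return sorted(changed - set(approved))


def release_gate(baseline: Manifest, current: Manifest,
                 approved: Iterable[str] = ()) -> bool:
    """True only when all differences were approved; otherwise hold the
    release and investigate (see the operational indicators below)."""
    return not unexpected_changes(baseline, current, approved)


if __name__ == "__main__":
    # Constructed sample: a known-good snapshot and a later snapshot in
    # which one file was altered, one removed and one added.
    baseline = build_manifest({
        "agents/installer.bin": b"installer-v1",
        "agents/config.ini": b"[agent]\nserver=apexone.internal\n",
        "agents/helper.dll": b"helper-v1",
    })
    current = build_manifest({
        "agents/installer.bin": b"installer-v1",
        "agents/config.ini": b"[agent]\nserver=attacker.example\n",
        "agents/update.ps1": b"Write-Host injected",
    })
    print(diff_manifests(baseline, current))
    print("release allowed:", release_gate(baseline, current, approved=["agents/helper.dll"]))
```

Store the baseline manifest somewhere the Apex One server administrator cannot silently rewrite it (an offline copy or a separate, read-only host), otherwise an attacker who already holds server-level administrative credentials, as this vulnerability presumes, can rebaseline their own changes.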
Indicators of Compromise
The referenced sources do not provide a stable IOC set such as fixed hashes or attacker infrastructure.
Operational indicators may include:
- Unexpected modifications to Apex One server tables or deployment metadata.
- Unplanned code artifacts in deployment payloads distributed to agents.
- Privileged local server activity that does not map to approved maintenance windows.
Disclosure Timeline
2026-05-21 — Public disclosure and KEV inclusion
NVD publishes CVE-2026-34926 details and CISA adds the vulnerability to KEV.
2026-05-21 — Vendor advisory
Trend Micro publishes guidance for Apex One in advisory KA-0023430.
Sources & References
- Cybersecurity and Infrastructure Security Agency: Known Exploited Vulnerabilities Catalog — Cybersecurity and Infrastructure Security Agency, 2026-05-21
- National Vulnerability Database: CVE-2026-34926 — National Vulnerability Database, 2026-05-21
- Trend Micro: Apex One (on-premise) Advisory KA-0023430 — Trend Micro, 2026-05-21