EXECUTIVE SUMMARY:
CVE-2026-41264 with a CVSS score of 9.2 is a remote code execution vulnerability affecting FlowiseAI Flowise, specifically versions 3.0.13 and below, as well as any other versions that have not been explicitly stated as fixed. The vulnerability exists in the run method of the CSV_Agents class, which lacks proper sandboxing when evaluating LLM-generated Python scripts. An attacker can exploit this vulnerability by leveraging prompt injection techniques to convince an LLM to respond with a malicious Python script that executes attacker-controlled commands on the Flowise server. Attackers can achieve this by sending prompts to a chatflow using the CSV Agent node, which may be done by an unauthenticated attacker or an authenticated attacker specifying an attacker-controlled server in a chatflow. This vulnerability allows attackers to execute arbitrary code in the context of the user running the server, resulting in the execution of attacker-controlled commands. The business impact and consequences of exploitation include the potential loss of data, disruption of services, and unauthorized access to sensitive information. Prerequisites or conditions required for exploitation include the ability to send prompts to a chatflow using the CSV Agent node and the presence of an LLM that can generate malicious Python scripts.[/subscribe_to_unlock_form]
EXECUTIVE SUMMARY:
CVE-2026-41264 with a CVSS score of 9.2 is a remote code execution vulnerability affecting FlowiseAI Flowise, specifically versions 3.0.13 and below, as well as any other versions that have not been explicitly stated as fixed. The vulnerability exists in the run method of the CSV_Agents class, which lacks proper sandboxing when evaluating LLM-generated Python scripts. An attacker can exploit this vulnerability by leveraging prompt injection techniques to convince an LLM to respond with a malicious Python script that executes attacker-controlled commands on the Flowise server. Attackers can achieve this by sending prompts to a chatflow using the CSV Agent node, which may be done by an unauthenticated attacker or an authenticated attacker specifying an attacker-controlled server in a chatflow. This vulnerability allows attackers to execute arbitrary code in the context of the user running the server, resulting in the execution of attacker-controlled commands. The business impact and consequences of exploitation include the potential loss of data, disruption of services, and unauthorized access to sensitive information. Prerequisites or conditions required for exploitation include the ability to send prompts to a chatflow using the CSV Agent node and the presence of an LLM that can generate malicious Python scripts.[emaillocker id="1283"]
RECOMMENDATION:
We recommend you to update Flowise to version 3.1.0.
REFERENCES:
The following reports contain further technical details:
https://github.com/advisories/GHSA-3hjv-c53m-58jj