Metasploit Weekly Adds Flowise CSV, macOS PackageKit
Rapid7's Metasploit weekly drops two modules — a Flowise CSV Agent prompt-injection RCE and a macOS PackageKit LPE. New tooling, not new bugs.
Rapid7 shipped its Metasploit weekly wrap-up with two exploit modules that sit at very different points in the stack: a Flowise CSV Agent prompt-injection RCE (CVE-2026-41264, CVSS 9.8) and a macOS PackageKit local privilege escalation (CVE-2024-27822, CVSS 7.8). Both underlying bugs are already known and cited to NVD. What is new is the module.
Flowise: the LLM abstraction has a Python interpreter under it
Flowise is an open-source drag-and-drop builder for LLM applications — chatflows composed of nodes wired together in a visual canvas. The CSV Agent node accepts an uploaded CSV, hands it to the LLM, and asks the LLM to answer questions about it. To do that, the agent evaluates the Python code the LLM produces. Per Rapid7’s writeup, the eval path is not sandboxed.
That means the mechanism of the flaw is not a Flowise bug in the traditional sense of a memory error or an authorization check gone wrong. It is the design decision to let a language model generate code and hand it directly to the interpreter, without an intermediate boundary that treats the model’s output as untrusted input. Prompt-inject the LLM into producing arbitrary Python, upload a CSV that carries the injection, and the Python runs as the Flowise process. Per NVD, all versions prior to Flowise 3.1.0 are affected; Rapid7’s module targets 1.3.0 through 3.0.13. Discovery is credited to Takahiro Yokoyama and coordinated through ZDI; the vendor advisory is GHSA-3hjv-c53m-58jj. Public NVD record: CVE-2026-41264, published 2026-04-23.
The precondition worth noting is authentication, and it is a two-layer story. The underlying vulnerability, per NVD, does not require Flowise authentication to trigger — the sandbox absence is the problem regardless of who reaches the CSV Agent. Rapid7’s module chooses an API-key ingress: it needs a key that holds the chatflows:create permission to script the module cleanly. That distinction matters two ways. First, a Flowise instance reachable without an API key at all is a wider surface than the module’s default path suggests. Second, deployments where a lower-privilege API key was issued for an integration or a developer tool and treated as scoped to “just building chatflows” — the scope already covers the vulnerable surface.
PackageKit: an installer that trusts its own shebang
CVE-2024-27822 is not a new CVE — Apple patched it in the May 2024 macOS Sonoma 14.5 release, with parallel fixes in macOS Ventura 13.6.7 and macOS Monterey 12.7.5. The vulnerability lives in PackageKit, the framework that runs .pkg installer scripts. When a preinstall or postinstall script uses a #!/bin/zsh shebang, the shell is invoked in a way that sources ~/.zshenv from the calling user’s home directory — but the shell itself runs as root, because PackageKit’s installer authorization has already granted root.
A local unprivileged user who can plant a .zshenv in their own home directory has therefore staged a payload that runs as root the next time any PKG installer with a zsh preinstall script executes. Rapid7’s module packages that path: it writes the .zshenv, opens a minimal PKG through Installer.app, and waits for the user to click through the standard installer authentication dialog. Original research is credited to Mykola Grymalyuk with the module contributed by h00die. Patched macOS releases from May 2024 forward do not carry the flaw. Anything older on your fleet still does.
The two abstractions
Neither module discovers anything. What each module does is compress the distance between “this class of bug is documented” and “this class of bug is a repeatable step in an engagement.” That is the news, because it is where detection engineering actually lives.
The Flowise path expands a surface most organisations have not fully inventoried. LLM-application tooling — Flowise, LangChain wrappers, agent frameworks — moves fast, gets deployed in developer environments and internal-facing sandboxes, and rarely appears on the asset-management spreadsheet the SOC is watching. An unsandboxed Python eval reachable through an API key with chatflows:create is exactly the kind of surface that shows up first through a Metasploit run and then through an incident report.
The PackageKit path is the opposite of new. It is a legacy PKG installer behaviour on a patched-two-years-ago flaw, and the module exists because the population of unpatched macOS hosts is still large enough to matter. The physical layer under Apple’s installer UX has not moved: PKG scripts run as root, and shell scripts source rc files. The flaw was that the shell selected happens to run its rc file with the installer’s privileges before the script proper starts. That is the sort of thing that stays quietly working — and quietly exploitable — on any host that has not been dragged through 14.5 or its equivalent point release on the older lines.
The rest of the drop
The same wrap-up ships an apache_htaccess Linux persistence module — a mod_cgi web shell planted via .htaccess, not a new vulnerability so much as a codified TTP. Enhancements include finer-grained Kerberos and certificate tracing, FTP fingerprint refinement, and MCP Server tool-field additions. Two bug fixes: an AARCH64 Windows exe generation issue and RBCD ACE-removal behaviour. None of that changes any exposure — but it moves each of those already-visible techniques a step closer to being a default rather than a plugin.
What to check tonight
Two inventories that are cheaper than they look:
- Flowise: if any team runs it, list the API keys issued against it and their permission scopes. The vendor fix is Flowise 3.1.0; anything on 3.0.13 or earlier — or reachable without an API key on any pre-3.1.0 build — is the Metasploit surface as of this week. Confirm the running version, not the last version anyone remembers deploying.
- macOS: query your MDM (Jamf, Kandji, Intune) for hosts on macOS 14.4 or earlier on the Sonoma line, 13.6.6 or earlier on Ventura, 12.7.4 or earlier on Monterey, and 11.x anywhere. Those are the builds the PackageKit module needs. A single host that reboots into a two-year-old point release after an image restore is the whole exposure.
Neither number should be large on a well-managed fleet. Both are what you check when a new Metasploit module lands, because the module is the signal that the surface just got easier for everyone downstream of the researcher.
Sources
- Rapid7. Weekly Metasploit Update: Exploits for FlowiseAI CSV Agent and macOS Package Kit, 2026-07-10.
- NVD: CVE-2026-41264, CVE-2024-27822.
- Apple. About the security content of macOS Sonoma 14.5.
- FlowiseAI. GHSA-3hjv-c53m-58jj — vendor advisory (fixed in 3.1.0).
- Related coverage: Metasploit’s July 3 Drop: SMB-to-Meterpreter, Peyara.
Found this useful? Share it.
