FlowiseAI CSV Agent prompt-injection RCE via unsandboxed Python eval
FlowiseAI Flowise builds prior to 3.1.0 evaluate LLM-generated Python from the CSV Agent node without a sandbox, allowing prompt-injection RCE. CVSS 9.8. Fixed in 3.1.0.
- Vendor
- FlowiseAI
- Product
- Flowise (CSV Agent node)
- CVSS
- 9.8
- EPSS (exploit probability)
- N/A
- Status
- patched
- Published
CVE-2026-41264 is a prompt-injection remote code execution flaw in FlowiseAI Flowise, the drag-and-drop LLM application builder. Per NVD, the CSV Agent node evaluates LLM-generated Python without sandboxing. A CSV crafted to prompt-inject the underlying model can therefore produce Python that runs as the Flowise server process. All versions prior to 3.1.0 are affected.
Advisory context
Discovery is credited to Takahiro Yokoyama and coordinated through the Zero Day Initiative. Vendor advisory: GHSA-3hjv-c53m-58jj. NVD record published 2026-04-23. Rapid7 shipped a public Metasploit module targeting the flaw on 2026-07-10 — module path multi/http/flowise_auth_rce_cve_2026_41264, which uses an API key holding chatflows:create as its ingress. The underlying flaw does not require Flowise authentication to trigger; the module’s precondition is a scope choice, not a limitation of the vulnerability.
What to do
Upgrade Flowise to 3.1.0 or later. Inventory any API keys issued against a Flowise instance and their permission scopes — a key with chatflows:create on any pre-3.1.0 build is now a Metasploit target. If the instance is reachable without an API key, the exposure is wider than the module’s default path suggests.
Coverage context and the two-abstraction framing alongside the macOS PackageKit LPE shipped in the same wrap-up: Metasploit Weekly Adds Flowise CSV, macOS PackageKit. Canonical NVD record: CVE-2026-41264.