Skip to content
feed: live
>_ 0dayNews
CVE Record
[ CRITICAL ] CVE-2026-41264

FlowiseAI CSV Agent prompt-injection RCE via unsandboxed Python eval

FlowiseAI Flowise builds prior to 3.1.0 evaluate LLM-generated Python from the CSV Agent node without a sandbox, allowing prompt-injection RCE. CVSS 9.8. Fixed in 3.1.0.

cat cve-2026-41264.json
Vendor
FlowiseAI
Product
Flowise (CSV Agent node)
CVSS
9.8
EPSS (exploit probability)
N/A
Status
patched
Published

CVE-2026-41264 is a prompt-injection remote code execution flaw in FlowiseAI Flowise, the drag-and-drop LLM application builder. Per NVD, the CSV Agent node evaluates LLM-generated Python without sandboxing. A CSV crafted to prompt-inject the underlying model can therefore produce Python that runs as the Flowise server process. All versions prior to 3.1.0 are affected.

Advisory context

Discovery is credited to Takahiro Yokoyama and coordinated through the Zero Day Initiative. Vendor advisory: GHSA-3hjv-c53m-58jj. NVD record published 2026-04-23. Rapid7 shipped a public Metasploit module targeting the flaw on 2026-07-10 — module path multi/http/flowise_auth_rce_cve_2026_41264, which uses an API key holding chatflows:create as its ingress. The underlying flaw does not require Flowise authentication to trigger; the module’s precondition is a scope choice, not a limitation of the vulnerability.

What to do

Upgrade Flowise to 3.1.0 or later. Inventory any API keys issued against a Flowise instance and their permission scopes — a key with chatflows:create on any pre-3.1.0 build is now a Metasploit target. If the instance is reachable without an API key, the exposure is wider than the module’s default path suggests.

Coverage context and the two-abstraction framing alongside the macOS PackageKit LPE shipped in the same wrap-up: Metasploit Weekly Adds Flowise CSV, macOS PackageKit. Canonical NVD record: CVE-2026-41264.