Cyber Posture

CVE-2026-41137

High · Public PoC

Published: 23 April 2026

Modified: 24 April 2026
KEV Added
Patch
CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0030 53.6th percentile
Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Description

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the CSVAgent allows providing custom Pandas CSV read code. Due to lack of sanitization, an attacker can provide a command injection payload that will get interpolated and executed by the server. This vulnerability is fixed in 3.1.0.

Mitigating Controls (NIST 800-53 r5) (AI)

prevent

Directly addresses the lack of sanitization in custom Pandas CSV read code by requiring input validation to block command injection payloads.

prevent

Ensures timely identification and remediation of the command injection flaw through patching to Flowise version 3.1.0.

prevent

Implements least functionality to prohibit or restrict the vulnerable custom code execution capability in the CSVAgent component.

Security Summary (AI)

CVE-2026-41137 is a command injection vulnerability (CWE-94) affecting Flowise, an open-source drag-and-drop user interface for building customized large language model (LLM) flows. The flaw resides in the CSVAgent component prior to version 3.1.0, which permits users to supply custom Pandas CSV read code without adequate sanitization. This allows an attacker to craft a payload that gets interpolated and executed as a command on the server. The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for remote exploitation with low privileges.

An authenticated attacker with low privileges (PR:L) can exploit this over the network (AV:N) with low attack complexity (AC:L) and no user interaction (UI:N). Exploitation enables arbitrary command execution on the server, with high impact on confidentiality, integrity, and availability (C:H/I:H/A:H) within the unchanged scope (S:U), such as data exfiltration, modification, or denial of service.

The official Flowise security advisory (GHSA-9wc7-mj3f-74xv) details the issue and confirms it is remediated in version 3.1.0. Practitioners should prioritize upgrading affected Flowise deployments to this patched release to mitigate the risk.

Flowise's focus on LLM flow orchestration underscores security considerations for AI/ML tools, where unsanitized code execution in agent components can expose production infrastructure. No public evidence of real-world exploitation is available as of the CVE publication on 2026-04-23.

Details

CWE(s)

Affected Products

flowiseai / flowise: ≤ 3.1.0

AI Security Analysis (AI)

AI Category: Data Processing Libraries
Risk Domain: N/A
OWASP Top 10 for LLMs 2025: None mapped
MITRE ATLAS Techniques: None mapped
Classification Reason: Matched keywords: large language model

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1059 Command and Scripting Interpreter (Execution)
Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.

Why these techniques?

A command injection vulnerability in a public-facing web UI (Flowise) enables exploitation of a public-facing application (T1190), leading to arbitrary remote command execution (T1059).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
