CVE-2026-41264
Published: 23 April 2026
Description
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the specific flaw exists within the run method of the CSV_Agents class. The issue results from the lack of proper sandboxing when evaluating an LLM-generated Python script. An attacker can leverage this vulnerability to execute code in the context of the user running the server. Using prompt injection techniques, an unauthenticated attacker with the ability to send prompts to a chatflow using the CSV Agent node may convince an LLM to respond with a malicious Python script that executes attacker-controlled commands on the Flowise server. This vulnerability is fixed in 3.1.0.
Mitigating Controls (NIST 800-53 r5)
Requires timely remediation of flaws like the unsandboxed Python script evaluation in Flowise's CSV_Agents class, as directly fixed by upgrading to version 3.1.0.
Mandates process isolation to sandbox execution of untrusted LLM-generated Python scripts, directly countering the lack of proper sandboxing.
Implements memory protections to restrict unauthorized code execution, preventing attacker-controlled Python scripts from running in the server context.
Security Summary
CVE-2026-41264 is a code execution vulnerability in Flowise, an open-source drag-and-drop user interface for building customized large language model (LLM) flows. The flaw resides in the run method of the CSV_Agents class in versions prior to 3.1.0, stemming from insufficient sandboxing when evaluating Python scripts generated by an LLM. This allows arbitrary code execution in the context of the user running the Flowise server.
An unauthenticated attacker who can send prompts to a chatflow utilizing the CSV Agent node can exploit this vulnerability through prompt injection techniques. By crafting a malicious prompt, the attacker can trick the LLM into generating and executing a Python script that runs attacker-controlled commands on the Flowise server, potentially leading to full compromise including high-impact confidentiality, integrity, and availability violations as indicated by the CVSS v3.1 score of 9.8.
The official GitHub security advisory for Flowise (GHSA-3hjv-c53m-58jj) confirms the issue and states that it is fully addressed in version 3.1.0, recommending immediate upgrades to mitigate the risk.
This vulnerability highlights risks in AI/ML workflows, particularly prompt injection leading to insecure code evaluation in LLM-based agents. No public evidence of real-world exploitation is available at the time of publication.
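The root cause described above is a server evaluating model-generated Python in its own process; the mitigating controls call for process isolation of that execution. The following added example (written for this page, not Flowise's own code) shows the anti-pattern beside a hardened executor: a static AST gate that rejects imports, dangerous builtins and dunder access, followed by execution in a separate interpreter with a scratch working directory, an emptied environment (so API keys in the server's environment are not inherited), a CPU limit on POSIX and a wall-clock timeout. The function names, the blocked-call list and the sample script are assumptions made for the example. The static gate is defense in depth only; source-level filtering of Python is known to be incomplete, so the subprocess isolation is the control that matters.

```python
import ast
import os
import subprocess
import sys
import tempfile

# Builtins the script may not call directly (example allow/deny policy, not Flowise's).
BLOCKED_CALLS = {
    "exec", "eval", "compile", "open", "__import__", "getattr", "setattr",
    "delattr", "globals", "locals", "vars", "input", "breakpoint",
}

# Constructed sample of a benign, model-generated analysis script.
BENIGN_SCRIPT = "rows = [1, 2, 3]\nprint(sum(rows))\n"


def unsafe_run(script: str) -> None:
    """The anti-pattern: whatever the model wrote runs as the server user, in-process."""
    exec(script)  # illustrative only; this is the pattern the advisory describes


def check_script(script: str) -> list:
    """Statically reject imports, blocked builtins and dunder access; return findings."""
    try:
        tree = ast.parse(script)
    except SyntaxError as exc:
        return [f"line {exc.lineno}: syntax error: {exc.msg}"]
    findings = []
    for node in ast.walk(tree):
        if isinstance(node, (ast.Import, ast.ImportFrom)):
            findings.append(f"line {node.lineno}: import statements are not allowed")
        elif (isinstance(node, ast.Call) and isinstance(node.func, ast.Name)
              and node.func.id in BLOCKED_CALLS):
            findings.append(f"line {node.lineno}: call to {node.func.id}() is not allowed")
        elif isinstance(node, ast.Attribute) and node.attr.startswith("__"):
            findings.append(f"line {node.lineno}: dunder attribute {node.attr!r} is not allowed")
        elif (isinstance(node, ast.Name) and node.id.startswith("__")
              and node.id not in BLOCKED_CALLS):
            findings.append(f"line {node.lineno}: dunder name {node.id!r} is not allowed")
    return findings


def _limit_resources() -> None:
    """Runs in the child before exec (POSIX only): cap CPU seconds and output file size."""
    try:
        import resource
        resource.setrlimit(resource.RLIMIT_CPU, (2, 2))
        resource.setrlimit(resource.RLIMIT_FSIZE, (1_000_000, 1_000_000))
    except (ValueError, OSError):
        pass  # keep going; the wall-clock timeout still applies


def run_isolated(script: str, timeout: float = 5.0) -> dict:
    """Vet the script, then run it in a separate interpreter with a scratch cwd,
    a stripped environment and a timeout. Returns a small result record."""
    findings = check_script(script)
    if findings:
        return {"ok": False, "stdout": "", "stderr": "\n".join(findings), "returncode": None}
    workdir = tempfile.mkdtemp(prefix="csv-agent-")
    env = {"PATH": "", "LANG": "C"}  # nothing from the server's environment leaks in
    kwargs = {"preexec_fn": _limit_resources} if os.name == "posix" else {}
    try:
        proc = subprocess.run(
            [sys.executable, "-I", "-"],  # -I: ignore PYTHON* vars and user site-packages
            input=script, capture_output=True, text=True,
            timeout=timeout, cwd=workdir, env=env, **kwargs,
        )
    except subprocess.TimeoutExpired:
        return {"ok": False, "stdout": "", "stderr": f"timed out after {timeout}s", "returncode": None}
    return {"ok": proc.returncode == 0, "stdout": proc.stdout,
            "stderr": proc.stderr, "returncode": proc.returncode}


if __name__ == "__main__":
    print(run_isolated(BENIGN_SCRIPT))
    print(run_isolated("import os\nos.system('id')"))
```

The static gate returns a list of findings rather than raising, so an agent can log why a generated script was refused (useful detection telemetry for prompt-injection attempts) and fall back to a structured, non-executing answer. On a real deployment the subprocess should additionally run under a dedicated low-privilege user or container with no network access; those are host-level controls outside what a Python snippet can show.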
AI Security Analysis
- AI Category: Other AI Platforms
- Risk Domain: LLM/Generative AI Risks
- OWASP Top 10 for LLMs 2025: None mapped
- MITRE ATLAS Techniques: None mapped
- Classification Reason: Matched keywords: large language model, llm, prompt injection, llm
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability allows unauthenticated remote code execution via prompt injection against a public-facing Flowise server: the attacker exploits the exposed application (T1190, Exploit Public-Facing Application) to have it run arbitrary Python scripts (T1059.006, Command and Scripting Interpreter: Python).