CVE-2026-41265
Published: 23 April 2026
Description
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the specific flaw exists within the run method of the Airtable_Agents class. The issue results from the lack of proper sandboxing when evaluating an LLM-generated Python script. Using prompt injection techniques, an unauthenticated attacker with the ability to send prompts to a chatflow using the Airtable Agent node may convince an LLM to respond with a malicious Python script that executes attacker-controlled commands on the Flowise server. This vulnerability is fixed in 3.1.0.
Mitigating Controls (NIST 800-53 r5) (AI-generated)
SC-39 (Process Isolation): execute LLM-generated Python in a separate, confined process rather than inside the Flowise server process, so that a script which does reach a command interpreter cannot act on the host or on the server's environment. This is the control that addresses the root cause named in the advisory, the missing sandbox around evaluation of generated code.
SC-18 (Mobile Code): treat LLM-generated Python as untrusted mobile code that must be confined, validated, authenticated and sanitized before execution. Whenever an untrusted user can supply prompts, the model's output is attacker-influenced and must be handled with the same care as any other user-supplied executable content.
SI-10 (Information Input Validation): inspect the generated script for forbidden constructs (OS, process, network and filesystem modules, eval/exec, dunder attribute chains) before evaluation, and reject rather than repair anything that fails. This is defence in depth only: Python's dynamism makes any denylist bypassable, so validation does not replace process isolation.
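The two layers described above, as an added example that is not Flowise's code and does not describe how release 3.1.0 implements its fix. It assumes a hypothetical policy (the FORBIDDEN_MODULES / FORBIDDEN_NAMES sets), the helper names validate_script and run_confined, illustrative limits (512 MiB, 5 s CPU, a wall-clock timeout), and constructed sample scripts in the shape of what an agent's LLM step might emit. A child interpreter with resource limits is a floor, not a full sandbox (no namespaces, seccomp or container boundary); it shows the difference between evaluating model output in the server process and evaluating it somewhere it cannot reach the server.

```python
"""Validate, then confine, an LLM-generated Python script before running it.

Added example (not Flowise code). The unsafe pattern the advisory describes
amounts to evaluating model output inside the server process. Here a script is
(1) statically checked for interpreter escape hatches (SI-10 / SC-18 style
validation) and (2) run in a separate interpreter with an empty environment,
a wall-clock timeout and POSIX resource limits (SC-39 style isolation).
The denylist in (1) is defence in depth only; (2) is the control that holds.
"""
import ast
import os
import subprocess
import sys

# Assumed policy for this example: an analysis script has no business touching
# the OS, the network, the filesystem or the interpreter's own machinery.
FORBIDDEN_MODULES = {
    "os", "sys", "subprocess", "socket", "shutil", "ctypes", "importlib",
    "pathlib", "signal", "multiprocessing", "pty", "code", "runpy", "builtins",
}
FORBIDDEN_NAMES = {
    "eval", "exec", "compile", "open", "__import__", "getattr", "setattr",
    "globals", "locals", "vars", "breakpoint", "input",
}


def validate_script(src: str) -> list:
    """Parse (never run) src and return the list of policy violations.

    Any name or attribute starting with "__" is rejected outright: the classic
    escapes go through __class__/__subclasses__/__globals__ chains, and a
    data-analysis script does not need them.
    """
    try:
        tree = ast.parse(src, mode="exec")
    except SyntaxError as e:
        return [f"syntax error at line {e.lineno}: {e.msg}"]
    violations = []
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for alias in node.names:
                if alias.name.split(".")[0] in FORBIDDEN_MODULES:
                    violations.append(f"import of {alias.name}")
        elif isinstance(node, ast.ImportFrom):
            if (node.module or "").split(".")[0] in FORBIDDEN_MODULES:
                violations.append(f"import from {node.module}")
        elif isinstance(node, ast.Name):
            # Flag references, not just calls: `e = eval; e(...)` is a bypass
            if node.id in FORBIDDEN_NAMES or node.id.startswith("__"):
                violations.append(f"reference to {node.id}")
        elif isinstance(node, ast.Attribute) and node.attr.startswith("__"):
            violations.append(f"dunder attribute .{node.attr}")
    return violations


def _limit_child():
    """preexec_fn, runs in the child on POSIX: cap address space and CPU time."""
    try:
        import resource
        resource.setrlimit(resource.RLIMIT_AS, (512 * 1024 * 1024,) * 2)
        resource.setrlimit(resource.RLIMIT_CPU, (5, 5))
    except (ImportError, ValueError, OSError):
        pass  # limits are best-effort; the timeout below still applies


def run_confined(src: str, timeout: float = 5.0) -> dict:
    """Run src in a fresh isolated interpreter; never exec() it in-process.

    -I ignores PYTHONPATH, the user site and the cwd on sys.path; the script
    arrives on stdin (no shell, nothing visible in argv); env={} keeps the
    server's API keys and tokens out of the child. Returns a dict, never raises.
    """
    problems = validate_script(src)
    if problems:
        return {"status": "rejected", "violations": problems}
    try:
        proc = subprocess.run(
            [sys.executable, "-I", "-"], input=src, env={},
            capture_output=True, text=True, timeout=timeout,
            preexec_fn=_limit_child if os.name == "posix" else None,
        )
    except subprocess.TimeoutExpired:
        return {"status": "timeout", "seconds": timeout}
    return {
        "status": "ok" if proc.returncode == 0 else "error",
        "returncode": proc.returncode,
        "stdout": proc.stdout[-4096:],  # cap what flows back to the model/user
        "stderr": proc.stderr[-4096:],
    }


# Constructed sample inputs (not real model output).
BENIGN_SCRIPT = """
import json
records = json.loads('[{"name": "a", "count": 3}, {"name": "b", "count": 5}]')
print(sum(r["count"] for r in records))
"""
INJECTED_SCRIPTS = {  # three escalating attempts a prompt-injected model might emit
    "direct": 'import subprocess\nprint(subprocess.check_output(["id"]))\n',
    "aliased": '__import__("os").system("id")\n',
    "escape_chain": 'print(().__class__.__base__.__subclasses__())\n',
}
RUNAWAY_SCRIPT = "while True:\n    pass\n"  # passes validation; isolation must stop it

if __name__ == "__main__":
    print("benign      ->", run_confined(BENIGN_SCRIPT))
    for label, script in INJECTED_SCRIPTS.items():
        print(f"{label:12}->", run_confined(script)["violations"])
    print("runaway     ->", run_confined(RUNAWAY_SCRIPT, timeout=1.0))
```

The runaway script is the point of the second layer: it contains nothing the validator objects to, so only the timeout and resource limits of the child process bound it. A real deployment would add a filesystem and network boundary (container, seccomp or a dedicated sandbox runtime) around the child, and would run it under a user with no access to the server's configuration.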
Security Summary (AI-generated)
CVE-2026-41265 is a critical vulnerability in Flowise, an open-source drag-and-drop user interface for building customized large language model (LLM) flows. Affecting versions prior to 3.1.0, the flaw exists in the run method of the Airtable_Agents class due to insufficient sandboxing when evaluating Python scripts generated by an LLM. Classified as CWE-77 (command injection), it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H): reachable over the network, low attack complexity, no privileges or user interaction required, and high impact on confidentiality, integrity and availability.
An unauthenticated attacker who can send prompts to a chatflow using the Airtable Agent node can exploit this issue via prompt injection techniques. By crafting malicious prompts, the attacker tricks the LLM into producing a Python script that executes arbitrary attacker-controlled commands directly on the Flowise server, enabling full remote code execution with high confidentiality, integrity, and availability impacts.
The vulnerability is fixed in Flowise version 3.1.0. According to the GitHub Security Advisory (GHSA-v38x-c887-992f), users should upgrade to the patched version to mitigate the risk.
Details
- CWE(s): CWE-77 (Improper Neutralization of Special Elements used in a Command ('Command Injection'))
- Affected Products: Flowise, versions prior to 3.1.0
AI Security Analysis (AI-generated)
- AI Category: Other AI Platforms
- Risk Domain: LLM/Generative AI Risks
- OWASP Top 10 for LLMs 2025: LLM01:2025 Prompt Injection
- MITRE ATLAS Techniques: None mapped
- Classification Reason: Matched keywords: large language model, llm, prompt injection
MITRE ATT&CK Enterprise Techniques (AI-generated)
Why these techniques?
T1190 (Exploit Public-Facing Application): the attacker needs no credentials, only the ability to send prompts to a chatflow that uses the Airtable Agent node. T1059.006 (Command and Scripting Interpreter: Python): the prompt-injected model output is Python that the server evaluates without a sandbox, which hands the attacker command execution on the Flowise host.