External risk intelligence

Flowise allows attackers to run custom code, potentially stealing sensitive files or customer data.

CVE advisory

Severity: CRITICAL (CVSS 9.4)

CVE-2026-41137

A security flaw in Flowise allows an external attacker to take full control of the server, potentially exposing sensitive business data. This could lead to the theft of confidential information and the total compromise of your underlying infrastructure.

Halo Surface Signal: 3

Weakness: Code Injection

Product: Flowiseai Flowise

Affected versions: before 3.1.0

External exposure likelihood

Halo Surface Signal score for CVE-2026-41137

Flowise is a web-based interface for building LLM workflows. It is deployed as a web application that may be hosted internally or exposed to the internet. While it functions as a web service, it is not inherently a public-facing edge gateway or identity portal, making widespread public internet exposure plausible in some environments but not guaranteed as a default deployment pattern.

Horizon Alert

Summary of the vulnerability and why it matters

This vulnerability in Flowise allows an attacker to execute arbitrary commands by injecting malicious code into custom CSV read logic. If not updated, your Flowise instance could be compromised, potentially leading to significant data loss or system disruption.

  • Executes commands on the server.
  • Requires attacker to have existing access.
  • Impacts business logic and data integrity.

Attack Path

How an attacker could exploit the issue

An attacker with authenticated access to Flowise can exploit this by crafting a malicious CSV file. When the vulnerable CSVAgent processes this file, it will execute arbitrary commands on the server, allowing the attacker to take control of the system.

  • Requires authenticated access.
  • Targets the CSVAgent CSV processing.
  • Command injection via unsanitized input.

Live Threat

Current exploitation, exposure, and threat context

Attackers will likely find this vulnerability appealing due to its critical severity and the potential for remote code execution with low privileges. The ability to inject and execute arbitrary commands on the server opens significant avenues for compromising the application and any data it processes. Public exploit code is not yet observed, suggesting a potential window for proactive defense.

  • Command injection is a potent attack vector.
  • Exploitation requires low privileges.
  • No public exploit code observed.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Prioritize upgrading Flowise to version 3.1.0 or later to address the critical command injection vulnerability. If an immediate upgrade is not feasible, isolate or take affected services offline to prevent exploitation of unpatched systems.

  • Upgrade to Flowise 3.1.0+.
  • Isolate affected Flowise instances.
  • Monitor for suspicious command execution.
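To turn the priority actions above into something repeatable across a fleet, here is a small triage script. It is an added example for this advisory, not code from Flowise or from the advisory's publisher. It assumes only two facts stated on the page: versions before 3.1.0 are affected, and internet-facing instances deserve the first attention. The inventory, host names and version strings in it are constructed sample data. It also handles two version-string edge cases that bite naive checks: numeric comparison (so 3.10.x is correctly treated as newer than 3.1.0) and pre-release tags (so a 3.1.0 release candidate is still counted as unpatched).

```python
"""Fleet triage for CVE-2026-41137 (Flowise CSVAgent command injection).

Added example; not Flowise project code. Assumption from the advisory:
releases before 3.1.0 are affected. All host data below is constructed.
"""
import re
from typing import List, NamedTuple, Tuple

FIXED_VERSION = (3, 1, 0)  # first fixed release per the advisory

# Accepts "3.0.4", "v3.1.0", "3.1.0-rc1", "3.1.0+build.7"
_VERSION_RE = re.compile(
    r"^v?(\d+(?:\.\d+)*)(-[0-9A-Za-z.]+)?(\+[0-9A-Za-z.]+)?$"
)


def parse_version(version: str) -> Tuple[Tuple[int, ...], int]:
    """Convert a version string into a tuple that compares correctly.

    Returns (numeric_parts, release_flag). Comparing integer tuples avoids
    the string-comparison trap where "3.10.1" < "3.9.0". The release flag is
    0 for a pre-release ("-rc1") and 1 for a final release, so a pre-release
    of the fixed version sorts below the fix and is still treated as
    affected. Build metadata ("+build.7") does not affect ordering.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    parts += [0] * max(0, 3 - len(parts))  # pad "3.1" to (3, 1, 0)
    prerelease = m.group(2) is not None
    return (tuple(parts), 0 if prerelease else 1)


def is_affected(version: str) -> bool:
    """True if this Flowise version is before the fixed release 3.1.0."""
    return parse_version(version) < (FIXED_VERSION, 1)


class Instance(NamedTuple):
    name: str
    version: str
    internet_facing: bool


def triage(instances: List[Instance]) -> List[Instance]:
    """Return the affected instances, most urgent first.

    Exposure drives urgency: an internet-facing unpatched instance ranks
    above an internal one, matching the advisory's exposure reasoning.
    Ties are broken by name so the output is stable.
    """
    affected = [i for i in instances if is_affected(i.version)]
    return sorted(affected, key=lambda i: (not i.internet_facing, i.name))


def recommended_action(inst: Instance) -> str:
    """Map one instance to the advisory's remediation guidance."""
    if not is_affected(inst.version):
        return "no action: already on 3.1.0 or later"
    if inst.internet_facing:
        return "upgrade to 3.1.0+ now; isolate or take offline until patched"
    return ("upgrade to 3.1.0+; restrict access and monitor for "
            "unexpected command execution")


# Constructed sample inventory (not real hosts or observed versions).
SAMPLE_INVENTORY = [
    Instance("flowise-prod-edge", "3.0.4", True),
    Instance("flowise-dev", "v3.1.0-rc1", False),
    Instance("flowise-internal", "3.1.0", False),
    Instance("flowise-lab", "2.2.8", False),
    Instance("flowise-new", "3.10.1", True),
]


if __name__ == "__main__":
    for inst in triage(SAMPLE_INVENTORY):
        exposure = "internet-facing" if inst.internet_facing else "internal"
        print(f"{inst.name:20} {inst.version:12} {exposure:16} "
              f"-> {recommended_action(inst)}")
```

Feed it your real inventory (name, reported version, exposure flag) in place of `SAMPLE_INVENTORY`; the version parser raises on strings it cannot interpret rather than silently treating them as patched, which is the safer failure mode for a patch-status check.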

Frequently asked questions

What is Flowise and what is it used for?

Flowise is a tool that provides a drag-and-drop interface for users to build custom workflows for large language models. It allows for visual development of AI applications without extensive coding.

How does CVE-2026-41137 allow command injection in Flowise?

CVE-2026-41137 is a command injection vulnerability. In versions prior to 3.1.0, Flowise's CSVAgent did not properly sanitize custom Pandas CSV read code, allowing an attacker to insert and execute malicious commands on the server.

What are the preconditions for an attacker to exploit CVE-2026-41137?

An attacker needs to have authenticated access to the Flowise application. They would then craft a malicious CSV file with a command injection payload, which, when processed by the vulnerable CSVAgent, would execute arbitrary commands on the server.

Who should be concerned about this Flowise vulnerability?

Organizations using Flowise should be concerned, especially if their instances are accessible from the internet or host sensitive internal data. The Halo Surface Signal indicates a 'Possible' exposure risk, suggesting that while not guaranteed to be internet-facing by default, Flowise instances can potentially be exposed externally.

What is the recommended first step for organizations running Flowise?

The immediate and most critical step is to upgrade Flowise to version 3.1.0 or a later release. This version contains the fix for the command injection vulnerability.
