External risk intelligence

Flowise systems can be taken over by attackers through malicious prompts.

CVE advisory

Severity: CRITICAL (CVSS 9.2)

CVE-2026-41264

An unauthenticated attacker can control Flowise systems by tricking the AI into running malicious code through chat prompts, potentially compromising server functions and sensitive data. This critical flaw is fixed in version 3.1.0.

Halo Surface Signal: 4

Flowiseai Flowise before 3.1.0

External exposure likelihood

Halo Surface Signal score for CVE-2026-41264

Flowise is a platform for building chat-based LLM applications. These chatflows are frequently deployed as internet-facing web services to allow users to interact with the LLM, making the underlying application interface and its agents commonly reachable from the public internet.

Horizon Alert

Summary of the vulnerability and why it matters

This vulnerability in Flowise allows an unauthenticated attacker to execute arbitrary code on the server. It occurs when an LLM-generated Python script is evaluated without proper sandboxing, meaning malicious code injected through a chatflow can run with server privileges. This is a serious risk because it can compromise the entire Flowise instance.

  • Unauthenticated attackers can gain control.
  • Sensitive data or server functions may be compromised.
  • The issue is present in versions before 3.1.0.

Attack Path

How an attacker could exploit the issue

An unauthenticated attacker can exploit this flaw by crafting a malicious prompt that tricks the LLM into generating and executing harmful Python code. This code would run on the Flowise server, allowing the attacker to control the compromised system.

  • Requires unauthenticated prompt access.
  • Targets LLM-generated Python script evaluation.
  • Prompt injection convinces the LLM to generate code that the server then executes.

Live Threat

Current exploitation, exposure, and threat context

Attackers may find this vulnerability appealing due to its ability to allow unauthenticated code execution on a server through prompt injection, bypassing normal security controls. While the direct impact is server-side code execution, the ultimate goal would be to leverage that access for broader network compromise or data exfiltration. The method requires crafting specific prompts to an LLM, which can be challenging but is a known technique for exploiting AI systems.

  • Exploitation may require sophisticated prompt engineering.
  • Public exploit code is not immediately apparent.
  • The vulnerability impacts a tool for building AI applications.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Prioritize isolating or taking offline services using Flowise versions prior to 3.1.0, especially if they process untrusted input via the CSV Agent node. Review logs for signs of suspicious Python script execution or unauthorized command activity. The critical nature and remote unauthenticated exploitability of this vulnerability demand immediate containment.

  • Upgrade Flowise to version 3.1.0 or later.
  • Block network access to vulnerable Flowise instances.
  • Monitor for unusual process execution on affected servers.
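
One way to act on the process-monitoring step above, as an added example (not code from Flowise or from this advisory): flag any process that descends from the Flowise service and runs a binary outside an expected set. The event format, the `flowise` command-line match and the allowlist are assumptions to adapt to your own telemetry.

```python
import json

# Constructed sample: simplified process-creation events, one JSON object per
# line, in creation order (the shape an EDR or auditd export is often normalised to).
SAMPLE_EVENTS = """\
{"pid": 100, "ppid": 1, "exe": "/usr/local/bin/node", "cmdline": "node /usr/local/bin/flowise start"}
{"pid": 210, "ppid": 100, "exe": "/usr/local/bin/node", "cmdline": "node worker.js"}
{"pid": 300, "ppid": 100, "exe": "/bin/sh", "cmdline": "sh -c id"}
{"pid": 301, "ppid": 300, "exe": "/usr/bin/id", "cmdline": "id"}
{"pid": 400, "ppid": 1, "exe": "/usr/sbin/sshd", "cmdline": "sshd -D"}
{"pid": 401, "ppid": 400, "exe": "/bin/bash", "cmdline": "-bash"}
"""

# Assumption: binaries the Flowise service legitimately spawns on this host.
# Build the real set from a baseline of normal operation.
EXPECTED_CHILD_EXES = {"/usr/local/bin/node"}


def is_flowise_root(event):
    # Assumption: the service is identifiable by "flowise" in its command line.
    return "flowise" in event["cmdline"].lower()


def unexpected_descendants(lines):
    """Return events under a Flowise process that run an unexpected binary."""
    events = [json.loads(line) for line in lines.splitlines() if line.strip()]
    tainted = set()  # pids that are Flowise or descend from it (ignores PID reuse)
    findings = []
    for ev in events:
        if is_flowise_root(ev):
            tainted.add(ev["pid"])
            continue
        if ev["ppid"] in tainted:
            tainted.add(ev["pid"])  # keep following the lineage to grandchildren
            if ev["exe"] not in EXPECTED_CHILD_EXES:
                findings.append(ev)
    return findings


if __name__ == "__main__":
    for hit in unexpected_descendants(SAMPLE_EVENTS):
        print(f"ALERT pid={hit['pid']} ppid={hit['ppid']} exe={hit['exe']} cmd={hit['cmdline']!r}")
```
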

Frequently asked questions

What is the specific vulnerability in Flowise, and which versions are affected?

The vulnerability exists within the run method of the CSV_Agents class in Flowise. Prior to version 3.1.0, Flowise fails to properly sandbox LLM-generated Python scripts, allowing for code execution.

How can an attacker exploit this Flowise vulnerability?

An unauthenticated attacker can exploit this flaw by using prompt injection techniques. They can trick the LLM into generating a malicious Python script that executes attacker-controlled commands on the Flowise server, gaining access to the user's context.

What is the weakness class associated with CVE-2026-41264 in Flowise?

The weakness class identified for CVE-2026-41264 in Flowise is CWE-184, which relates to incorrect sandboxing when evaluating LLM-generated Python scripts.

What is the relevance of this Flowise vulnerability to external systems?

The CVSS v4.0 analysis indicates the Attack Vector is Network (AV:N), classifying this CVE as external. Flowise applications are often deployed as internet-facing services, making their agents commonly reachable from the public internet.

What are the recommended actions to mitigate the Flowise CSV Agent vulnerability?

The recommended action is to upgrade Flowise to version 3.1.0 or later. If immediate upgrading is not possible, consider isolating or taking offline services using vulnerable Flowise versions, especially those processing untrusted input via the CSV Agent node, and monitor for suspicious activity.
