External risk intelligence

Flowise accepts malicious commands over the internet, allowing attackers to control your server.

CVE advisorySeverity: CRITICAL (CVSS 9.2)

CVE-2026-41265

Flowise can be tricked into running harmful commands on your server through a flaw in how it handles AI-generated code, potentially allowing unauthorized access.

4Halo Surface Signal

Flowiseai Flowise

before 3.1.0

External exposure likelihood

Halo Surface Signal score for CVE-2026-41265

Flowise is a web-based platform used to build and serve LLM chat interfaces. These chatflows are frequently deployed as internet-facing web applications or API endpoints to enable user interaction, making them reachable by external parties in common real-world use cases.

CVSS vector

CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Horizon Alert

Summary of the vulnerability and why it matters

This vulnerability in Flowise allows an unauthenticated attacker to run malicious commands on the server. The issue stems from Flowise not properly isolating code generated by a language model, which can be tricked into executing harmful instructions. This is a significant concern because it could lead to a complete compromise of the server hosting the Flowise application.

  • Attackers can remotely execute code.
  • Impacts servers running vulnerable Flowise versions.
  • Enables unauthorized server control.

Attack Path

How an attacker could exploit the issue

An unauthenticated attacker can exploit this by sending a specially crafted prompt to a Flowise instance running an Airtable Agent node. This prompt manipulates the LLM into generating malicious Python code that the server then executes, allowing the attacker to run commands on the server.

  • Target chatflow with Airtable Agent.
  • Prompt injection for code execution.
  • Unauthenticated access required.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability in Flowise allows unauthenticated attackers to execute arbitrary commands on the server by crafting malicious prompts that trick the LLM into generating and running a harmful Python script. While prompt injection can be complex, the direct execution of code on the server makes this a highly desirable target for attackers.

  • Unauthenticated remote code execution is attractive.
  • Prompt injection requires careful crafting.
  • Critical flaw in LLM script evaluation.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Prioritize patching Flowise to version 3.1.0 or later to address the critical Python script execution vulnerability. If immediate patching is not feasible, isolate affected instances of Flowise from external network access and implement strict network segmentation to prevent potential command execution on the server.

  • Apply Flowise version 3.1.0 or newer.
  • Isolate affected Flowise instances.
  • Monitor for suspicious outbound network activity.

Frequently asked questions

What is Flowise and what is it used for?

Flowise is a visual tool that helps you build custom large language model (LLM) applications by allowing you to drag and drop components. It's used for creating conversational AI flows and integrating LLMs into various applications.

How does CVE-2026-41265 break Flowise?

CVE-2026-41265 is a vulnerability categorized as CWE-77 (Improper Neutralization of Special Elements used in an OS Command), often referred to as command injection. It happens because Flowise doesn't properly secure code generated by an LLM, allowing attackers to inject malicious Python scripts that can run commands on the server.

What actions must an attacker take to exploit this Flowise vulnerability?

An attacker needs to be able to send prompts to a Flowise chatflow that uses the Airtable Agent node. They would then use prompt injection techniques to make the LLM generate a malicious Python script, which Flowise then executes on the server. It is not triggered if the Airtable Agent node is not in use.

Who should be concerned about this Flowise vulnerability?

Organizations using Flowise, especially those with instances that are internet-facing, should be concerned. The Halo Surface Signal indicates this is likely a concern due to the common deployment of Flowise as a web application or API endpoint accessible from the internet.

What is the first step to address this Flowise security threat?

The most important first step is to update Flowise to version 3.1.0 or a later version. This version includes the fix for the vulnerability that allows attackers to execute commands on your server.

References

Sources and related resources

Primary sources: NVD, CVE.org.

NVDPublished Modified