CVE-2026-41264: CWE-184: Incomplete List of Disallowed Inputs in FlowiseAI Flowise
FlowiseAI Flowise versions prior to 3. 1. 0 contain a critical vulnerability (CVE-2026-41264) in the CSV_Agents class run method. The flaw arises from insufficient sandboxing when evaluating Python scripts generated by the large language model (LLM). An unauthenticated attacker able to send prompts to a chatflow using the CSV Agent node can exploit this by injecting malicious Python code, which executes with the privileges of the user running the Flowise server. This vulnerability allows remote code execution via crafted prompt injection. The issue is fixed in version 3. 1. 0.
AI Analysis
Technical Summary
CVE-2026-41264 is a critical remote code execution vulnerability in FlowiseAI Flowise prior to version 3.1.0. It stems from incomplete input filtering and lack of proper sandboxing in the run method of the CSV_Agents class. Attackers can leverage prompt injection to cause the LLM to generate and execute malicious Python scripts on the server, running with the server user's privileges. This vulnerability is classified under CWE-184 (Incomplete List of Disallowed Inputs). The flaw is resolved in Flowise version 3.1.0.
Potential Impact
Successful exploitation allows unauthenticated remote attackers to execute arbitrary Python code on the Flowise server with the privileges of the user running the service. This can lead to full compromise of the server environment, data theft, or further lateral movement. The CVSS 4.0 base score is 9.2 (critical), reflecting the high severity and network attack vector with no privileges required.
Mitigation Recommendations
Upgrade Flowise to version 3.1.0 or later, where this vulnerability is fixed. Since no official patch or temporary fix is indicated beyond the version upgrade, applying this update is the recommended remediation. There is no indication that the vulnerability is mitigated in any other way. Users should avoid running vulnerable versions in production environments until patched.
CVE-2026-41264: CWE-184: Incomplete List of Disallowed Inputs in FlowiseAI Flowise
Description
FlowiseAI Flowise versions prior to 3. 1. 0 contain a critical vulnerability (CVE-2026-41264) in the CSV_Agents class run method. The flaw arises from insufficient sandboxing when evaluating Python scripts generated by the large language model (LLM). An unauthenticated attacker able to send prompts to a chatflow using the CSV Agent node can exploit this by injecting malicious Python code, which executes with the privileges of the user running the Flowise server. This vulnerability allows remote code execution via crafted prompt injection. The issue is fixed in version 3. 1. 0.
CVSS v4.0
Score 9.2critical
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-41264 is a critical remote code execution vulnerability in FlowiseAI Flowise prior to version 3.1.0. It stems from incomplete input filtering and lack of proper sandboxing in the run method of the CSV_Agents class. Attackers can leverage prompt injection to cause the LLM to generate and execute malicious Python scripts on the server, running with the server user's privileges. This vulnerability is classified under CWE-184 (Incomplete List of Disallowed Inputs). The flaw is resolved in Flowise version 3.1.0.
Potential Impact
Successful exploitation allows unauthenticated remote attackers to execute arbitrary Python code on the Flowise server with the privileges of the user running the service. This can lead to full compromise of the server environment, data theft, or further lateral movement. The CVSS 4.0 base score is 9.2 (critical), reflecting the high severity and network attack vector with no privileges required.
Mitigation Recommendations
Upgrade Flowise to version 3.1.0 or later, where this vulnerability is fixed. Since no official patch or temporary fix is indicated beyond the version upgrade, applying this update is the recommended remediation. There is no indication that the vulnerability is mitigated in any other way. Users should avoid running vulnerable versions in production environments until patched.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-04-18T14:01:46.801Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69ea9e7887115cfb686fc345
Added to database: 4/23/2026, 10:34:32 PM
Last enriched: 5/1/2026, 8:49:19 PM
Last updated: 6/7/2026, 8:04:35 AM
Views: 56
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.