Flowise — CSV Agent Prompt Injection RCE and Cluster of New CVEs (CVE-2026-41264)
AI relevance: Flowise is a widely-used low-code AI agent builder; its CSV Agent node executes LLM-generated Python code in a pyodide sandbox without proper prompt injection guards, enabling unauthenticated remote attackers to achieve server-side code execution through crafted chatflow queries.
Trend Micro's Zero Day Initiative (ZDI) disclosed CVE-2026-41264, an unauthenticated remote code execution vulnerability in Flowise's CSV Agent node, on April 21, 2026. This is part of a broader cluster of CVEs affecting Flowise prior to version 3.1.0, covering command injection, file upload, and data exposure.
CVE-2026-41264 — CSV Agent Prompt Injection RCE
Flowise's CSV Agent node processes queries by generating a system prompt from CSV column metadata, passing it to an LLM, and then executing the LLM's Python response in a pyodide sandbox. The vulnerability stems from insufficient sandboxing: an attacker can craft a query that convinces the LLM to generate malicious Python code, which then runs with access to the server's filesystem. No authentication is required — any user who can reach the chatflow API endpoint can exploit this.
Additional Flowise CVEs (pre-3.1.0)
Alongside the ZDI finding, several related CVEs were disclosed covering different attack vectors:
- CVE-2026-41137 — CSV Agent command injection via unsanitized custom Pandas read code, allowing command injection payloads to be interpolated and executed server-side.
- CVE-2026-41138 — AirtableAgent RCE due to missing input validation when using Pandas for data processing.
- CVE-2026-41268 — FILE-STORAGE parameter override bypass combined with NODE_OPTIONS environment variable injection for RCE.
- CVE-2026-41269 — Unrestricted file upload allowing persistent storage of Node.js web shells on the server.
- CVE-2026-41266 — Sensitive data exposure via /api/v1/public-chatbotConfig/:id, leaking API keys, HTTP authorization headers, and internal configuration without authentication.
- CVE-2026-41270 — Improper access control enabling unauthorized access to chatflow configuration and execution.
These are distinct from the previously reported Flowise CVE-2025-59528 (default credential RCE) and the OX Security MCP adapter findings — representing a fresh wave of vulnerabilities identified by ZDI and other researchers.
Why it matters
- Flowise has 150M+ downloads and 7,000+ publicly accessible instances — the CSV Agent is a commonly used node for data analysis workflows.
- The prompt injection RCE (CVE-2026-41264) demonstrates a unique attack class: using the LLM itself as a code-generation weapon against its own execution sandbox.
- The information disclosure (CVE-2026-41266) means API keys for connected LLM providers, vector databases, and external services are exposed to any unauthenticated requester.
- The web shell upload (CVE-2026-41269) provides persistent access even after other vulnerabilities are patched.
What to do
- Upgrade Flowise to version 3.1.0 or later, which addresses all listed CVEs.
- Restrict network access to the Flowise server (port 3000/TCP) — do not expose it directly to the internet.
- Rotate all API keys and credentials stored in Flowise chatflow configurations, especially if the instance was previously internet-accessible.
- Audit deployed Flowise instances for suspicious file uploads or unexpected chatflow configurations.
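For the upload audit in the last step, a triage script can flag stored files that Node.js could load as code, the artifact CVE-2026-41269 leaves behind. This is an added example, not Flowise or ZDI code; the storage directory is whatever path your deployment uses (passed in as root), and the extension list and content markers are assumed heuristics, not published indicators.

```python
import os
import re
import tempfile

# Assumed heuristic: extensions Node.js loads as code; chat uploads are normally data files.
SCRIPT_EXTS = {".js", ".mjs", ".cjs", ".node"}
# Assumed heuristic: byte patterns of server-side JavaScript that spawns processes or evaluates input.
MARKERS = [re.compile(p) for p in (
    rb"require\(\s*['\"](?:node:)?child_process['\"]\s*\)",
    rb"from\s+['\"](?:node:)?child_process['\"]",
    rb"\beval\s*\(",
    rb"\bnew\s+Function\s*\(",
)]

def audit_uploads(root, max_bytes=1_000_000):
    """Return sorted (relative_path, reasons) for files that look like Node.js code."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            reasons = []
            if os.path.splitext(name)[1].lower() in SCRIPT_EXTS:
                reasons.append("script extension")
            try:
                with open(path, "rb") as fh:
                    head = fh.read(max_bytes)  # only the first max_bytes are inspected
            except OSError:
                reasons.append("unreadable")
                head = b""
            if any(m.search(head) for m in MARKERS):
                reasons.append("process/eval marker")
            if reasons:
                findings.append((os.path.relpath(path, root), reasons))
    return sorted(findings)

def demo():
    """Run the audit over a constructed directory tree (sample files, not real data)."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "chatflow-a"))
        samples = {
            "chatflow-a/sales.csv": b"region,total\nEMEA,10\n",
            "chatflow-a/helper.js": b"module.exports = 1;\n",
            "chatflow-a/report.txt": b"const cp = require('child_process');\n",
        }
        for rel, data in samples.items():
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(data)
        return audit_uploads(root)
```

Treat hits as leads for manual review; a clean result does not show the instance was never compromised.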