Cyber Resilience

CVE-2026-41137

CriticalPublic PoCRCE

Published: 23 April 2026

Published
23 April 2026
Modified
24 April 2026
KEV Added
Patch
CVSS Score v4 9.4 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0145 70.1th percentile
Risk Priority 70 floored blend · peak EPSS

Summary

CVE-2026-41137 is a critical-severity Code Injection (CWE-94) vulnerability in Flowiseai Flowise. Its CVSS base score is 9.4 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 29.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

This vulnerability is AI-related — categorised as LLM Application Platforms; in the Supply Chain and Deployment risk domain.

The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-41137 is a command injection vulnerability (CWE-94) affecting Flowise, an open-source drag-and-drop user interface for building customized large language model (LLM) flows. The flaw resides in the CSVAgent component prior to version 3.1.0, which permits users to supply custom Pandas CSV read code without adequate sanitization. This allows an attacker to craft a payload that gets interpolated and executed as a command on the server. The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for remote exploitation with low privileges.

An authenticated attacker with low privileges (PR:L) can exploit this over the network (AV:N) with low attack complexity (AC:L) and no user interaction (UI:N). Exploitation enables arbitrary command execution on the server, granting high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H) within the unchanged scope (S:U), such as data exfiltration, modification, or denial of service.

The official Flowise security advisory (GHSA-9wc7-mj3f-74xv) details the issue and confirms it is remediated in version 3.1.0. Practitioners should prioritize upgrading affected Flowise deployments to this patched release to mitigate the risk.

Flowise's focus on LLM flow orchestration underscores security considerations for AI/ML tools, where unsanitized code execution in agent components can expose production infrastructure. No public evidence of real-world exploitation is available as of the CVE publication on 2026-04-23.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, The CSVAgent allows providing a custom Pandas CSV read code. Due to lack of sanitization, an attacker can provide a command…

more

injection payload that will get interpolated and executed by the server. This vulnerability is fixed in 3.1.0.

CWE(s)

AI Security AnalysisAI

AI Category
LLM Application Platforms
Risk Domain
Supply Chain and Deployment
OWASP Top 10 for LLMs 2025
None mapped
Classification Reason
Matched keywords: flowise, large language model, pandas

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059 Command and Scripting Interpreter Execution
Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.
Why these techniques?

Command injection vulnerability in public-facing web UI (Flowise) enables exploitation of public-facing application (T1190) leading to arbitrary remote command execution (T1059).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-59528Same product: Flowiseai Flowise
CVE-2026-41138Same product: Flowiseai Flowise
CVE-2025-34267Same product: Flowiseai Flowise
CVE-2025-8943Same product: Flowiseai Flowise
CVE-2026-41272Same product: Flowiseai Flowise
CVE-2026-41277Same product: Flowiseai Flowise
CVE-2026-41274Same product: Flowiseai Flowise
CVE-2026-41270Same product: Flowiseai Flowise
CVE-2026-30824Same product: Flowiseai Flowise
CVE-2026-31829Same product: Flowiseai Flowise

Affected Assets

flowiseai
flowise
≤ 3.1.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly addresses the lack of sanitization in custom Pandas CSV read code by requiring input validation to block command injection payloads.

prevent

Ensures timely identification and remediation of the command injection flaw through patching to Flowise version 3.1.0.

prevent

Implements least functionality to prohibit or restrict the vulnerable custom code execution capability in the CSVAgent component.

References