CVE-2026-41137
Published: 23 April 2026
Summary
CVE-2026-41137 is a high-severity Code Injection (CWE-94) vulnerability in Flowiseai Flowise. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 41.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
This vulnerability is AI-related — categorised as Data Processing Libraries.
The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly addresses the lack of sanitization in custom Pandas CSV read code by requiring input validation to block command injection payloads.
Ensures timely identification and remediation of the command injection flaw through patching to Flowise version 3.1.0.
Implements least functionality to prohibit or restrict the vulnerable custom code execution capability in the CSVAgent component.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Command injection vulnerability in public-facing web UI (Flowise) enables exploitation of public-facing application (T1190) leading to arbitrary remote command execution (T1059).
NVD Description
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, The CSVAgent allows providing a custom Pandas CSV read code. Due to lack of sanitization, an attacker can provide a command…
more
injection payload that will get interpolated and executed by the server. This vulnerability is fixed in 3.1.0.
Deeper analysisAI
CVE-2026-41137 is a command injection vulnerability (CWE-94) affecting Flowise, an open-source drag-and-drop user interface for building customized large language model (LLM) flows. The flaw resides in the CSVAgent component prior to version 3.1.0, which permits users to supply custom Pandas CSV read code without adequate sanitization. This allows an attacker to craft a payload that gets interpolated and executed as a command on the server. The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for remote exploitation with low privileges.
An authenticated attacker with low privileges (PR:L) can exploit this over the network (AV:N) with low attack complexity (AC:L) and no user interaction (UI:N). Exploitation enables arbitrary command execution on the server, granting high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H) within the unchanged scope (S:U), such as data exfiltration, modification, or denial of service.
The official Flowise security advisory (GHSA-9wc7-mj3f-74xv) details the issue and confirms it is remediated in version 3.1.0. Practitioners should prioritize upgrading affected Flowise deployments to this patched release to mitigate the risk.
Flowise's focus on LLM flow orchestration underscores security considerations for AI/ML tools, where unsanitized code execution in agent components can expose production infrastructure. No public evidence of real-world exploitation is available as of the CVE publication on 2026-04-23.
Details
- CWE(s)
Affected Products
AI Security AnalysisAI
- AI Category
- Data Processing Libraries
- Risk Domain
- N/A
- OWASP Top 10 for LLMs 2025
- None mapped
- Classification Reason
- Matched keywords: large language model