Cyber Posture

CVE-2026-41264

Critical · Public PoC

Published: 23 April 2026
Modified: 24 April 2026
KEV Added: not listed
Patch: fixed in 3.1.0
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0045 (63.9th percentile)
Risk Priority: 20 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-41264 is a critical-severity Incomplete List of Disallowed Inputs (CWE-184) vulnerability in Flowiseai Flowise. Its CVSS base score is 9.8 (Critical); the vector (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) means it is reachable over the network with no privileges or user interaction required, with high impact on confidentiality, integrity and availability.

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The EPSS score of 0.0045 sits at the 63.9th percentile, i.e. in the top 36.1% of CVEs by estimated exploit likelihood; the CVE is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

This vulnerability is AI-related: it is categorised as Other AI Platforms, in the LLM/Generative AI Risks risk domain.

The strongest mitigations our analysis identified are NIST 800-53 SC-39 (Process Isolation) and SI-16 (Memory Protection). Of the two, SC-39 is the one that actually bounds the blast radius here: the attacker-controlled script is something the Python interpreter executes on purpose, so memory protections of the DEP/ASLR kind covered by SI-16 do not stop it; they address memory-corruption exploits, not interpreter-level code execution. Upgrading to 3.1.0 removes the flaw itself.

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and one other technique, Python (T1059.006). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) [AI]

SI-2 Flaw Remediation (prevent): requires timely remediation of flaws like the unsandboxed Python script evaluation in Flowise's CSV_Agents class, as directly fixed by upgrading to version 3.1.0.

SC-39 Process Isolation (prevent): mandates process isolation to sandbox execution of untrusted, LLM-generated Python scripts, directly countering the lack of proper sandboxing.

SI-16 Memory Protection (prevent): implements memory protections to restrict unauthorized code execution; note that this addresses memory-corruption paths, not a script the interpreter runs deliberately, so it is a defense-in-depth measure rather than a fix for this flaw.

MITRE ATT&CK Enterprise Techniques [AI]

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.006 Python Execution
Adversaries may abuse Python commands and scripts for execution.
Why these techniques?

The vulnerability allows unauthenticated remote code execution via prompt injection in a public-facing Flowise server, exploiting the application (T1190) to execute arbitrary Python scripts (T1059.006).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the specific flaw exists within the run method of the CSV_Agents class. The issue results from the lack of proper sandboxing when evaluating an LLM generated python script. An attacker can leverage this vulnerability to execute code in the context of the user running the server. Using prompt injection techniques, an unauthenticated attacker with the ability to send prompts to a chatflow using the CSV Agent node may convince an LLM to respond with a malicious python script that executes attacker controlled commands on the Flowise server. This vulnerability is fixed in 3.1.0.

Deeper analysis [AI]

CVE-2026-41264 is a code execution vulnerability in Flowise, an open-source drag-and-drop user interface for building customized large language model (LLM) flows. The flaw resides in the run method of the CSV_Agents class in versions prior to 3.1.0, stemming from insufficient sandboxing when evaluating Python scripts generated by an LLM. This allows arbitrary code execution in the context of the user running the Flowise server.

An unauthenticated attacker who can send prompts to a chatflow utilizing the CSV Agent node can exploit this vulnerability through prompt injection techniques. By crafting a malicious prompt, the attacker can trick the LLM into generating and executing a Python script that runs attacker-controlled commands on the Flowise server, potentially leading to full compromise including high-impact confidentiality, integrity, and availability violations as indicated by the CVSS v3.1 score of 9.8.

The official GitHub security advisory for Flowise (GHSA-3hjv-c53m-58jj) confirms the issue and states that it is fully addressed in version 3.1.0, recommending immediate upgrades to mitigate the risk.

This vulnerability highlights risks in AI/ML workflows, particularly prompt injection leading to insecure code evaluation in LLM-based agents. No public evidence of real-world exploitation is available at the time of publication.
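To make the CWE-184 classification and the SC-39 recommendation concrete, the following is an added, illustrative example; it is not Flowise's code, not the CSV_Agents run method, and not the 3.1.0 fix. It shows the weak pattern (a substring blocklist on LLM-generated Python that a trivially reworded payload slips past) beside the shape of a hardened sink: an allowlist gate over the parsed AST, followed by execution in a separate interpreter process with an emptied environment, scratch working directory and hard timeout. The blocklist entries, allowed-module set, forbidden-call set and both payloads are constructed for this example.

```python
"""Added example: why a blocklist on LLM-written Python is CWE-184, and what an
allowlist gate plus out-of-process execution looks like. Illustrative only; not
Flowise's code and not its fix."""
import ast
import subprocess
import sys
import tempfile

# 1. The weak pattern: an incomplete list of disallowed inputs (CWE-184).
#    Constructed, deliberately naive blocklist of the kind that gets bypassed.
DISALLOWED_SUBSTRINGS = ("import os", "import subprocess", "open(")


def blocklist_allows(script: str) -> bool:
    """True when the naive blocklist would let the script through."""
    return not any(bad in script for bad in DISALLOWED_SUBSTRINGS)


# Constructed payloads of the kind an injected prompt can make an LLM emit.
BLOCKED_PAYLOAD = "import os\nos.system('id')"
BYPASS_PAYLOAD = "__import__('o' + 's').system('id')"  # same effect, no listed substring

# 2. Allowlist gate: parse the script and reject anything not explicitly permitted.
#    Constructed policy for a CSV-analysis helper; adjust to the real use case.
ALLOWED_MODULES = {"pandas", "math", "statistics"}
FORBIDDEN_CALLS = {"exec", "eval", "compile", "__import__", "open", "getattr",
                   "setattr", "delattr", "globals", "locals", "vars", "breakpoint"}


def allowlist_check(script: str) -> list[str]:
    """Return the policy violations found in the script (empty list means pass)."""
    try:
        tree = ast.parse(script)
    except SyntaxError as exc:
        return [f"syntax error: {exc.msg}"]
    violations = []
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for alias in node.names:
                if alias.name.split(".")[0] not in ALLOWED_MODULES:
                    violations.append(f"import of {alias.name!r} not in allowlist")
        elif isinstance(node, ast.ImportFrom):
            if (node.module or "").split(".")[0] not in ALLOWED_MODULES:
                violations.append(f"import from {node.module!r} not in allowlist")
        elif isinstance(node, ast.Call) and isinstance(node.func, ast.Name):
            if node.func.id in FORBIDDEN_CALLS:
                violations.append(f"call to {node.func.id}() is forbidden")
        elif isinstance(node, ast.Attribute) and node.attr.startswith("__"):
            violations.append(f"dunder attribute {node.attr!r} is forbidden")
        elif isinstance(node, ast.Name) and node.id.startswith("__"):
            violations.append(f"dunder name {node.id!r} is forbidden")
    return violations


# 3. Out-of-process execution. Isolated mode (-I) ignores PYTHON* variables and
#    the script directory, the environment is emptied, cwd is a scratch dir and
#    there is a hard timeout. This shrinks the attack surface but is NOT the
#    security boundary: a gated script can still read files through pandas, so
#    the worker itself must sit in its own container/VM/seccomp profile (SC-39).
def run_isolated(script: str, timeout_s: float = 5.0) -> tuple[int, str]:
    """Run an already-gated script in a fresh interpreter; return (exit code, output)."""
    with tempfile.TemporaryDirectory() as scratch:
        try:
            proc = subprocess.run(
                [sys.executable, "-I", "-c", script],
                capture_output=True, text=True, timeout=timeout_s,
                cwd=scratch, env={},
            )
        except subprocess.TimeoutExpired:
            return (-1, "timeout")
    return (proc.returncode, proc.stdout + proc.stderr)


def evaluate_llm_script(script: str) -> tuple[int, str]:
    """The sink as it should look: static allowlist gate first, then isolated execution."""
    violations = allowlist_check(script)
    if violations:
        return (126, "rejected: " + "; ".join(violations))
    return run_isolated(script)


if __name__ == "__main__":
    print("blocklist lets bypass payload through:", blocklist_allows(BYPASS_PAYLOAD))
    print("allowlist verdict on bypass payload:", evaluate_llm_script(BYPASS_PAYLOAD))
    print("benign script:", evaluate_llm_script("print(sum(range(5)))"))
```

The point of the pairing is that the blocklist fails open on anything it did not anticipate, whereas the allowlist fails closed; the AST gate alone is still not a sandbox (Python is notoriously hard to confine from inside the interpreter), which is why the execution step is pushed out of process and why the page's SC-39 recommendation is the control that matters.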

Details

CWE(s)
CWE-184 Incomplete List of Disallowed Inputs

Affected Products
flowiseai flowise < 3.1.0 (versions prior to 3.1.0; fixed in 3.1.0)

AI Security Analysis [AI]

AI Category: Other AI Platforms
Risk Domain: LLM/Generative AI Risks
OWASP Top 10 for LLMs 2025: none mapped by the classifier. The behaviour described (an injected prompt makes the model emit a script that the application then executes unchecked) corresponds to LLM01:2025 Prompt Injection and LLM05:2025 Improper Output Handling.
Classification Reason: matched keywords: large language model, llm, prompt injection

CVEs Like This One

CVE-2026-41265 (same product: Flowiseai Flowise)
CVE-2026-41272 (same product: Flowiseai Flowise)
CVE-2026-41274 (same product: Flowiseai Flowise)
CVE-2026-41277 (same product: Flowiseai Flowise)
CVE-2026-41278 (same product: Flowiseai Flowise)
CVE-2026-41270 (same product: Flowiseai Flowise)
CVE-2026-30824 (same product: Flowiseai Flowise)
CVE-2026-41273 (same product: Flowiseai Flowise)
CVE-2026-41276 (same product: Flowiseai Flowise)
CVE-2026-41269 (same product: Flowiseai Flowise)
