Cyber Posture

CVE-2026-41265

Critical · Public PoC · RCE

Published: 23 April 2026

Modified: 24 April 2026
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0027 (50.0th percentile)
Risk Priority: 20 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-41265 is a critical-severity Command Injection (CWE-77) vulnerability in Flowiseai Flowise. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 50.0th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

This vulnerability is AI-related: it is categorised as Other AI Platforms, in the LLM/Generative AI Risks risk domain.

The strongest mitigations our analysis identified are NIST 800-53 SC-18 (Mobile Code) and SC-39 (Process Isolation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) [AI]

prevent

Process isolation enforces sandboxing around the execution of LLM-generated Python scripts in the Airtable_Agents run method, preventing arbitrary command execution from impacting the host system.

prevent

Mobile code controls mandate confinement, validation, authentication, and sanitization of untrusted executable content like LLM-generated Python scripts prior to execution.

prevent

Information input validation checks the LLM-generated Python script for malicious content or invalid constructs before evaluation, mitigating prompt injection leading to command injection.
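As an added illustration of the input-validation control above (not Flowise's code and not its 3.1.0 fix), this allowlist check parses an LLM-generated script and rejects anything outside a narrow DataFrame-query policy. The name `df`, the allowed-name sets and the sample scripts are assumptions made for the example, and the check presumes the script still runs inside the isolated process the first control describes.

```python
import ast
import builtins

# Assumed policy for this example (not Flowise's): the script may only read a
# DataFrame bound to `df`, and the executor exposes no other globals.
ALLOWED_NAMES = {"df", "len", "sum", "min", "max", "round", "sorted", "print"}
ALLOWED_ATTRS = {"groupby", "sum", "mean", "count", "head", "sort_values",
                 "shape", "columns", "loc", "iloc", "max", "min", "nunique"}
BANNED_NODES = (ast.Import, ast.ImportFrom, ast.FunctionDef, ast.AsyncFunctionDef,
                ast.ClassDef, ast.Lambda, ast.Global, ast.Nonlocal, ast.With,
                ast.AsyncWith, ast.Try, ast.Raise, ast.Delete, ast.Await)


def validate_generated_script(source: str) -> list[str]:
    """Return policy violations; an empty list means the script passed."""
    try:
        tree = ast.parse(source, mode="exec")
    except SyntaxError as exc:
        return [f"syntax error: {exc.msg}"]
    stored, problems = set(), []
    for node in ast.walk(tree):
        if isinstance(node, ast.Name) and isinstance(node.ctx, ast.Store):
            # Refuse rebinding of builtins or underscore names, so an
            # assignment in a dead branch cannot allowlist e.g. `open`.
            if node.id.startswith("_") or hasattr(builtins, node.id):
                problems.append(f"line {node.lineno}: cannot assign '{node.id}'")
            else:
                stored.add(node.id)
    for node in ast.walk(tree):
        line = getattr(node, "lineno", 0)
        if isinstance(node, BANNED_NODES):
            problems.append(f"line {line}: {type(node).__name__} not allowed")
        elif isinstance(node, ast.Name) and isinstance(node.ctx, ast.Load):
            if node.id not in ALLOWED_NAMES | stored:
                problems.append(f"line {line}: name '{node.id}' not allowed")
        elif isinstance(node, ast.Attribute) and node.attr not in ALLOWED_ATTRS:
            problems.append(f"line {line}: attribute '{node.attr}' not allowed")
    return problems


# Constructed samples: a benign aggregation and a script of the kind a
# prompt-injected model might return.
BENIGN = "totals = df.groupby('region').sum()\nprint(totals.head(5))"
HOSTILE = "import os\nos.system('id')"
```

A script is passed to the interpreter only when the returned list is empty; any violation should be logged together with the originating prompt so injection attempts are visible to detection.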

MITRE ATT&CK Enterprise Techniques [AI]

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.006 Python Execution
Adversaries may abuse Python commands and scripts for execution.
Why these techniques?

Unauthenticated RCE via public-facing web application exploitation (T1190) through prompt injection leading to arbitrary Python script execution (T1059.006).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the specific flaw exists within the run method of the Airtable_Agents class. The issue results from the lack of proper sandboxing when evaluating an LLM generated python script. Using prompt injection techniques, an unauthenticated attacker with the ability to send prompts to a chatflow using the Airtable Agent node may convince an LLM to respond with a malicious python script that executes attacker controlled commands on the flowise server. This vulnerability is fixed in 3.1.0.

Deeper analysis [AI]

CVE-2026-41265 is a critical vulnerability in Flowise, an open-source drag-and-drop user interface for building customized large language model (LLM) flows. Affecting versions prior to 3.1.0, the flaw exists in the run method of the Airtable_Agents class due to insufficient sandboxing when evaluating Python scripts generated by an LLM. Classified as CWE-77 (command injection), it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), highlighting its potential for severe impact.

An unauthenticated attacker who can send prompts to a chatflow using the Airtable Agent node can exploit this issue via prompt injection techniques. By crafting malicious prompts, the attacker tricks the LLM into producing a Python script that executes arbitrary attacker-controlled commands directly on the Flowise server, enabling full remote code execution with high confidentiality, integrity, and availability impacts.

The vulnerability is fixed in Flowise version 3.1.0. According to the GitHub Security Advisory (GHSA-v38x-c887-992f), users should upgrade to the patched version to mitigate the risk.

Details

CWE(s)

Affected Products

flowiseai
flowise
≤ 3.1.0

AI Security Analysis [AI]

AI Category: Other AI Platforms
Risk Domain: LLM/Generative AI Risks
OWASP Top 10 for LLMs 2025: None mapped
Classification Reason: Matched keywords: large language model, llm, prompt injection, llm

CVEs Like This One

CVE-2026-41264 (Same product: Flowiseai Flowise)
CVE-2025-34267 (Same product: Flowiseai Flowise)
CVE-2026-41274 (Same product: Flowiseai Flowise)
CVE-2026-41277 (Same product: Flowiseai Flowise)
CVE-2026-41272 (Same product: Flowiseai Flowise)
CVE-2026-41278 (Same product: Flowiseai Flowise)
CVE-2026-30824 (Same product: Flowiseai Flowise)
CVE-2026-41268 (Same product: Flowiseai Flowise)
CVE-2026-41270 (Same product: Flowiseai Flowise)
CVE-2026-41269 (Same product: Flowiseai Flowise)
