Cyber Resilience

CVE-2026-41265

CriticalPublic PoCRCE

Published: 23 April 2026

Published
23 April 2026
Modified
24 April 2026
KEV Added
Patch
CVSS Score v4 9.2 CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0046 36.9th percentile
Risk Priority 70 floored blend · peak EPSS

Summary

CVE-2026-41265 is a critical-severity Command Injection (CWE-77) vulnerability in Flowiseai Flowise. Its CVSS base score is 9.2 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 36.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

This vulnerability is AI-related — categorised as LLM Application Platforms; in the LLM/Generative AI Risks risk domain.

The strongest mitigations our analysis identified are NIST 800-53 SC-18 (Mobile Code) and SC-39 (Process Isolation).

Deeper analysis

CVE-2026-41265 is a critical vulnerability in Flowise, an open-source drag-and-drop user interface for building customized large language model (LLM) flows. Affecting versions prior to 3.1.0, the flaw exists in the run method of the Airtable_Agents class due to insufficient sandboxing when evaluating Python scripts generated by an LLM. Classified as CWE-77 (command injection), it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), highlighting its potential for severe impact.

An unauthenticated attacker who can send prompts to a chatflow using the Airtable Agent node can exploit this issue via prompt injection techniques. By crafting malicious prompts, the attacker tricks the LLM into producing a Python script that executes arbitrary attacker-controlled commands directly on the Flowise server, enabling full remote code execution with high confidentiality, integrity, and availability impacts.

The vulnerability is fixed in Flowise version 3.1.0. According to the GitHub Security Advisory (GHSA-v38x-c887-992f), users should upgrade to the patched version to mitigate the risk.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the specific flaw exists within the run method of the Airtable_Agents class. The issue results from the lack of proper sandboxing…

more

when evaluating an LLM generated python script. Using prompt injection techniques, an unauthenticated attacker with the ability to send prompts to a chatflow using the Airtable Agent node may convince an LLM to respond with a malicious python script that executes attacker controlled commands on the flowise server. This vulnerability is fixed in 3.1.0.

CWE(s)

AI Security AnalysisAI

AI Category
LLM Application Platforms
Risk Domain
LLM/Generative AI Risks
OWASP Top 10 for LLMs 2025
None mapped
Classification Reason
Matched keywords: flowise, large language model, llm, prompt injection

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.006 Python Execution
Adversaries may abuse Python commands and scripts for execution.
Why these techniques?

Unauthenticated RCE via public-facing web application exploitation (T1190) through prompt injection leading to arbitrary Python script execution (T1059.006).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-34267Same product: Flowiseai Flowise
CVE-2026-41264Same product: Flowiseai Flowise
CVE-2026-41138Same product: Flowiseai Flowise
CVE-2025-8943Same product: Flowiseai Flowise
CVE-2026-41272Same product: Flowiseai Flowise
CVE-2026-41277Same product: Flowiseai Flowise
CVE-2026-41274Same product: Flowiseai Flowise
CVE-2026-41270Same product: Flowiseai Flowise
CVE-2026-30824Same product: Flowiseai Flowise
CVE-2026-31829Same product: Flowiseai Flowise

Affected Assets

flowiseai
flowise
≤ 3.1.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Process isolation enforces sandboxing around the execution of LLM-generated Python scripts in the Airtable_Agents run method, preventing arbitrary command execution from impacting the host system.

prevent

Mobile code controls mandate confinement, validation, authentication, and sanitization of untrusted executable content like LLM-generated Python scripts prior to execution.

prevent

Information input validation checks the LLM-generated Python script for malicious content or invalid constructs before evaluation, mitigating prompt injection leading to command injection.

References