Flowise CVE-2026-41264: Unauthenticated CSV Agent Prompt Injection RCE via LLM Script Evaluation
Date: 2026-04-23
Tags: malicious-tool, supply-chain
Executive Summary
Trend Micro's Zero Day Initiative has identified a vulnerability affecting FlowiseAI Flowise. This vulnerability allows remote attackers to execute arbitrary code on affected installations of FlowiseAI Flowise. Authentication is not required to exploit this vulnerability. The specific flaw exists within the run method of the CSV_Agents class. The issue results from the lack of proper sandboxing when evaluating an LLM-generated Python script. An attacker can leverage this vulnerability to execute code in the context of the user running the server.
Campaign Summary
| Field | Detail |
|---|---|
| Campaign / Malware | Flowise CSV Agent Prompt Injection Campaign (CVE-2026-41264) |
| Attribution | Unknown; vulnerability disclosed by Trend Micro ZDI (confidence: low) |
| Target | Organizations deploying Flowise <v3.0.13; developers using CSV Agent node in chatflows |
| Vector | Using prompt injection techniques, an unauthenticated attacker with the ability to send prompts to a chatflow using the CSV Agent node may convince an LLM to respond with a malicious Python script that executes attacker-controlled commands on the Flowise server. |
| Status | active |
| First Observed | 2026-04-21 |
Detailed Findings
FlowiseAI Flowise is an open source low-code tool for developers to build customized large language model (LLM) applications and AI agents. It supports integration with various LLMs, data sources, and tools in order to facilitate rapid development and deployment of AI solutions. Flowise offers a web interface with a drag-and-drop editor, as well as an API, through an Express web server accessible over HTTP on port 3000/TCP. Using prompt injection techniques, an unauthenticated attacker with the ability to send prompts to a chatflow using the CSV Agent node may convince an LLM to respond with a malicious Python script that executes attacker-controlled commands on the Flowise server. It is also possible for an authenticated attacker to exploit this vulnerability by specifying an attacker-controlled server in a chatflow. This server would respond to prompts with an attacker-controlled Python script instead of an LLM-generated response, which would then be evaluated on the server.
MITRE ATT&CK Mapping
| Technique | ID | Context |
|---|---|---|
| Prompt Injection | T1060 | Attacker-controlled prompt causes LLM to generate malicious Python code |
| Code Execution via LLM | T1059.006 | LLM-generated Python scripts evaluated without sandboxing |
| Exploitation of Insufficient Sandboxing | T1562.001 | Lack of proper sandboxing in CSV Agent's script evaluation |
IOCs
Domains
_No specific IOCs; vulnerability is application-level in Flowise CSV Agent node_
Full URL Paths
_No specific IOCs; vulnerability is application-level in Flowise CSV Agent node_
Splunk Format
_No IOCs available for Splunk query_
Package Indicators
flowise@<3.0.13
Detection Recommendations
- Monitor Flowise logs for unusual prompt submissions to CSV Agent nodes.
- Audit Python code execution patterns within Flowise (look for subprocess calls, file I/O, or network operations triggered from CSV Agent).
- Implement network segmentation to restrict egress from the Flowise server.
- Deploy WAF rules to detect prompt injection patterns in chatflow submissions.
- Monitor /api/v1/prediction endpoints for anomalous CSV Agent requests.
- Implement strict output validation and sandboxing for all LLM-generated code evaluation.

Immediate upgrade to Flowise v3.0.13 or later is mandatory.
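One way to carry out the "audit Python code execution patterns" recommendation on scripts captured from CSV Agent runs is a static pass over the script's syntax tree. This is an added example, not Flowise code; the module and call deny-lists and the sample scripts are assumptions constructed for illustration, and a static check like this is a triage aid that does not replace sandboxing or the upgrade.

```python
import ast

# Assumed deny-lists for triage; tune them to what your chatflows legitimately need.
RISKY_MODULES = {"os", "subprocess", "socket", "shutil", "ctypes", "pty",
                 "urllib", "requests", "http", "importlib", "sys"}
RISKY_CALLS = {"eval", "exec", "compile", "open", "__import__", "getattr"}


def audit_generated_script(source: str) -> list[str]:
    """Return findings for an LLM-generated script; an empty list means none found."""
    try:
        tree = ast.parse(source)
    except (SyntaxError, ValueError):
        # A script that cannot be parsed cannot be audited, so treat it as a finding.
        return ["unparseable script: refuse to evaluate"]
    findings = []
    for node in ast.walk(tree):
        # Imports of modules that give process, file system or network access.
        if isinstance(node, ast.Import):
            names = [alias.name for alias in node.names]
        elif isinstance(node, ast.ImportFrom):
            names = [node.module or ""]
        else:
            names = []
        for name in names:
            if name.split(".")[0] in RISKY_MODULES:
                findings.append(f"line {node.lineno}: import of {name}")
        # Direct calls to dynamic-evaluation or file-opening builtins.
        if isinstance(node, ast.Call) and isinstance(node.func, ast.Name):
            if node.func.id in RISKY_CALLS:
                findings.append(f"line {node.lineno}: call to {node.func.id}()")
        # Dunder attribute access is a common way around name-based filters.
        if isinstance(node, ast.Attribute) and node.attr.startswith("__"):
            findings.append(f"line {node.lineno}: dunder attribute {node.attr}")
    return findings


# Constructed samples: a typical dataframe query vs. a response shaped by injection.
BENIGN = "import pandas as pd\nresult = df['price'].mean()\n"
INJECTED = "import os\nresult = os.system('id')\n"

if __name__ == "__main__":
    for label, script in (("benign", BENIGN), ("injected", INJECTED)):
        print(label, audit_generated_script(script) or "no findings")
```

Any finding on a script produced by a CSV Agent node is worth correlating with the prompt that triggered it and with egress logs from the Flowise host.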
References
- [GitLab Advisories] CVE-2026-41264: Flowise CSV Agent Prompt Injection Remote Code Execution Vulnerability (2026-04-21) — https://advisories.gitlab.com/npm/flowise-components/CVE-2026-41264/
- [Trend Micro Zero Day Initiative] Flowise CSV Agent Prompt Injection RCE (CVE-2026-41264) (2026-04-21) — https://advisories.gitlab.com/npm/flowise-components/CVE-2026-41264/