Description
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, The CSVAgent allows providing a custom Pandas CSV read code. Due to lack of sanitization, an attacker can provide a command injection payload that will get interpolated and executed by the server. This vulnerability is fixed in 3.1.0.
Published: 2026-04-23
Score: 9.4 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

The vulnerability arises from the CSVAgent’s ability to execute custom Pandas CSV read code without sanitization. This allows an authenticated user to inject a command that is interpolated and executed by the server. As a result, the attacker can run arbitrary shell commands, compromising the confidentiality, integrity, and availability of the host. The weakness is a classic code injection flaw (CWE‑94).

Affected Systems

The flaw affects FlowiseAI’s Flowise front‑end and the flowise‑components set, specifically all releases prior to version 3.1.0. Any instance of these products that has not yet applied the 3.1.0 update is vulnerable.

Risk and Exploitability

With a CVSS score of 9.4 the vulnerability is considered critical. The EPSS score of less than 1% indicates that the likelihood of exploitation observed so far is low, yet the weakness remains serious due to the potential for full system compromise. The vulnerability is not yet listed in CISA’s Known Exploited Vulnerabilities catalog. The attack requires an authenticated session that can submit CSVAgent payloads; no public unauthenticated vector is described. Practically, a user with write access to flows can place malicious code in a CSV read routine and trigger execution on the server.

Generated by OpenCVE AI on April 28, 2026 at 07:30 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Flowise and flowise‑components to version 3.1.0 or later.
  • Limit or deny permissions for users to use the CSVAgent custom code feature until a patch is applied.
  • Implement monitoring of system command execution and enforce strict access controls to prevent unauthorized code injection.

Generated by OpenCVE AI on April 28, 2026 at 07:30 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-9wc7-mj3f-74xv Flowise: Code Injection in CSVAgent leads to Authenticated RCE
History

Mon, 27 Apr 2026 22:45:00 +0000

Type Values Removed Values Added
First Time appeared Flowiseai flowise-components
Vendors & Products Flowiseai flowise-components

Fri, 24 Apr 2026 15:30:00 +0000

Type Values Removed Values Added
First Time appeared Flowiseai
Flowiseai flowise
CPEs cpe:2.3:a:flowiseai:flowise:*:*:*:*:*:*:*:*
Vendors & Products Flowiseai
Flowiseai flowise
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Thu, 23 Apr 2026 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 23 Apr 2026 19:45:00 +0000

Type Values Removed Values Added
Description Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, The CSVAgent allows providing a custom Pandas CSV read code. Due to lack of sanitization, an attacker can provide a command injection payload that will get interpolated and executed by the server. This vulnerability is fixed in 3.1.0.
Title Flowise: Code Injection in CSVAgent leads to Authenticated RCE
Weaknesses CWE-94
References
Metrics cvssV4_0

{'score': 9.4, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H'}

Subscriptions

Flowiseai Flowise Flowise-components
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-23T20:20:30.780Z

Reserved: 2026-04-17T12:59:15.738Z

Link: CVE-2026-41137

cve-icon Vulnrichment

Updated: 2026-04-23T20:20:26.372Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-23T20:16:14.257

Modified: 2026-04-24T15:15:47.703

Link: CVE-2026-41137

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-28T07:30:26Z

Weaknesses