Description
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the specific flaw exists within the run method of the Airtable_Agents class. The issue results from the lack of proper sandboxing when evaluating an LLM-generated Python script. Using prompt injection techniques, an unauthenticated attacker with the ability to send prompts to a chatflow using the Airtable Agent node may convince an LLM to respond with a malicious Python script that executes attacker-controlled commands on the Flowise server. This vulnerability is fixed in 3.1.0.
Published: 2026-04-23
Score: 9.2 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Patch Immediately
AI Analysis

Impact

The vulnerability arises from improper sandboxing of dynamically generated Python code within the Airtable_Agents component of Flowise. An attacker can craft a prompt that tricks an LLM into producing a malicious script, which the application then executes on the host machine. If successful, the attacker gains the privileges of the Flowise process, allowing full system compromise.

Affected Systems

FlowiseAI’s Flowise platform, versions prior to 3.1.0, that expose the Airtable Agent node. The flaw is present in the run method of the Airtable_Agents class.

Risk and Exploitability

The CVSS score of 9.2 reflects a high-severity remote code execution risk. The EPSS score is reported as less than 1%, indicating a low but non-zero probability of exploitation in the wild at the time of this analysis, and the vulnerability is not listed in CISA's KEV catalog. Because the attack requires only the ability to send a prompt to an Airtable Agent enabled chatflow and no additional authentication, the threat vector remains remote and unauthenticated, making the vulnerability attractive to adversaries who can interact with the exposed interface.

Generated by OpenCVE AI on April 28, 2026 at 14:44 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Upgrade to Flowise 3.1.0 or later, which contains the fix for the Airtable_Agents code injection.
  • If an upgrade is not immediately feasible, restrict or disable the Airtable Agent node in all chatflows to prevent untrusted prompt execution.
  • Monitor application logs for unusually large or suspicious Python code submissions and enforce strict input validation on prompt inputs.
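The Impact section describes the missing control (LLM-generated Python evaluated without sandboxing) and the recommended actions ask for logging of suspicious code submissions. The following is an added example, not Flowise's code and not the 3.1.0 fix, of what a pre-execution gate for generated scripts can look like: a static screen over the script's AST that rejects non-allowlisted imports, dangerous builtins and dunder access, returns findings an operator can log and alert on, and only then runs the script in a separate isolated interpreter with an empty environment and a timeout. The module allowlist, the size limit, the `screen_script` and `run_generated_script` names and the sample scripts are all assumptions constructed for this example.

```python
import ast
import subprocess
import sys
from dataclasses import dataclass, field

# Modules a data-wrangling script for Airtable rows plausibly needs. This
# allowlist is an assumption for the example; everything else (os, subprocess,
# socket, ctypes, ...) is rejected before the script ever runs.
ALLOWED_MODULES = {"json", "math", "statistics", "datetime", "re", "collections"}

# Builtins that turn "run this data script" into "run anything".
BANNED_CALLS = {"exec", "eval", "compile", "__import__", "open", "input",
                "breakpoint", "getattr", "setattr", "delattr", "globals",
                "locals", "vars"}


@dataclass
class GateResult:
    allowed: bool
    findings: list = field(default_factory=list)


def screen_script(source: str, max_chars: int = 4000) -> GateResult:
    """Statically screen an LLM-generated script; the findings are what to log."""
    findings = []
    if len(source) > max_chars:
        findings.append(f"script is {len(source)} chars, limit is {max_chars}")
    try:
        tree = ast.parse(source)
    except SyntaxError as exc:
        findings.append(f"syntax error at line {exc.lineno}: {exc.msg}")
        return GateResult(False, findings)
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            names = [alias.name for alias in node.names]
        elif isinstance(node, ast.ImportFrom):
            names = [node.module or ""]
        else:
            names = []
        for name in names:
            if name.split(".")[0] not in ALLOWED_MODULES:
                findings.append(f"line {node.lineno}: import of '{name}' is not allowlisted")
        if (isinstance(node, ast.Call) and isinstance(node.func, ast.Name)
                and node.func.id in BANNED_CALLS):
            findings.append(f"line {node.lineno}: call to banned builtin '{node.func.id}'")
        # Dunder access is the usual route from harmless-looking objects to the
        # interpreter internals, so it is refused outright.
        if isinstance(node, ast.Attribute) and node.attr.startswith("__"):
            findings.append(f"line {node.lineno}: dunder attribute '{node.attr}'")
        if isinstance(node, ast.Name) and node.id.startswith("__"):
            findings.append(f"line {node.lineno}: dunder name '{node.id}'")
    return GateResult(not findings, findings)


def run_generated_script(source: str, timeout_s: float = 5.0) -> dict:
    """Gate first; then run in a fresh interpreter (-I: isolated mode, no user
    site or inherited PYTHON* settings) with an empty environment (so no API
    tokens leak in; Linux/macOS semantics), no stdin, and a timeout."""
    gate = screen_script(source)
    if not gate.allowed:
        # Refused scripts are returned, not executed; this is the event to log.
        return {"executed": False, "findings": gate.findings, "stdout": ""}
    try:
        proc = subprocess.run(
            [sys.executable, "-I", "-c", source],
            capture_output=True, text=True, timeout=timeout_s,
            stdin=subprocess.DEVNULL, env={},
        )
    except subprocess.TimeoutExpired:
        return {"executed": True, "findings": ["timed out"], "stdout": ""}
    return {"executed": True, "findings": [], "stdout": proc.stdout,
            "returncode": proc.returncode}


# Constructed samples standing in for scripts an agent's LLM might return.
BENIGN_SCRIPT = """\
import json
rows = json.loads('[{"amount": 3}, {"amount": 4}]')
print(sum(r["amount"] for r in rows))
"""

# Shape of a script a prompt injection tries to elicit: it reaches for the OS
# instead of the data. Constructed; it only lists a directory.
INJECTED_SCRIPT = """\
import os
print(os.listdir("/"))
"""

# Same intent hidden behind a builtin instead of an import statement.
OBFUSCATED_SCRIPT = 'print(__import__("os").getcwd())\n'

if __name__ == "__main__":
    for label, script in [("benign", BENIGN_SCRIPT), ("injected", INJECTED_SCRIPT),
                          ("obfuscated", OBFUSCATED_SCRIPT)]:
        print(label, run_generated_script(script))
```

The static screen is a refusal and logging point, not a security boundary: AST allowlists can be worked around, so the upgrade to 3.1.0 remains the fix, and any generated code that must run should do so in an isolated process or container that does not hold the Flowise credentials.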


Tracking


Advisories
Source | ID | Title
Github GHSA | GHSA-v38x-c887-992f | Flowise: Airtable_Agent Code Injection Remote Code Execution Vulnerability
History

Fri, 24 Apr 2026 15:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Flowiseai; Flowiseai flowise
CPEs | | cpe:2.3:a:flowiseai:flowise:*:*:*:*:*:*:*:*
Vendors & Products | | Flowiseai; Flowiseai flowise
Metrics | | cvssV3_1 {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Thu, 23 Apr 2026 21:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 23 Apr 2026 20:15:00 +0000

Type | Values Removed | Values Added
Description | | Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the specific flaw exists within the run method of the Airtable_Agents class. The issue results from the lack of proper sandboxing when evaluating an LLM generated python script. Using prompt injection techniques, an unauthenticated attacker with the ability to send prompts to a chatflow using the Airtable Agent node may convince an LLM to respond with a malicious python script that executes attacker controlled commands on the flowise server. This vulnerability is fixed in 3.1.0.
Title | | Flowise: Airtable_Agent Code Injection Remote Code Execution Vulnerability
Weaknesses | | CWE-77
References | |
Metrics | | cvssV4_0 {'score': 9.2, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


Subscriptions

Flowiseai Flowise
MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-23T20:17:01.218Z

Reserved: 2026-04-18T14:01:46.801Z

Link: CVE-2026-41265

Vulnrichment

Updated: 2026-04-23T20:16:50.491Z

NVD

Status: Analyzed

Published: 2026-04-23T20:16:14.890

Modified: 2026-04-24T15:15:09.260

Link: CVE-2026-41265

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T14:45:16Z

Weaknesses