Code Execution Vulnerability in Flowise Product by FlowiseAI
CVE-2026-41264

9.2 CRITICAL

Key Information:

Vendor: Flowiseai
Status: Vendor
CVE Published: 23 April 2026

What is CVE-2026-41264?

Flowise, a drag-and-drop interface for building customized large language model flows, is susceptible to a code execution vulnerability in the run method of the CSV_Agents class prior to version 3.1.0. The flaw arises from inadequate sandboxing when evaluating Python scripts generated by the LLM. An unauthenticated attacker can exploit this by sending prompts to a chatflow that utilizes the CSV Agent node, potentially executing malicious Python scripts on the Flowise server. The vulnerability is addressed in version 3.1.0, so users should update to the latest version.
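As an added illustration (not code from Flowise or from its 3.1.0 fix), the following Python gate shows the kind of pre-execution check a defender would want in front of any LLM-generated script before it reaches an interpreter: it parses the script to an AST and rejects imports outside an allowlist, restricted builtins and dunder attribute access. The allowlist, the denied names and the two sample scripts are constructed assumptions.

```python
import ast
# Constructed policy for an illustrative pre-execution gate on LLM-generated
# CSV-analysis scripts (an added check, not the Flowise 3.1.0 fix). AST filtering
# is not a sandbox: run it in front of process/container isolation, not instead.
ALLOWED_IMPORT_ROOTS = {"pandas", "math", "statistics", "json"}
DENIED_NAMES = {"exec", "eval", "compile", "open", "__import__", "getattr",
                "globals", "locals", "vars", "input", "breakpoint"}

class ScriptAuditor(ast.NodeVisitor):
    # Collects policy violations; an empty findings list means the script passed.
    def __init__(self):
        self.findings = []

    def _check_import(self, node, dotted):
        if dotted.split(".")[0] not in ALLOWED_IMPORT_ROOTS:
            self.findings.append(f"line {node.lineno}: import of '{dotted}' is not allowlisted")

    def visit_Import(self, node):
        for alias in node.names:
            self._check_import(node, alias.name)

    def visit_ImportFrom(self, node):
        # node.module is None for a relative import; treat that as disallowed.
        self._check_import(node, node.module or "<relative>")

    def visit_Name(self, node):
        # Flags direct use and aliasing such as `f = eval` alike.
        if node.id in DENIED_NAMES or node.id.startswith("__"):
            self.findings.append(f"line {node.lineno}: reference to restricted name '{node.id}'")

    def visit_Attribute(self, node):
        # A CSV summary never needs __class__, __subclasses__ and friends.
        if node.attr.startswith("__"):
            self.findings.append(f"line {node.lineno}: access to dunder attribute '{node.attr}'")
        self.generic_visit(node)  # keep descending into the object expression

def audit_script(source):
    # Returns the policy findings for one LLM-generated script (empty means passed).
    try:
        tree = ast.parse(source)
    except SyntaxError as exc:
        return [f"line {exc.lineno}: syntax error, script not parsed"]
    auditor = ScriptAuditor()
    auditor.visit(tree)
    return auditor.findings

# Constructed sample scripts standing in for LLM output.
BENIGN = "import pandas as pd\ndf = pd.read_csv('data.csv')\nprint(df.describe())\n"
SUSPECT = "import os\nprint(os.listdir('/'))\n"
```

A script with any finding should be discarded rather than "cleaned up" and run, since rewriting untrusted code is a second parser to get wrong.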

Affected Version(s)

Flowise < 3.1.0

CVSS V4

Score: 9.2
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: High
Attack Required: Physical
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
