CVE-2026-41265
Flowise: Airtable_Agent Code Injection Remote Code Execution Vulnerability
CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
0th
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the specific flaw exists within the run method of the Airtable_Agents class. The issue results from the lack of proper sandboxing when evaluating an LLM generated python script. Using prompt injection techniques, an unauthenticated attacker with the ability to send prompts to a chatflow using the Airtable Agent node may convince an LLM to respond with a malicious python script that executes attacker controlled commands on the flowise server. This vulnerability is fixed in 3.1.0.
| CWE | CWE-77 |
| Vendor | flowiseai |
| Product | flowise |
| Published | Apr 23, 2026 |
| Last Updated | Apr 23, 2026 |
Stay Ahead of the Next One
Get instant alerts for flowiseai flowise
Be the first to know when new unknown vulnerabilities affecting flowiseai flowise are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
Affected Versions
FlowiseAI / Flowise
< 3.1.0