PT-2026-34743 · Flowise · Flowise
Published: 2026-04-18 · Updated: 2026-06-13 · CVE-2026-41265
CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Flowise versions prior to 3.1.0
Description
An issue exists in the run() method of the Airtable Agents class due to insufficient sandboxing when evaluating Python scripts generated by a Large Language Model (LLM). An unauthenticated attacker can use prompt injection techniques to convince the LLM to generate a malicious Python script. This script can bypass the validatePythonCodeForDataFrame() function and its FORBIDDEN PATTERNS list by using techniques such as aliasing modules during import (e.g., importing the os module as pandas).
Successful exploitation allows the attacker to execute arbitrary OS commands on the server in the context of the user running the application. The flaw can be triggered via the following methods:
- Sending a crafted prompt to a chatflow using the Airtable Agent node via the /api/v1/prediction/{chat id} endpoint.
- An authenticated attacker specifying a malicious server in a chatflow that returns a malicious script instead of an LLM response.
- An authenticated attacker specifying an Airtable table containing prompt injections within its column names.
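The aliasing bypass described above, seen from the validator's side, as an added example (not Flowise's code and not the 3.1.0 fix): a constructed text denylist accepts a script that imports os under the name pandas, while a check on the parsed import statements sees the real module name. The pattern list, the module allowlist and both sample scripts are assumptions made for illustration; a static check of this kind complements isolating the interpreter and does not replace it.

```python
import ast
import re

# Constructed denylist for illustration; not Flowise's FORBIDDEN PATTERNS list.
NAIVE_DENYLIST = [r"^\s*import\s+os\s*$", r"\bos\.\w+", r"\bsubprocess\b",
                  r"\b(eval|exec|__import__)\s*\("]
ALLOWED_MODULES = {"pandas", "numpy"}  # assumption: all a DataFrame script needs
BLOCKED_NAMES = {"eval", "exec", "compile", "open", "__import__",
                 "getattr", "globals", "locals", "vars"}


def denylist_allows(code: str) -> bool:
    """Text matching on known-bad strings, the approach the advisory describes."""
    return not any(re.search(p, code, re.MULTILINE) for p in NAIVE_DENYLIST)


def ast_violations(code: str) -> list[str]:
    """Return reasons to reject `code`; an empty list means no finding."""
    try:
        tree = ast.parse(code)
    except SyntaxError as exc:
        return [f"unparseable: {exc.msg}"]
    found = []
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            # alias.name is the real module; alias.asname is only a local label.
            found += [f"import of {a.name}" for a in node.names
                      if a.name.split(".")[0] not in ALLOWED_MODULES]
        elif isinstance(node, ast.ImportFrom):
            root = (node.module or "").split(".")[0]
            if node.level or root not in ALLOWED_MODULES:
                found.append(f"from-import of {node.module or '.'}")
        elif isinstance(node, ast.Name) and node.id in BLOCKED_NAMES:
            found.append(f"use of {node.id}")
        elif isinstance(node, ast.Attribute) and node.attr.startswith("__"):
            found.append(f"dunder attribute {node.attr}")
    return found


# Constructed samples: the aliasing case from the advisory, and a benign script.
ALIASED = "import os as pandas\nresult = pandas.getcwd()\n"
BENIGN = "import pandas as pd\nresult = pd.DataFrame({'a': [1, 2]})['a'].sum()\n"

if __name__ == "__main__":
    for label, src in (("aliased", ALIASED), ("benign", BENIGN)):
        print(label, denylist_allows(src), ast_violations(src))
```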
Recommendations
Update to version 3.1.0.
As a temporary workaround, restrict access to the Airtable Agent node or the /api/v1/prediction/ endpoint to minimize the risk of exploitation.
Exploit
Fix
RCE
Incomplete List of Disallowed Inputs
Command Injection
Related Identifiers
Affected Products
Flowise