Published Friday, July 10, 2026 at 07:25 PM PT

<strong>FLOWISE CSV AGENT PROMPT INJECTION RCE (CVE-2026-41264) โ€” REMOTE CODE EXECUTION IN OPEN-SOURCE AI TOOL</strong>

BLUF: Critical remote code execution vulnerability discovered in Flowise, an open-source visual AI application builder. Attackers can inject malicious prompts via CSV Agent functionality to achieve unauthenticated code execution. Organizations deploying Flowise should immediately assess exposure and apply patches when available.


DETAILS:

  • Vulnerability: Prompt injection flaw in Flowise CSV Agent component allows remote code execution without authentication (CVE-2026-41264)
  • Affected Software: Flowise โ€” open-source drag-and-drop platform for building AI applications and chatbots
  • Attack Vector: CSV Agent accepts unsanitized user input that can be weaponized to break out of intended prompt context and execute arbitrary commands
  • Discoverers: Takahiro Yokoyama and ZDI Disclosures
  • Metasploit Module: multi/http/flowise_auth_rce_cve_2026_41264 now available for testing/validation

IMPACT:

  • Scope: Any organization or individual running Flowise instances, particularly those exposed to untrusted networks or internet-facing deployments
  • Severity: Critical โ€” unauthenticated RCE with no user interaction required beyond CSV submission
  • Risk: Complete system compromise, data exfiltration, lateral movement, supply chain risk if Flowise is embedded in third-party applications

RECOMMENDED ACTIONS:

  1. Immediate: Identify all Flowise deployments in your environment; prioritize internet-facing instances for isolation
  2. Assess: Determine if CSV Agent functionality is enabled and whether untrusted users can submit CSV files
  3. Monitor: Check logs for suspicious CSV uploads or unusual process execution tied to Flowise services
  4. Patch: Apply vendor updates when released; consider disabling CSV Agent until patched
  5. Segment: Restrict Flowise network access to trusted sources only

SOURCES:

  • Rapid7 Metasploit disclosure
  • ZDI Disclosures (Takahiro Yokoyama)
  • CVE-2026-41264

Note: Full patch availability and timeline uncertain at publication. Vendor guidance pending.