CVE-2026-41265 (GCVE-0-2026-41265)

Vulnerability from cvelistv5 – Published: 2026-04-23 19:58 – Updated: 2026-04-23 20:17

Title

Flowise: Airtable_Agent Code Injection Remote Code Execution Vulnerability

Summary

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the specific flaw exists within the run method of the Airtable_Agents class. The issue results from the lack of proper sandboxing when evaluating an LLM generated python script. Using prompt injection techniques, an unauthenticated attacker with the ability to send prompts to a chatflow using the Airtable Agent node may convince an LLM to respond with a malicious python script that executes attacker controlled commands on the flowise server. This vulnerability is fixed in 3.1.0.

Severity ?

9.2 (Critical)


                        
                          CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE

CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection')

Assigner

GitHub_M

References

URL

	Vendor	Product	Version
	FlowiseAI	Flowise	Affected: < 3.1.0

FKIE_CVE-2026-41265

Vulnerability from fkie_nvd - Published: 2026-04-23 20:16 - Updated: 2026-04-23 21:16

Severity ?

9.2 (Critical) - CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Summary

References

	URL	Tags
	security-advisories@github.com	https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-v38x-c887-992f
	134c704f-9b21-4f2e-91b3-4a467353bcc0	https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-v38x-c887-992f

Impacted products

	Vendor	Product	Version

JSON

To clipboard

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Flowise is a drag \u0026 drop user interface to build a customized large language model flow. Prior to 3.1.0, the specific flaw exists within the run method of the Airtable_Agents class. The issue results from the lack of proper sandboxing when evaluating an LLM generated python script. Using prompt injection techniques, an unauthenticated attacker with the ability to send prompts to a chatflow using the Airtable Agent node may convince an LLM to respond with a malicious python script that executes attacker controlled commands on the flowise server. This vulnerability is fixed in 3.1.0."
    }
  ],
  "id": "CVE-2026-41265",
  "lastModified": "2026-04-23T21:16:06.023",
  "metrics": {
    "cvssMetricV40": [
      {
        "cvssData": {
          "Automatable": "NOT_DEFINED",
          "Recovery": "NOT_DEFINED",
          "Safety": "NOT_DEFINED",
          "attackComplexity": "HIGH",
          "attackRequirements": "PRESENT",
          "attackVector": "NETWORK",
          "availabilityRequirement": "NOT_DEFINED",
          "baseScore": 9.2,
          "baseSeverity": "CRITICAL",
          "confidentialityRequirement": "NOT_DEFINED",
          "exploitMaturity": "NOT_DEFINED",
          "integrityRequirement": "NOT_DEFINED",
          "modifiedAttackComplexity": "NOT_DEFINED",
          "modifiedAttackRequirements": "NOT_DEFINED",
          "modifiedAttackVector": "NOT_DEFINED",
          "modifiedPrivilegesRequired": "NOT_DEFINED",
          "modifiedSubAvailabilityImpact": "NOT_DEFINED",
          "modifiedSubConfidentialityImpact": "NOT_DEFINED",
          "modifiedSubIntegrityImpact": "NOT_DEFINED",
          "modifiedUserInteraction": "NOT_DEFINED",
          "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
          "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
          "modifiedVulnIntegrityImpact": "NOT_DEFINED",
          "privilegesRequired": "NONE",
          "providerUrgency": "NOT_DEFINED",
          "subAvailabilityImpact": "NONE",
          "subConfidentialityImpact": "NONE",
          "subIntegrityImpact": "NONE",
          "userInteraction": "NONE",
          "valueDensity": "NOT_DEFINED",
          "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
          "version": "4.0",
          "vulnAvailabilityImpact": "HIGH",
          "vulnConfidentialityImpact": "HIGH",
          "vulnIntegrityImpact": "HIGH",
          "vulnerabilityResponseEffort": "NOT_DEFINED"
        },
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-04-23T20:16:14.890",
  "references": [
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-v38x-c887-992f"
    },
    {
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "url": "https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-v38x-c887-992f"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Received",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-77"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}

GHSA-V38X-C887-992F

Vulnerability from github – Published: 2026-04-18 00:46 – Updated: 2026-04-18 00:46

Summary

Flowise: Airtable_Agent Code Injection Remote Code Execution Vulnerability

Details

ZDI-CAN-29412: FlowiseAI Flowise Airtable_Agent Code Injection Remote Code Execution Vulnerability

-- ABSTRACT -------------------------------------

Trend Micro's Zero Day Initiative has identified a vulnerability affecting the following products: Flowise - Flowise

-- VULNERABILITY DETAILS ------------------------ * Version tested: 3.0.13 * Installer file: hxxps://github.com/FlowiseAI/Flowise * Platform tested: Ubuntu 25.10

Analysis

FlowiseAI Flowise Airtable Agent pythonCode Prompt Injection Remote Code Execution Vulnerability

This vulnerability allows remote attackers to execute arbitrary code on affected installations of FlowiseAI Flowise. Authentication is not required to exploit this vulnerability.

The specific flaw exists within the run method of the Airtable_Agents class. The issue results from the lack of proper sandboxing when evaluating an LLM generated python script. An attacker can leverage this vulnerability to execute code in the context of the user running the server.

Product information

FlowiseAI Flowise version 3.0.13 (https://github.com/FlowiseAI/Flowise)

Setup Instructions

npm install -g flowise@3.0.13 npx flowise start

Root Cause Analysis

FlowiseAI Flowise is an open source low-code tool for developers to build customized large language model (LLM) applications and AI agents. It supports integration with various LLMs, data sources, and tools in order to facilitate rapid development and deployment of AI solutions. Flowise offers a web interface with a drag-and-drop editor, as well as an API, through an Express web server accessible over HTTP on port 3000/TCP.

One such feature of Flowise is the ability to create chatflows. Chatflows use a drag and drop editor that allow a developer to place nodes which control how an interaction with a LLM will occur. One such node is the Airtable Agent node that represents an Agent used to answer queries on a provided Airtable table.

When a user makes a query against a chatflow using the Airtable Agent node, the run method of the Airtable_Agents class will be called. This method will first request the contents of the Airtable table passed to the node and convert it to a base64 string. It will then set up a pyodide environment and create a python script to be executed in this environment. This python script will use pandas to extract the column names and their types from the Airtable table. The method will then create a system prompt for an LLM using this data as follows:

You are working with a pandas dataframe in Python. The name of the dataframe is df.

The columns and data types of a dataframe are given below as a Python dictionary with keys showing column names and values showing the data types.
{dict}

I will ask question, and you will output the Python code using pandas dataframe to answer my question. Do not provide any explanations. Do not respond with anything except the output of the code.

Security: Output ONLY pandas/numpy operations on the dataframe (df). Do not use import, exec, eval, open, os, subprocess, or any other system or file operations. The code will be validated and rejected if it contains such constructs.

Question: {question}
Output Code:

Where {dict} is the extracted column names and {question} is the initial prompt provided by the user.

This system prompt will be sent to an LLM in order for it to generate a python script based on the user's prompt, and the LLM generated response will be stored in a variable name pythonCode. The method will then evaluate the pythonCode variable in a pyodide environment.

While the LLM-generated Python script is evaluated in a non-sandboxed environment, there is a list of forbidden patterns that are checked for before the script is executed on the server. The function validatePythonCodeForDataFrame() enumerates through a list, named FORBIDDEN_PATTERNS, which contains pairs of regex pattern and reasons. Each regex pattern is run against the Python script, and if the pattern is found in the script, the script is invalidated and is not run, responding to the request with a reason for rejection.

The input validation can be bypassed, which can still lead to running arbitrary OS commands on the server. An example of this is the pattern /\bimport\s+(?!pandas|numpy\b)/g, which intends to search for lines of code which import a module other than pandas or numpy. This can be bypassed by importing along with pandas or numpy. For example, consider the following lines of code:

import pandas as np, os as pandas
pandas.system("xcalc")

pandas is imported, but so is the os module, with pandas as its alias. OS commands can then be invoked with pandas.system().

Using prompt injection techniques, an unauthenticated attacker with the ability to send prompts to a chatflow using the Airtable Agent node may convince an LLM to respond with a malicious python script that executes attacker controlled commands on the flowise server.

An attacker can use this vulnerability to execute arbitrary python code, which can lead to arbitrary system commands being executed on the target server.

It is also possible for an authenticated attacker to exploit this vulnerability by specifying an attacker controlled server in a chatflow. This server would respond to prompts with an attacker controlled python script instead of an LLM generated response, which would then be evaluated on the server.

It is also possible for an authenticated attacker to exploit this vulnerability by specifying an attacker controlled Airtable table in a chatflow. This airtable table would contain columns whose name contain prompt injections, that are later passed to an LLM to use when generating a python script.

comments documenting the issue have been added to the following code snippet. Added comments are prepended with "!!!".

From packages/components/nodes/agents/AirtableAgent/core.ts

import type { PyodideInterface } from 'pyodide'
import * as path from 'path'
import { getUserHome } from '../../../src/utils'

let pyodideInstance: PyodideInterface | undefined

export async function LoadPyodide(): Promise<PyodideInterface> {
    if (pyodideInstance === undefined) {
        const { loadPyodide } = await import('pyodide')
        const obj: any = { packageCacheDir: path.join(getUserHome(), '.flowise', 'pyodideCacheDir') }
        pyodideInstance = await loadPyodide(obj)
        await pyodideInstance.loadPackage(['pandas', 'numpy'])
    }

    return pyodideInstance
}

export const systemPrompt = `You are working with a pandas dataframe in Python. The name of the dataframe is df.

The columns and data types of a dataframe are given below as a Python dictionary with keys showing column names and values showing the data types.
{dict}

I will ask question, and you will output the Python code using pandas dataframe to answer my question. Do not provide any explanations. Do not respond with anything except the output of the code.

Security: Output ONLY pandas/numpy operations on the dataframe (df). Do not use import, exec, eval, open, os, subprocess, or any other system or file operations. The code will be validated and rejected if it contains such constructs.

Question: {question}
Output Code:`

export const finalSystemPrompt = `You are given the question: {question}. You have an answer to the question: {answer}. Rephrase the answer into a standalone answer.
Standalone Answer:`

From packages/components/nodes/agents/AirtableAgent/AirtableAgent.ts

import axios from 'axios'
import { BaseLanguageModel } from '@langchain/core/language_models/base'
import { AgentExecutor } from 'langchain/agents'
import { LLMChain } from 'langchain/chains'
import { ICommonObject, INode, INodeData, INodeParams, IServerSideEventStreamer, PromptTemplate } from '../../../src/Interface'
import { getBaseClasses, getCredentialData, getCredentialParam } from '../../../src/utils'
import { ConsoleCallbackHandler, CustomChainHandler, additionalCallbacks } from '../../../src/handler'
import { LoadPyodide, finalSystemPrompt, systemPrompt } from './core'
import { validatePythonCodeForDataFrame } from '../../../src/pythonCodeValidator'
import { checkInputs, Moderation } from '../../moderation/Moderation'
import { formatResponse } from '../../outputparsers/OutputParserHelpers'

class Airtable_Agents implements INode {
    label: string
    name: string
    version: number
    description: string
    type: string
    icon: string
    category: string
    baseClasses: string[]
    credential: INodeParams
    inputs: INodeParams[]

    // !!! [... Truncated for Readability ...]

    // !!! input variable holds prompt from user
    async run(nodeData: INodeData, input: string, options: ICommonObject): Promise<string | object> {
        const model = nodeData.inputs?.model as BaseLanguageModel
        const baseId = nodeData.inputs?.baseId as string
        const tableId = nodeData.inputs?.tableId as string
        const returnAll = nodeData.inputs?.returnAll as boolean
        const limit = nodeData.inputs?.limit as string
        const moderations = nodeData.inputs?.inputModeration as Moderation[]

        // !!! the chatflow may contain moderation nodes that search for prompt injections, but these may not protect from every type of injection
        if (moderations && moderations.length > 0) {
            try {
                // Use the output of the moderation chain as input for the Vectara chain
                input = await checkInputs(moderations, input)
            } catch (e) {
                await new Promise((resolve) => setTimeout(resolve, 500))
                // if (options.shouldStreamResponse) {
                //     streamResponse(options.sseStreamer, options.chatId, e.message)
                // }
                return formatResponse(e.message)
            }
        }

        const shouldStreamResponse = options.shouldStreamResponse
        const sseStreamer: IServerSideEventStreamer = options.sseStreamer as IServerSideEventStreamer
        const chatId = options.chatId

        const credentialData = await getCredentialData(nodeData.credential ?? '', options)
        const accessToken = getCredentialParam('accessToken', credentialData, nodeData)

        let airtableData: ICommonObject[] = []

        // !!! Get Airtable data
        if (returnAll) {
            airtableData = await loadAll(baseId, tableId, accessToken)
        } else {
            airtableData = await loadLimit(limit ? parseInt(limit, 10) : 100, baseId, tableId, accessToken)
        }

        let base64String = Buffer.from(JSON.stringify(airtableData)).toString('base64')

        const loggerHandler = new ConsoleCallbackHandler(options.logger, options?.orgId)
        const callbacks = await additionalCallbacks(nodeData, options)

        const pyodide = await LoadPyodide()

        // First load the csv file and get the dataframe dictionary of column types
        // For example using titanic.csv: {'PassengerId': 'int64', 'Survived': 'int64', 'Pclass': 'int64', 'Name': 'object', 'Sex': 'object', 'Age': 'float64', 'SibSp': 'int64', 'Parch': 'int64', 'Ticket': 'object', 'Fare': 'float64', 'Cabin': 'object', 'Embarked': 'object'}
        let dataframeColDict = ''
        try {
            const code = `import pandas as pd
import base64
import json

base64_string = "${base64String}"

decoded_data = base64.b64decode(base64_string)

json_data = json.loads(decoded_data)

df = pd.DataFrame(json_data)
my_dict = df.dtypes.astype(str).to_dict()
print(my_dict)
json.dumps(my_dict)`
            dataframeColDict = await pyodide.runPythonAsync(code)
        } catch (error) {
            throw new Error(error)
        }

        // !!! ask LLM to come up with python script...
        // Then tell GPT to come out with ONLY python code
        // For example: len(df), df[df['SibSp'] > 3]['PassengerId'].count()
        let pythonCode = ''
        if (dataframeColDict) {
            const chain = new LLMChain({
                llm: model,
                // !!! prompt passed to LLM
                prompt: PromptTemplate.fromTemplate(systemPrompt),
                verbose: process.env.DEBUG === 'true' ? true : false
            })
            const inputs = {
                // !!! Airtable column names are also subbed into the system prompt which may also contain prompt injections
                dict: dataframeColDict,
                // !!! question, which is later subbed into the system prompt, is given the value of the user's prompt (which may contain prompt injections)
                question: input
            }
            const res = await chain.call(inputs, [loggerHandler, ...callbacks])
            // !!! the LLM's responce is assigned to the pythonCode variable
            pythonCode = res?.text
            // Regex to get rid of markdown code blocks syntax
            pythonCode = pythonCode.replace(/^```[a-z]+\n|\n```$/gm, '')
        }

        // Then run the code using Pyodide (only after validating to prevent RCE)
        let finalResult = ''
        if (pythonCode) {
            const validation = validatePythonCodeForDataFrame(pythonCode)
            if (!validation.valid) {
                throw new Error(
                    `Generated code was rejected for security reasons (${
                        validation.reason ?? 'unsafe construct'
                    }). Please rephrase your question to use only pandas DataFrame operations.`
                )
            }
            try {
                // !!! The python code is evaluated in a non-sandboxed environment
                const code = `import pandas as pd\n${pythonCode}`
                // TODO: get print console output
                finalResult = await pyodide.runPythonAsync(code)
            } catch (error) {
                throw new Error(`Sorry, I'm unable to find answer for question: "${input}" using following code: "${pythonCode}"`)
            }
        }

        // Finally, return a complete answer
        if (finalResult) {
            const chain = new LLMChain({
                llm: model,
                prompt: PromptTemplate.fromTemplate(finalSystemPrompt),
                verbose: process.env.DEBUG === 'true' ? true : false
            })
            const inputs = {
                question: input,
                answer: finalResult
            }

            if (options.shouldStreamResponse) {
                const handler = new CustomChainHandler(shouldStreamResponse ? sseStreamer : undefined, chatId)
                const result = await chain.call(inputs, [loggerHandler, handler, ...callbacks])
                return result?.text
            } else {
                const result = await chain.call(inputs, [loggerHandler, ...callbacks])
                return result?.text
            }
        }

        return pythonCode
    }
}

Proof of Concept

A proof of concept for this vulnerability is provided in ./poc.py. It expects the following syntax:

    python3 poc.py --method [server OR chatflow OR prompt_injection] [--user <USER> --passwd <password> --host <HOST> --r_host <R_HOST> --r_port <R_PORT> --l_port <L_PORT> --port <PORT> --cmd <CMD> --chatflow_id <CHAT_ID> --airtable_token <AIRTABLE_TOKEN> --base_id <BASE_ID> --table_id <TABLE_ID>]

Where USER is a username of a user on the server, PASSWORD is the user's password, HOST is the ip address of the vulnerable flowise server, R_HOST is the ip address of a malicious server started by this poc, R_PORT is the port a malicious server started by this poc is listening on (default: 5000), L_PORT is the port a malicious server started by this poc should listening on (default: 5000), PORT is the port the vulnerable flowise server is listening on (default: 3000), CMD is the command to execute on the flowise server (default: xcalc), CHAT_ID is the chatflow id of a chatflow using the Airflow Agent node, AIRTABLE_TOKEN is an api key for an Airtable account, BASE_ID is the base id to find an airflow table in, and TABLE_ID is the airflow table to use.

This poc has three modes of operation controlled by the method argument. The method argument may have any of the values "server" OR "chatflow" OR "prompt_injection".

method = "server"

By default the poc will start a malicious server listening on the port specified by the value. This server will respond to requests made to the "/api/chat" endpoint with a JSON object containing an LLM response that contains a malicious python script. This python script will execute a command specified by the value.

method = "chatflow"

By default, the poc will first establish an authenticated session on the server using the and arguments. It will then send a POST request to the "/api/v1/chatflow" endpoint with a JSON body containing a crafted chatflow using an Airflow Agent node and a ChatOllama node configured with a server specified by the and arguments. The Airflow Agent node will be configured using the , , and arguments. The default values of these arguments will be valid for 14 days from 2026-02-22. The poc will then send a POST request to the "/api/v1/internal-prediction/" endpoint in order to trigger a prediction using the chatflow.

It is intended that the server specified in the chatflow is a server started using the server method of this poc. When making a prediction against this chatflow, flowise will send a request to the specified server in order to generate an LLM response. The response recieved by flowise will be evaluated as a python script. Upon successful exploitation, The argument passed to the server method of this poc will be executed on the vulnerable flowise server.

method = "prompt_injection"

By default, the poc will send a POST request to the "/api/v1/prediction/chat_id" endpoint, where chat_id is a vulnerable chatflow id specified by the parameter. The JSON body of this request will contain a question member whose value will be a prompt containing a prompt injection. Upon successful exploitation, The argument will be executed on the vulnerable flowise server.

Due to the nature of LLM responses, it may take multiple attempts to be successful or require a different prompt injection technique depending on the model used.

Testing Environment

The provided proof of concept was tested using FlowiseAI Flowise version 3.0.13 runing on a Ubuntu 25.10 VM. The prompt injection method was tested using the Llama3.2 model running in Ollama.

Credits

Dre Cura (@dre_cura) and Nicholas Zubrisky (@NZubrisky) of TrendAI Research

How This Differs from CVE-2026-41138

CVE-2026-41138 introduced sanitization for the Pyodide code ran by the Airtable Agent. This advisory demonstrates a bypass of that sanitization, which we addressed separately by disallowing imports outright.

Severity ?

9.2 (Critical)


                  
                    CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 3.0.13"
      },
      "package": {
        "ecosystem": "npm",
        "name": "flowise"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.1.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 3.0.13"
      },
      "package": {
        "ecosystem": "npm",
        "name": "flowise-components"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.1.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-184"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-18T00:46:04Z",
    "nvd_published_at": null,
    "severity": "CRITICAL"
  },
  "details": "ZDI-CAN-29412: FlowiseAI Flowise Airtable_Agent Code Injection Remote Code Execution Vulnerability\n\n-- ABSTRACT -------------------------------------\n\nTrend Micro\u0027s Zero Day Initiative has identified a vulnerability affecting the following products:\nFlowise - Flowise\n\n-- VULNERABILITY DETAILS ------------------------\n* Version tested:   3.0.13\n* Installer file:   hxxps://github.com/FlowiseAI/Flowise\n* Platform tested:  Ubuntu 25.10\n\n---\n\n### Analysis\n\n# FlowiseAI Flowise Airtable Agent pythonCode Prompt Injection Remote Code Execution Vulnerability\n\nThis vulnerability allows remote attackers to execute arbitrary code on affected installations of FlowiseAI Flowise. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists within the run method of the Airtable_Agents class. The issue results from the lack of proper sandboxing when evaluating an LLM generated python script. An attacker can leverage this vulnerability to execute code in the context of the user running the server.\n\n### Product information\n\nFlowiseAI Flowise version 3.0.13 (https://github.com/FlowiseAI/Flowise)\n\n### Setup Instructions\n\nnpm install -g flowise@3.0.13\nnpx flowise start\n\n### Root Cause Analysis\n\nFlowiseAI Flowise is an open source low-code tool for developers to build customized large language model (LLM) applications and AI agents. It supports integration with various LLMs, data sources, and tools in order to facilitate rapid development and deployment of AI solutions. Flowise offers a web interface with a drag-and-drop editor, as well as an API, through an Express web server accessible over HTTP on port 3000/TCP.\n\nOne such feature of Flowise is the ability to create chatflows. Chatflows use a drag and drop editor that allow a developer to place nodes which control how an interaction with a LLM will occur. One such node is the Airtable Agent node that represents an Agent used to answer queries on a provided Airtable table.\n\nWhen a user makes a query against a chatflow using the Airtable Agent node, the run method of the Airtable_Agents class will be called. This method will first request the contents of the Airtable table passed to the node and convert it to a base64 string. It will then set up a pyodide environment and create a python script to be executed in this environment. This python script will use pandas to extract the column names and their types from the Airtable table. The method will then create a system prompt for an LLM using this data as follows:\n\n```\nYou are working with a pandas dataframe in Python. The name of the dataframe is df.\n\nThe columns and data types of a dataframe are given below as a Python dictionary with keys showing column names and values showing the data types.\n{dict}\n\nI will ask question, and you will output the Python code using pandas dataframe to answer my question. Do not provide any explanations. Do not respond with anything except the output of the code.\n\nSecurity: Output ONLY pandas/numpy operations on the dataframe (df). Do not use import, exec, eval, open, os, subprocess, or any other system or file operations. The code will be validated and rejected if it contains such constructs.\n\nQuestion: {question}\nOutput Code:\n```\n\nWhere {dict} is the extracted column names and {question} is the initial prompt provided by the user.\n\nThis system prompt will be sent to an LLM in order for it to generate a python script based on the user\u0027s prompt, and the LLM generated response will be stored in a variable name pythonCode. The method will then evaluate the pythonCode variable in a pyodide environment.\n\nWhile the LLM-generated Python script is evaluated in a non-sandboxed environment, there is a list of forbidden patterns that are checked for before the script is executed on the server. The function validatePythonCodeForDataFrame() enumerates through a list, named FORBIDDEN_PATTERNS, which contains pairs of regex pattern and reasons. Each regex pattern is run against the Python script, and if the pattern is found in the script, the script is invalidated and is not run, responding to the request with a reason for rejection.\n\nThe input validation can be bypassed, which can still lead to running arbitrary OS commands on the server. An example of this is the pattern `/\\bimport\\s+(?!pandas|numpy\\b)/g`, which intends to search for lines of code which import a module other than pandas or numpy. This can be bypassed by importing along with pandas or numpy. For example, consider the following lines of code:\n\n```python\nimport pandas as np, os as pandas\npandas.system(\"xcalc\")\n```\n\npandas is imported, but so is the os module, with pandas as its alias. OS commands can then be invoked with `pandas.system()`. \n\nUsing prompt injection techniques, an unauthenticated attacker with the ability to send prompts to a chatflow using the Airtable Agent node may convince an LLM to respond with a malicious python script that executes attacker controlled commands on the flowise server.\n\nAn attacker can use this vulnerability to execute arbitrary python code, which can lead to arbitrary system commands being executed on the target server.\n\nIt is also possible for an authenticated attacker to exploit this vulnerability by specifying an attacker controlled server in a chatflow. This server would respond to prompts with an attacker controlled python script instead of an LLM generated response, which would then be evaluated on the server.\n\nIt is also possible for an authenticated attacker to exploit this vulnerability by specifying an attacker controlled Airtable table in a chatflow. This airtable table would contain columns whose name contain prompt injections, that are later passed to an LLM to use when generating a python script.\n\ncomments documenting the issue have been added to the following code snippet. Added comments are prepended with \"!!!\".\n\nFrom packages/components/nodes/agents/AirtableAgent/core.ts\n```ts\nimport type { PyodideInterface } from \u0027pyodide\u0027\nimport * as path from \u0027path\u0027\nimport { getUserHome } from \u0027../../../src/utils\u0027\n\nlet pyodideInstance: PyodideInterface | undefined\n\nexport async function LoadPyodide(): Promise\u003cPyodideInterface\u003e {\n    if (pyodideInstance === undefined) {\n        const { loadPyodide } = await import(\u0027pyodide\u0027)\n        const obj: any = { packageCacheDir: path.join(getUserHome(), \u0027.flowise\u0027, \u0027pyodideCacheDir\u0027) }\n        pyodideInstance = await loadPyodide(obj)\n        await pyodideInstance.loadPackage([\u0027pandas\u0027, \u0027numpy\u0027])\n    }\n\n    return pyodideInstance\n}\n\nexport const systemPrompt = `You are working with a pandas dataframe in Python. The name of the dataframe is df.\n\nThe columns and data types of a dataframe are given below as a Python dictionary with keys showing column names and values showing the data types.\n{dict}\n\nI will ask question, and you will output the Python code using pandas dataframe to answer my question. Do not provide any explanations. Do not respond with anything except the output of the code.\n\nSecurity: Output ONLY pandas/numpy operations on the dataframe (df). Do not use import, exec, eval, open, os, subprocess, or any other system or file operations. The code will be validated and rejected if it contains such constructs.\n\nQuestion: {question}\nOutput Code:`\n\nexport const finalSystemPrompt = `You are given the question: {question}. You have an answer to the question: {answer}. Rephrase the answer into a standalone answer.\nStandalone Answer:`\n```\n\nFrom packages/components/nodes/agents/AirtableAgent/AirtableAgent.ts\n```ts\nimport axios from \u0027axios\u0027\nimport { BaseLanguageModel } from \u0027@langchain/core/language_models/base\u0027\nimport { AgentExecutor } from \u0027langchain/agents\u0027\nimport { LLMChain } from \u0027langchain/chains\u0027\nimport { ICommonObject, INode, INodeData, INodeParams, IServerSideEventStreamer, PromptTemplate } from \u0027../../../src/Interface\u0027\nimport { getBaseClasses, getCredentialData, getCredentialParam } from \u0027../../../src/utils\u0027\nimport { ConsoleCallbackHandler, CustomChainHandler, additionalCallbacks } from \u0027../../../src/handler\u0027\nimport { LoadPyodide, finalSystemPrompt, systemPrompt } from \u0027./core\u0027\nimport { validatePythonCodeForDataFrame } from \u0027../../../src/pythonCodeValidator\u0027\nimport { checkInputs, Moderation } from \u0027../../moderation/Moderation\u0027\nimport { formatResponse } from \u0027../../outputparsers/OutputParserHelpers\u0027\n\nclass Airtable_Agents implements INode {\n    label: string\n    name: string\n    version: number\n    description: string\n    type: string\n    icon: string\n    category: string\n    baseClasses: string[]\n    credential: INodeParams\n    inputs: INodeParams[]\n\n    // !!! [... Truncated for Readability ...]\n\n    // !!! input variable holds prompt from user\n    async run(nodeData: INodeData, input: string, options: ICommonObject): Promise\u003cstring | object\u003e {\n        const model = nodeData.inputs?.model as BaseLanguageModel\n        const baseId = nodeData.inputs?.baseId as string\n        const tableId = nodeData.inputs?.tableId as string\n        const returnAll = nodeData.inputs?.returnAll as boolean\n        const limit = nodeData.inputs?.limit as string\n        const moderations = nodeData.inputs?.inputModeration as Moderation[]\n\n        // !!! the chatflow may contain moderation nodes that search for prompt injections, but these may not protect from every type of injection\n        if (moderations \u0026\u0026 moderations.length \u003e 0) {\n            try {\n                // Use the output of the moderation chain as input for the Vectara chain\n                input = await checkInputs(moderations, input)\n            } catch (e) {\n                await new Promise((resolve) =\u003e setTimeout(resolve, 500))\n                // if (options.shouldStreamResponse) {\n                //     streamResponse(options.sseStreamer, options.chatId, e.message)\n                // }\n                return formatResponse(e.message)\n            }\n        }\n\n        const shouldStreamResponse = options.shouldStreamResponse\n        const sseStreamer: IServerSideEventStreamer = options.sseStreamer as IServerSideEventStreamer\n        const chatId = options.chatId\n\n        const credentialData = await getCredentialData(nodeData.credential ?? \u0027\u0027, options)\n        const accessToken = getCredentialParam(\u0027accessToken\u0027, credentialData, nodeData)\n\n        let airtableData: ICommonObject[] = []\n\n        // !!! Get Airtable data\n        if (returnAll) {\n            airtableData = await loadAll(baseId, tableId, accessToken)\n        } else {\n            airtableData = await loadLimit(limit ? parseInt(limit, 10) : 100, baseId, tableId, accessToken)\n        }\n\n        let base64String = Buffer.from(JSON.stringify(airtableData)).toString(\u0027base64\u0027)\n\n        const loggerHandler = new ConsoleCallbackHandler(options.logger, options?.orgId)\n        const callbacks = await additionalCallbacks(nodeData, options)\n\n        const pyodide = await LoadPyodide()\n\n        // First load the csv file and get the dataframe dictionary of column types\n        // For example using titanic.csv: {\u0027PassengerId\u0027: \u0027int64\u0027, \u0027Survived\u0027: \u0027int64\u0027, \u0027Pclass\u0027: \u0027int64\u0027, \u0027Name\u0027: \u0027object\u0027, \u0027Sex\u0027: \u0027object\u0027, \u0027Age\u0027: \u0027float64\u0027, \u0027SibSp\u0027: \u0027int64\u0027, \u0027Parch\u0027: \u0027int64\u0027, \u0027Ticket\u0027: \u0027object\u0027, \u0027Fare\u0027: \u0027float64\u0027, \u0027Cabin\u0027: \u0027object\u0027, \u0027Embarked\u0027: \u0027object\u0027}\n        let dataframeColDict = \u0027\u0027\n        try {\n            const code = `import pandas as pd\nimport base64\nimport json\n\nbase64_string = \"${base64String}\"\n\ndecoded_data = base64.b64decode(base64_string)\n\njson_data = json.loads(decoded_data)\n\ndf = pd.DataFrame(json_data)\nmy_dict = df.dtypes.astype(str).to_dict()\nprint(my_dict)\njson.dumps(my_dict)`\n            dataframeColDict = await pyodide.runPythonAsync(code)\n        } catch (error) {\n            throw new Error(error)\n        }\n\n        // !!! ask LLM to come up with python script...\n        // Then tell GPT to come out with ONLY python code\n        // For example: len(df), df[df[\u0027SibSp\u0027] \u003e 3][\u0027PassengerId\u0027].count()\n        let pythonCode = \u0027\u0027\n        if (dataframeColDict) {\n            const chain = new LLMChain({\n                llm: model,\n                // !!! prompt passed to LLM\n                prompt: PromptTemplate.fromTemplate(systemPrompt),\n                verbose: process.env.DEBUG === \u0027true\u0027 ? true : false\n            })\n            const inputs = {\n                // !!! Airtable column names are also subbed into the system prompt which may also contain prompt injections\n                dict: dataframeColDict,\n                // !!! question, which is later subbed into the system prompt, is given the value of the user\u0027s prompt (which may contain prompt injections)\n                question: input\n            }\n            const res = await chain.call(inputs, [loggerHandler, ...callbacks])\n            // !!! the LLM\u0027s responce is assigned to the pythonCode variable\n            pythonCode = res?.text\n            // Regex to get rid of markdown code blocks syntax\n            pythonCode = pythonCode.replace(/^```[a-z]+\\n|\\n```$/gm, \u0027\u0027)\n        }\n\n        // Then run the code using Pyodide (only after validating to prevent RCE)\n        let finalResult = \u0027\u0027\n        if (pythonCode) {\n            const validation = validatePythonCodeForDataFrame(pythonCode)\n            if (!validation.valid) {\n                throw new Error(\n                    `Generated code was rejected for security reasons (${\n                        validation.reason ?? \u0027unsafe construct\u0027\n                    }). Please rephrase your question to use only pandas DataFrame operations.`\n                )\n            }\n            try {\n                // !!! The python code is evaluated in a non-sandboxed environment\n                const code = `import pandas as pd\\n${pythonCode}`\n                // TODO: get print console output\n                finalResult = await pyodide.runPythonAsync(code)\n            } catch (error) {\n                throw new Error(`Sorry, I\u0027m unable to find answer for question: \"${input}\" using following code: \"${pythonCode}\"`)\n            }\n        }\n\n        // Finally, return a complete answer\n        if (finalResult) {\n            const chain = new LLMChain({\n                llm: model,\n                prompt: PromptTemplate.fromTemplate(finalSystemPrompt),\n                verbose: process.env.DEBUG === \u0027true\u0027 ? true : false\n            })\n            const inputs = {\n                question: input,\n                answer: finalResult\n            }\n\n            if (options.shouldStreamResponse) {\n                const handler = new CustomChainHandler(shouldStreamResponse ? sseStreamer : undefined, chatId)\n                const result = await chain.call(inputs, [loggerHandler, handler, ...callbacks])\n                return result?.text\n            } else {\n                const result = await chain.call(inputs, [loggerHandler, ...callbacks])\n                return result?.text\n            }\n        }\n\n        return pythonCode\n    }\n}\n\n```\n\n### Proof of Concept\n\nA proof of concept for this vulnerability is provided in ./poc.py. It expects the following syntax:\n\n```\n    python3 poc.py --method [server OR chatflow OR prompt_injection] [--user \u003cUSER\u003e --passwd \u003cpassword\u003e --host \u003cHOST\u003e --r_host \u003cR_HOST\u003e --r_port \u003cR_PORT\u003e --l_port \u003cL_PORT\u003e --port \u003cPORT\u003e --cmd \u003cCMD\u003e --chatflow_id \u003cCHAT_ID\u003e --airtable_token \u003cAIRTABLE_TOKEN\u003e --base_id \u003cBASE_ID\u003e --table_id \u003cTABLE_ID\u003e]\n```\n\nWhere USER is a username of a user on the server, PASSWORD is the user\u0027s password, HOST is the ip address of the vulnerable flowise server, R_HOST is the ip address of a malicious server started by this poc, R_PORT is the port a malicious server started by this poc is listening on (default: 5000), L_PORT is the port a malicious server started by this poc should listening on (default: 5000), PORT is the port the vulnerable flowise server is listening on (default: 3000), CMD is the command to execute on the flowise server (default: xcalc), CHAT_ID is the chatflow id of a chatflow using the Airflow Agent node, AIRTABLE_TOKEN is an api key for an Airtable account, BASE_ID is the base id to find an airflow table in, and TABLE_ID is the airflow table to use. \n\nThis poc has three modes of operation controlled by the method argument. The method argument may have any of the values \"server\" OR \"chatflow\" OR \"prompt_injection\".\n\n#### method = \"server\"\n\nBy default the poc will start a malicious server listening on the port specified by the \u003cL_PORT\u003e value. This server will respond to requests made to the \"/api/chat\" endpoint with a JSON object containing an LLM response that contains a malicious python script. This python script will execute a command specified by the \u003cCMD\u003e value.\n\n#### method = \"chatflow\"\n\nBy default, the poc will first establish an authenticated session on the server using the \u003cUSER\u003e and \u003cPASSWORD\u003e arguments. It will then send a POST request to the \"/api/v1/chatflow\" endpoint with a JSON body containing a crafted chatflow using an Airflow Agent node and a ChatOllama node configured with a server specified by the \u003cR_HOST\u003e and \u003cR_PORT\u003e arguments. The Airflow Agent node will be configured using the \u003cAIRTABLE_TOKEN\u003e, \u003cBASE_ID\u003e, and \u003cTABLE_ID\u003e arguments. The default values of these arguments will be valid for 14 days from 2026-02-22. The poc will then send a POST request to the \"/api/v1/internal-prediction/\" endpoint in order to trigger a prediction using the chatflow. \n\nIt is intended that the server specified in the chatflow is a server started using the server method of this poc. When making a prediction against this chatflow, flowise will send a request to the specified server in order to generate an LLM response. The response recieved by flowise will be evaluated as a python script. Upon successful exploitation, The \u003cCMD\u003e argument passed to the server method of this poc will be executed on the vulnerable flowise server. \n\n#### method = \"prompt_injection\"\n\nBy default, the poc will send a POST request to the \"/api/v1/prediction/*chat_id*\" endpoint, where *chat_id* is a vulnerable chatflow id specified by the \u003cCHAT_ID\u003e parameter. The JSON body of this request will contain a question member whose value will be a prompt containing a prompt injection. Upon successful exploitation, The \u003cCMD\u003e argument will be executed on the vulnerable flowise server.\n\nDue to the nature of LLM responses, it may take multiple attempts to be successful or require a different prompt injection technique depending on the model used.\n\n### Testing Environment\n\nThe provided proof of concept was tested using FlowiseAI Flowise version 3.0.13 runing on a Ubuntu 25.10 VM. The prompt injection method was tested using the Llama3.2 model running in Ollama.\n\n\n### Credits\n\nDre Cura (@dre_cura) and Nicholas Zubrisky (@NZubrisky) of TrendAI Research\n\n### How This Differs from CVE-2026-41138\nCVE-2026-41138 introduced sanitization for the Pyodide code ran by the Airtable Agent. This advisory demonstrates a bypass of that sanitization, which we addressed separately by disallowing imports outright.",
  "id": "GHSA-v38x-c887-992f",
  "modified": "2026-04-18T00:46:04Z",
  "published": "2026-04-18T00:46:04Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-v38x-c887-992f"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/FlowiseAI/Flowise"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Flowise: Airtable_Agent Code Injection Remote Code Execution Vulnerability"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-41265 (GCVE-0-2026-41265)

FKIE_CVE-2026-41265

GHSA-V38X-C887-992F

Analysis

FlowiseAI Flowise Airtable Agent pythonCode Prompt Injection Remote Code Execution Vulnerability

Product information

Setup Instructions

Root Cause Analysis

Proof of Concept

method = "server"

method = "chatflow"

method = "prompt_injection"

Testing Environment

Credits

How This Differs from CVE-2026-41138

Tags

Sightings

Nomenclature