Code Injection in Flowise - CVE-2026-41138
Published: May 4, 2026
Flowise
Detailed vulnerability description
The vulnerability allows a remote user to execute arbitrary code.
The vulnerability exists because AirtableAgent.ts does not properly control code generation when it processes user-supplied prompt input for Pandas through the LLMChain workflow. A remote user can send a specially crafted prompt-injection payload to execute arbitrary code.
The root cause is that user input is reflected into the generated Python code, which is then executed by Pyodide.
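The pattern the advisory describes, as an added illustration that is not Flowise's code: a template that splices prompt text straight into Python source beside one that binds it as a literal, plus an AST shape check a workflow can apply before handing generated code to the interpreter. The function names, the constructed sample rows and the plain-list stand-in for a DataFrame (no pandas dependency) are assumptions.

```python
import ast
import json

# Constructed sample records standing in for the rows a DataFrame would hold.
ROWS = [{"name": "Ada", "role": "eng"}, {"name": "O'Brien", "role": "ops"}]

def build_code_unsafe(user_value: str) -> str:
    # Prompt text is spliced into the program source: quotes, newlines or
    # comment markers in the prompt change the program that gets executed.
    return f"result = [r for r in rows if r['name'] == '{user_value}']"

def build_code_safe(user_value: str) -> str:
    # Prompt text enters only as a literal (json.dumps output is a valid
    # Python string literal); the statements are fixed by the template.
    return (f"user_value = {json.dumps(user_value)}\n"
            "result = [r for r in rows if r['name'] == user_value]")

def shape(code: str) -> str:
    """AST of a program with every string literal blanked out."""
    tree = ast.parse(code)
    for node in ast.walk(tree):
        if isinstance(node, ast.Constant) and isinstance(node.value, str):
            node.value = ""
    return ast.dump(tree)

def matches_template(builder, user_value: str) -> bool:
    """True if the user value left the program's structure unchanged."""
    try:
        return shape(builder(user_value)) == shape(builder(""))
    except SyntaxError:
        return False

def run(builder, user_value: str):
    """Generate the program, refuse it if its shape drifted, then execute."""
    if not matches_template(builder, user_value):
        raise ValueError("generated code does not match the template")
    ns = {"rows": ROWS}
    exec(builder(user_value), ns)  # stands in for the Pyodide execution step
    return ns["result"]

if __name__ == "__main__":
    print(run(build_code_safe, "O'Brien"))      # the apostrophe is just data
    print(matches_template(build_code_unsafe, "O'Brien"))  # False: shape broke
```

A value as ordinary as a surname with an apostrophe is enough to show the difference: the unsafe template turns it into a different program, the safe one keeps it as data.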