Flowise: Remote code execution vulnerability in AirtableAgent.ts caused by lack...

8.3 / 10

HIGH

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L

Description

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, there is a remote code execution vulnerability in AirtableAgent.ts caused by lack of input verification when using Pandas. The user’s input is directly applied to the question parameter within the prompt template and it is reflected to the Python code without any sanitization. This vulnerability is fixed in 3.1.0.

Basic Information

ID CVE-2026-41138

Source GitHub_M

Published Apr 23, 2026 at 19:05

Affected Product

Vendor FlowiseAI

Product Flowise

Version < 3.1.0

Affected Versions FlowiseAI Flowise < 3.1.0

CWE Classification

CWE-94

References

github.com /FlowiseAI/Flowise/security/advisories/GHSA-f228-chmx-v6j6

{
    "lastseen": "",
    "description": "Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, there is a remote code execution vulnerability in AirtableAgent.ts caused by lack of input verification when using Pandas. The user\u2019s input is directly applied to the question parameter within the prompt template and it is reflected to the Python code without any sanitization. This vulnerability is fixed in 3.1.0.",
    "published": "2026-04-23T19:05:22.327Z",
    "modified": "2026-04-23T19:05:22.327Z",
    "type": "cve",
    "title": "Flowise: Remote code execution vulnerability in AirtableAgent.ts caused by lack of input verification when using Pandas.",
    "source": "GitHub_M",
    "references": "https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-f228-chmx-v6j6",
    "id": "CVE-2026-41138",
    "bulletinFamily": "",
    "cwe": [
        "CWE-94"
    ],
    "cvelist": null,
    "sourceData": "FlowiseAI Flowise < 3.1.0",
    "sourceHref": "",
    "cvss": {
        "score": 8.3,
        "severity": "HIGH",
        "vector": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L",
        "version": "3.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Flowise",
    "version": "< 3.1.0",
    "vendor": "FlowiseAI",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Flowise: Remote code execution vulnerability in AirtableAgent.ts caused by lack of input verification when using Pandas._CVE-2026-41138