CVE-2026-41265 - Flowise Airtable Agent code injection RCE
Flowise versions 3.0.13 and earlier allow remote code execution through the
Airtable Agent node. The node asks an LLM to generate Python code for a pandas
dataframe, validates that generated code with deny-list patterns, then executes
it in a Pyodide runtime on the Flowise server.
The advisory describes several ways attacker-controlled content can shape the generated Python: direct prompts sent to a vulnerable chatflow, an attacker-run model endpoint configured by an authenticated user, or prompt-injection text in Airtable data and column names. Because the validator was bypassable, generated code could reach OS command execution in the context of the Flowise server.
When to use it
- A repository deploys, builds, images, configures, seeds, or documents Flowise
<=3.0.13orflowise-components <=3.0.13. - Chatflows include Airtable Agent nodes, public prediction endpoints, tenant-created flows, arbitrary model endpoints, or Airtable data controlled by untrusted users.
- Flowise runtimes can reach LLM keys, Airtable tokens, source workspaces, internal services, cloud credentials, or writable deployment storage.
- You need a bounded PR or triage note that upgrades Flowise and blocks vulnerable Airtable Agent execution during rollout.
Inputs
- Package manifests, lockfiles, Docker/Compose/Helm/K8s/Terraform artifacts, seed/exported chatflows, environment templates, gateway policies, SBOMs, deployment renders, and runbooks.
- Flowise and
flowise-componentsversions, Airtable Agent usage, public prediction routes, chatflow author roles, model endpoint policy, runtime egress, prompt/generated-code logs, and credential rotation owners. - Available package install, chatflow import checks, API/gateway policy tests, image build, deployment diff, SBOM, and dependency/security scans.
Affected versions
- Vulnerable:
flowise <=3.0.13 - Vulnerable:
flowise-components <=3.0.13 - Fixed:
flowise 3.1.0+andflowise-components 3.1.0+ - Affected component: Airtable Agent node code generation and evaluation.
Indicator-of-exposure
- The repository deploys, builds, or documents Flowise
<=3.0.13. - A chatflow uses the Airtable Agent node.
- Prediction or internal-prediction endpoints are reachable by untrusted users, unauthenticated users, public chat embeds, webhooks, or tenant-controlled integrations.
- Authenticated users can create chatflows that point to arbitrary model servers or attacker-controlled Airtable data.
- The Flowise process has access to LLM provider keys, Airtable tokens, source repositories, internal services, cloud credentials, or writable deployment storage.
Quick checks:
rg -n "flowise|flowise-components|AirtableAgent|Airtable_Agents|validatePythonCodeForDataFrame|pyodide|internal-prediction|/api/v1/prediction" .
npm ls flowise flowise-components
pnpm why flowise flowise-components
yarn why flowise flowise-components
rg -n "Airtable Agent|airtable.*agent|chatflow|prediction|FLOWISE|FLOWISE_USERNAME|FLOWISE_PASSWORD" Dockerfile* docker-compose*.yml charts deploy k8s .github .
Remediation strategy
- Upgrade
flowiseandflowise-componentsto3.1.0+everywhere this repository controls package manifests, lockfiles, images, or deployment manifests. - Until the fixed version is deployed, disable Airtable Agent nodes and block public or tenant prediction routes for chatflows containing that node.
- Prevent untrusted users from configuring arbitrary model endpoints, Airtable bases, or chatflows that can trigger server-side generated-code evaluation.
- Treat LLM-generated code as untrusted code. Prefer removing server-side eval of generated Python; otherwise enforce a positive AST-level allow-list and run evaluation in a constrained, no-network, no-filesystem sandbox.
- Rotate Flowise, Airtable, model provider, and runtime credentials if exposed chatflows could have reached the vulnerable node.
The prompt
You are remediating CVE-2026-41265 (Flowise Airtable Agent code injection
remote code execution). Produce exactly one output:
- A reviewer-ready PR/change request that upgrades Flowise, disables exposed
Airtable Agent execution until patched, adds regression coverage, and
documents operator cleanup, or
- TRIAGE.md if this repository does not own an affected Flowise deployment or
cannot make a safe change.
## Rules
- Scope only CVE-2026-41265 / GHSA-v38x-c887-992f.
- Treat Flowise credentials, Airtable tokens, LLM provider keys, chatflow
payloads, prompt logs, generated Python, environment variables, and workspace
files as sensitive.
- Do not run exploit payloads, reverse shells, shell commands, or attacker-like
generated Python against production, staging, shared dev, or real Flowise
instances.
- Do not rely on LLM prompt instructions or string deny-lists as the only
security control for generated code.
- Do not auto-merge.
## Steps
1. Inventory every Flowise runtime controlled by this repository:
`package.json`, lockfiles, Dockerfiles, compose files, Helm charts,
Kubernetes manifests, Terraform, Ansible, CI images, SBOMs, seed chatflows,
exported chatflow JSON, environment templates, and runbooks.
2. Determine every resolved `flowise` and `flowise-components` version. A target
is vulnerable if either package resolves to `<=3.0.13`.
3. Search for Airtable Agent exposure:
- Airtable Agent nodes in exported chatflows;
- public chat embeds or unauthenticated prediction routes;
- tenant-controlled chatflow creation;
- arbitrary model-server configuration;
- Airtable table, column, or prompt content that can reach generated Python.
4. If this repository does not deploy Flowise or only contains unrelated client
code, stop with `TRIAGE.md` listing files checked and the runtime owner.
5. Upgrade all controlled Flowise packages and images to `3.1.0+`. Regenerate
lockfiles, image digests, SBOMs, and deployment render output.
6. Add containment where this repo controls it:
- disable Airtable Agent chatflows until every runtime is patched;
- block public prediction calls to vulnerable chatflows at the API gateway;
- restrict chatflow creation and model endpoint configuration to trusted
administrators;
- fail closed if node type or Flowise version cannot be determined.
7. Add regression tests or policy checks that do not execute system commands:
- vulnerable package versions are rejected by dependency policy;
- Airtable Agent chatflows cannot be publicly exposed on vulnerable
versions;
- generated Python containing imports, attribute tricks, file access,
subprocess/system calls, or network access is rejected before execution;
- the evaluator is disabled, sandboxed, or upgraded according to the fixed
runtime contract.
8. Add operator hardening:
- least-privilege Flowise service identity;
- no cloud or deployment-admin credentials in the Flowise process;
- egress restrictions for Flowise workers;
- secret redaction in chatflow, prompt, and generated-code logs.
9. Add a PR body section named `CVE-2026-41265 operator actions` that states:
- Flowise versions before and after the change;
- whether any Airtable Agent chatflow was public or tenant reachable;
- which Airtable, LLM provider, Flowise, and runtime credentials require
rotation;
- which Flowise prediction logs and process logs should be reviewed for
rejected generated code or suspicious child processes;
- any temporary route block or feature disablement still in place.
10. Run relevant validation: package install, lockfile integrity, unit/API
tests, chatflow import checks, gateway policy tests, image build, deployment
diff, SBOM refresh, and dependency/security scans available in this repo.
11. Use PR title:
`fix(sec): remediate CVE-2026-41265 in Flowise Airtable Agent`.
## Stop conditions
- No affected Flowise runtime is controlled by this repository.
- A fixed Flowise version cannot be consumed without a broader migration.
- The product intentionally depends on public Airtable Agent chatflows executing
LLM-generated Python; document the risk and require a product/security
decision.
- Verification would require executing attacker-controlled code or commands.
- Validation fails for unrelated pre-existing reasons; document those failures
instead of broadening scope.
Verification - what the reviewer looks for
- No controlled package, lockfile, image, SBOM, or deployment target resolves
flowiseorflowise-componentsto<=3.0.13. - Airtable Agent chatflows are disabled, admin-only, or fixed before they are reachable by untrusted prompts.
- Tests or policy checks prove generated Python cannot import modules, open files, spawn commands, or reach network/system APIs.
- Gateway or feature-flag containment exists for non-atomic rollouts.
- Operator actions cover credential rotation and log review when exposure was possible.
Output contract
- Reviewer-ready PR upgrading all controlled Flowise packages/images to
3.1.0+with refreshed locks, image digests, SBOMs, and deployment renders. - Containment that disables or blocks public/tenant-reachable Airtable Agent chatflows until every runtime is patched.
- Regression or policy checks proving vulnerable versions are rejected, generated Python cannot import/open/spawn/reach network/system APIs, and model endpoint/chatflow creation is trusted-only where needed.
TRIAGE.mdwhen Flowise runtime, chatflow ownership, gateway containment, or credential/log review is outside this repository.
Watch for
- Upgrading the Flowise app package while old
flowise-componentscode remains in an image layer or global npm install. - Treating authenticated chatflow authors as trusted when tenants can configure model endpoints or Airtable data.
- Leaving public prediction routes enabled for old exported chatflows.
- Logging full generated Python, Airtable data, or provider credentials during debugging.
Related recipes
- CVE-2025-3248 Langflow validate/code RCE
- CVE-2026-27494 n8n Python Code node sandbox escape
- Browser agent boundary
References
- GitHub Advisory: https://github.com/advisories/GHSA-v38x-c887-992f
- NVD CVE: https://nvd.nist.gov/vuln/detail/CVE-2026-41265
- Flowise project: https://github.com/FlowiseAI/Flowise