CVE-2026-41265 - Flowise Airtable Agent code injection RCE
Flowise versions 3.0.13 and earlier allow remote code execution through the
Airtable Agent node. The node asks an LLM to generate Python code for a pandas
dataframe, validates that generated code with deny-list patterns, then executes
it in a Pyodide runtime on the Flowise server.
The advisory describes several ways attacker-controlled content can shape the generated Python: direct prompts sent to a vulnerable chatflow, an attacker-run model endpoint configured by an authenticated user, or prompt-injection text in Airtable data and column names. Because the validator was bypassable, generated code could reach OS command execution in the context of the Flowise server.
Affected versions
- Vulnerable: `flowise <=3.0.13`
- Vulnerable: `flowise-components <=3.0.13`
- Fixed: `flowise 3.1.0+` and `flowise-components 3.1.0+`
- Affected component: Airtable Agent node code generation and evaluation.
Indicator-of-exposure
- The repository deploys, builds, or documents Flowise `<=3.0.13`.
- A chatflow uses the Airtable Agent node.
- Prediction or internal-prediction endpoints are reachable by untrusted users, unauthenticated users, public chat embeds, webhooks, or tenant-controlled integrations.
- Authenticated users can create chatflows that point to arbitrary model servers or attacker-controlled Airtable data.
- The Flowise process has access to LLM provider keys, Airtable tokens, source repositories, internal services, cloud credentials, or writable deployment storage.
Quick checks:
rg -n "flowise|flowise-components|AirtableAgent|Airtable_Agents|validatePythonCodeForDataFrame|pyodide|internal-prediction|/api/v1/prediction" .
npm ls flowise flowise-components
pnpm why flowise flowise-components
yarn why flowise flowise-components
rg -n "Airtable Agent|airtable.*agent|chatflow|prediction|FLOWISE|FLOWISE_USERNAME|FLOWISE_PASSWORD" Dockerfile* docker-compose*.yml charts deploy k8s .github .
Remediation strategy
- Upgrade `flowise` and `flowise-components` to `3.1.0+` everywhere this repository controls package manifests, lockfiles, images, or deployment manifests.
- Until the fixed version is deployed, disable Airtable Agent nodes and block public or tenant prediction routes for chatflows containing that node.
- Prevent untrusted users from configuring arbitrary model endpoints, Airtable bases, or chatflows that can trigger server-side generated-code evaluation.
- Treat LLM-generated code as untrusted code. Prefer removing server-side eval of generated Python; otherwise enforce a positive AST-level allow-list and run evaluation in a constrained, no-network, no-filesystem sandbox.
- Rotate Flowise, Airtable, model provider, and runtime credentials if exposed chatflows could have reached the vulnerable node.
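A positive AST-level allow-list of the kind the remediation list calls for, shown as an added sketch rather than Flowise's own validator or the upstream fix. The names `ALLOWED_NODES`, `ALLOWED_ATTRS`, `ALLOWED_FUNCS` and `violations` are hypothetical, the permitted pandas surface is an assumed policy, and the code assumes Python 3.9+ AST shapes.

```python
import ast

# Assumed policy for this sketch: dataframe expressions built only from these pieces.
ALLOWED_NODES = (
    ast.Module, ast.Expr, ast.Assign, ast.Name, ast.Load, ast.Store,
    ast.Constant, ast.Attribute, ast.Subscript, ast.Slice, ast.Call,
    ast.keyword, ast.List, ast.Tuple, ast.BinOp, ast.UnaryOp, ast.BoolOp,
    ast.Compare, ast.operator, ast.unaryop, ast.boolop, ast.cmpop,
)
# String-evaluating helpers such as .eval and .query are deliberately absent.
ALLOWED_ATTRS = {"mean", "sum", "count", "min", "max", "median", "nunique",
                 "head", "sort_values", "groupby", "value_counts", "shape"}
ALLOWED_FUNCS = {"len", "round"}
BASE_NAMES = {"df"} | ALLOWED_FUNCS


def violations(code, max_len=2000):
    """Return reasons to reject generated code; an empty list means accept."""
    if len(code) > max_len:
        return ["code too long"]
    try:
        nodes = list(ast.walk(ast.parse(code, mode="exec")))
    except (SyntaxError, ValueError) as exc:
        return [f"unparseable: {exc}"]
    # Names the snippet itself assigns may be read back; nothing else may.
    known = BASE_NAMES | {n.id for n in nodes
                          if isinstance(n, ast.Name) and isinstance(n.ctx, ast.Store)}
    problems = []
    for node in nodes:
        if not isinstance(node, ALLOWED_NODES):
            # Imports, lambdas, comprehensions, f-strings, defs and so on land here.
            problems.append(f"node {type(node).__name__} not allowed")
        elif isinstance(node, ast.Attribute) and node.attr not in ALLOWED_ATTRS:
            problems.append(f"attribute .{node.attr} not allowed")
        elif isinstance(node, ast.Name) and node.id not in known:
            problems.append(f"name {node.id} not allowed")
        elif isinstance(node, ast.Assign) and not all(
                isinstance(t, ast.Name) for t in node.targets):
            problems.append("assignment target must be a plain name")
        elif isinstance(node, ast.Call) and not (
                isinstance(node.func, ast.Attribute)
                or (isinstance(node.func, ast.Name) and node.func.id in ALLOWED_FUNCS)):
            problems.append("call target not allowed")
    return problems


if __name__ == "__main__":
    # Constructed samples, not taken from the advisory.
    for sample in ("result = df[df['Status'] == 'Open']['Amount'].mean()",
                   "import os", "df.__class__", "df.eval('Amount * 2')"):
        print(sample, "->", violations(sample) or "accepted")
```

Anything the policy does not name is rejected, so a new Python feature or pandas method fails closed instead of slipping past a pattern list. The check narrows what reaches the evaluator; it does not replace the no-network, no-filesystem sandbox.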
The prompt
Model context: this prompt was generated by GPT 5.5 Extra High reasoning.
You are remediating CVE-2026-41265 (Flowise Airtable Agent code injection
remote code execution). Produce exactly one output:
- A reviewer-ready PR/change request that upgrades Flowise, disables exposed
Airtable Agent execution until patched, adds regression coverage, and
documents operator cleanup, or
- TRIAGE.md if this repository does not own an affected Flowise deployment or
cannot make a safe change.
## Rules
- Scope only CVE-2026-41265 / GHSA-v38x-c887-992f.
- Treat Flowise credentials, Airtable tokens, LLM provider keys, chatflow
payloads, prompt logs, generated Python, environment variables, and workspace
files as sensitive.
- Do not run exploit payloads, reverse shells, shell commands, or attacker-like
generated Python against production, staging, shared dev, or real Flowise
instances.
- Do not rely on LLM prompt instructions or string deny-lists as the only
security control for generated code.
- Do not auto-merge.
## Steps
1. Inventory every Flowise runtime controlled by this repository:
`package.json`, lockfiles, Dockerfiles, compose files, Helm charts,
Kubernetes manifests, Terraform, Ansible, CI images, SBOMs, seed chatflows,
exported chatflow JSON, environment templates, and runbooks.
2. Determine every resolved `flowise` and `flowise-components` version. A target
is vulnerable if either package resolves to `<=3.0.13`.
3. Search for Airtable Agent exposure:
- Airtable Agent nodes in exported chatflows;
- public chat embeds or unauthenticated prediction routes;
- tenant-controlled chatflow creation;
- arbitrary model-server configuration;
- Airtable table, column, or prompt content that can reach generated Python.
4. If this repository does not deploy Flowise or only contains unrelated client
code, stop with `TRIAGE.md` listing files checked and the runtime owner.
5. Upgrade all controlled Flowise packages and images to `3.1.0+`. Regenerate
lockfiles, image digests, SBOMs, and deployment render output.
6. Add containment where this repo controls it:
- disable Airtable Agent chatflows until every runtime is patched;
- block public prediction calls to vulnerable chatflows at the API gateway;
- restrict chatflow creation and model endpoint configuration to trusted
administrators;
- fail closed if node type or Flowise version cannot be determined.
7. Add regression tests or policy checks that do not execute system commands:
- vulnerable package versions are rejected by dependency policy;
- Airtable Agent chatflows cannot be publicly exposed on vulnerable
versions;
- generated Python containing imports, attribute tricks, file access,
subprocess/system calls, or network access is rejected before execution;
- the evaluator is disabled, sandboxed, or upgraded according to the fixed
runtime contract.
8. Add operator hardening:
- least-privilege Flowise service identity;
- no cloud or deployment-admin credentials in the Flowise process;
- egress restrictions for Flowise workers;
- secret redaction in chatflow, prompt, and generated-code logs.
9. Add a PR body section named `CVE-2026-41265 operator actions` that states:
- Flowise versions before and after the change;
- whether any Airtable Agent chatflow was public or tenant reachable;
- which Airtable, LLM provider, Flowise, and runtime credentials require
rotation;
- which Flowise prediction logs and process logs should be reviewed for
rejected generated code or suspicious child processes;
- any temporary route block or feature disablement still in place.
10. Run relevant validation: package install, lockfile integrity, unit/API
tests, chatflow import checks, gateway policy tests, image build, deployment
diff, SBOM refresh, and dependency/security scans available in this repo.
11. Use PR title:
`fix(sec): remediate CVE-2026-41265 in Flowise Airtable Agent`.
## Stop conditions
- No affected Flowise runtime is controlled by this repository.
- A fixed Flowise version cannot be consumed without a broader migration.
- The product intentionally depends on public Airtable Agent chatflows executing
LLM-generated Python; document the risk and require a product/security
decision.
- Verification would require executing attacker-controlled code or commands.
- Validation fails for unrelated pre-existing reasons; document those failures
instead of broadening scope.
Verification - what the reviewer looks for
- No controlled package, lockfile, image, SBOM, or deployment target resolves `flowise` or `flowise-components` to `<=3.0.13`.
- Airtable Agent chatflows are disabled, admin-only, or fixed before they are reachable by untrusted prompts.
- Tests or policy checks prove generated Python cannot import modules, open files, spawn commands, or reach network/system APIs.
- Gateway or feature-flag containment exists for non-atomic rollouts.
- Operator actions cover credential rotation and log review when exposure was possible.
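A dependency-policy check for the first verification item, as an added example that is not part of the original page or the Flowise project. It reads the `packages` map of an npm `package-lock.json` (lockfileVersion 2 or 3), includes nested copies, and fails closed on pre-release or unparseable versions; the function names and the sample lockfile (including `some-plugin`) are constructed for illustration.

```python
import json
import re

FIXED = (3, 1, 0)  # first fixed release as stated on this page
TARGETS = {"flowise", "flowise-components"}
SEMVER = re.compile(r"(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?")


def package_name(lock_path):
    """'node_modules/a/node_modules/flowise-components' -> 'flowise-components'."""
    return lock_path.rpartition("node_modules/")[2]


def is_fixed(version):
    """True only for a release >= 3.1.0; anything unclear is treated as unfixed."""
    m = SEMVER.fullmatch(version or "")
    if not m:
        return False
    core = tuple(int(part) for part in m.group(1, 2, 3))
    if m.group(4):  # a pre-release sorts before the release it precedes
        return core > FIXED
    return core >= FIXED


def find_unfixed(lock_text):
    """Return sorted (lockfile path, version) pairs that violate the policy."""
    packages = json.loads(lock_text).get("packages", {})
    return sorted(
        (path, meta.get("version"))
        for path, meta in packages.items()
        if package_name(path) in TARGETS and not is_fixed(meta.get("version"))
    )


# Constructed lockfile: top-level packages are fixed, two nested copies are not.
SAMPLE_LOCK = json.dumps({
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app"},
        "node_modules/flowise": {"version": "3.1.0"},
        "node_modules/flowise-components": {"version": "3.1.0"},
        "node_modules/flowise/node_modules/flowise-components": {"version": "3.0.13"},
        "node_modules/some-plugin/node_modules/flowise-components": {"version": "3.1.0-rc.1"},
    },
})

if __name__ == "__main__":
    for path, version in find_unfixed(SAMPLE_LOCK):
        print(f"unfixed: {path} @ {version}")
```

A lockfile check only covers what npm resolved for this manifest; image layers and global installs need the same version test run against their own `node_modules` trees.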
Watch for
- Upgrading the Flowise app package while old `flowise-components` code remains in an image layer or global npm install.
- Treating authenticated chatflow authors as trusted when tenants can configure model endpoints or Airtable data.
- Leaving public prediction routes enabled for old exported chatflows.
- Logging full generated Python, Airtable data, or provider credentials during debugging.
References
- GitHub Advisory: https://github.com/advisories/GHSA-v38x-c887-992f
- NVD CVE: https://nvd.nist.gov/vuln/detail/CVE-2026-41265
- Flowise project: https://github.com/FlowiseAI/Flowise