CVE-2026-41265 - Flowise Airtable Agent code injection RCE

Flowise versions 3.0.13 and earlier allow remote code execution through the Airtable Agent node. The node asks an LLM to generate Python code for a pandas dataframe, validates that generated code with deny-list patterns, then executes it in a Pyodide runtime on the Flowise server.

The advisory describes several ways attacker-controlled content can shape the generated Python: direct prompts sent to a vulnerable chatflow, an attacker-run model endpoint configured by an authenticated user, or prompt-injection text in Airtable data and column names. Because the validator was bypassable, generated code could reach OS command execution in the context of the Flowise server.

Affected versions

  • Vulnerable: flowise <=3.0.13
  • Vulnerable: flowise-components <=3.0.13
  • Fixed: flowise 3.1.0+ and flowise-components 3.1.0+
  • Affected component: Airtable Agent node code generation and evaluation.

Indicator-of-exposure

  • The repository deploys, builds, or documents Flowise <=3.0.13.
  • A chatflow uses the Airtable Agent node.
  • Prediction or internal-prediction endpoints are reachable by untrusted users, unauthenticated users, public chat embeds, webhooks, or tenant-controlled integrations.
  • Authenticated users can create chatflows that point to arbitrary model servers or attacker-controlled Airtable data.
  • The Flowise process has access to LLM provider keys, Airtable tokens, source repositories, internal services, cloud credentials, or writable deployment storage.

Quick checks:

rg -n "flowise|flowise-components|AirtableAgent|Airtable_Agents|validatePythonCodeForDataFrame|pyodide|internal-prediction|/api/v1/prediction" .
npm ls flowise flowise-components
pnpm why flowise flowise-components
yarn why flowise flowise-components
rg -n "Airtable Agent|airtable.*agent|chatflow|prediction|FLOWISE|FLOWISE_USERNAME|FLOWISE_PASSWORD" Dockerfile* docker-compose*.yml charts deploy k8s .github .

Remediation strategy

  • Upgrade flowise and flowise-components to 3.1.0+ everywhere this repository controls package manifests, lockfiles, images, or deployment manifests.
  • Until the fixed version is deployed, disable Airtable Agent nodes and block public or tenant prediction routes for chatflows containing that node.
  • Prevent untrusted users from configuring arbitrary model endpoints, Airtable bases, or chatflows that can trigger server-side generated-code evaluation.
  • Treat LLM-generated code as untrusted code. Prefer removing server-side eval of generated Python; otherwise enforce a positive AST-level allow-list and run evaluation in a constrained, no-network, no-filesystem sandbox.
  • Rotate Flowise, Airtable, model provider, and runtime credentials if exposed chatflows could have reached the vulnerable node.

The prompt

Model context: this prompt was generated by GPT 5.5 Extra High reasoning.

You are remediating CVE-2026-41265 (Flowise Airtable Agent code injection
remote code execution). Produce exactly one output:

- A reviewer-ready PR/change request that upgrades Flowise, disables exposed
  Airtable Agent execution until patched, adds regression coverage, and
  documents operator cleanup, or
- TRIAGE.md if this repository does not own an affected Flowise deployment or
  cannot make a safe change.

## Rules

- Scope only CVE-2026-41265 / GHSA-v38x-c887-992f.
- Treat Flowise credentials, Airtable tokens, LLM provider keys, chatflow
  payloads, prompt logs, generated Python, environment variables, and workspace
  files as sensitive.
- Do not run exploit payloads, reverse shells, shell commands, or attacker-like
  generated Python against production, staging, shared dev, or real Flowise
  instances.
- Do not rely on LLM prompt instructions or string deny-lists as the only
  security control for generated code.
- Do not auto-merge.

## Steps

1. Inventory every Flowise runtime controlled by this repository:
   `package.json`, lockfiles, Dockerfiles, compose files, Helm charts,
   Kubernetes manifests, Terraform, Ansible, CI images, SBOMs, seed chatflows,
   exported chatflow JSON, environment templates, and runbooks.
2. Determine every resolved `flowise` and `flowise-components` version. A target
   is vulnerable if either package resolves to `<=3.0.13`.
3. Search for Airtable Agent exposure:
   - Airtable Agent nodes in exported chatflows;
   - public chat embeds or unauthenticated prediction routes;
   - tenant-controlled chatflow creation;
   - arbitrary model-server configuration;
   - Airtable table, column, or prompt content that can reach generated Python.
4. If this repository does not deploy Flowise or only contains unrelated client
   code, stop with `TRIAGE.md` listing files checked and the runtime owner.
5. Upgrade all controlled Flowise packages and images to `3.1.0+`. Regenerate
   lockfiles, image digests, SBOMs, and deployment render output.
6. Add containment where this repo controls it:
   - disable Airtable Agent chatflows until every runtime is patched;
   - block public prediction calls to vulnerable chatflows at the API gateway;
   - restrict chatflow creation and model endpoint configuration to trusted
     administrators;
   - fail closed if node type or Flowise version cannot be determined.
7. Add regression tests or policy checks that do not execute system commands:
   - vulnerable package versions are rejected by dependency policy;
   - Airtable Agent chatflows cannot be publicly exposed on vulnerable
     versions;
   - generated Python containing imports, attribute tricks, file access,
     subprocess/system calls, or network access is rejected before execution;
   - the evaluator is disabled, sandboxed, or upgraded according to the fixed
     runtime contract.
8. Add operator hardening:
   - least-privilege Flowise service identity;
   - no cloud or deployment-admin credentials in the Flowise process;
   - egress restrictions for Flowise workers;
   - secret redaction in chatflow, prompt, and generated-code logs.
9. Add a PR body section named `CVE-2026-41265 operator actions` that states:
   - Flowise versions before and after the change;
   - whether any Airtable Agent chatflow was public or tenant reachable;
   - which Airtable, LLM provider, Flowise, and runtime credentials require
     rotation;
   - which Flowise prediction logs and process logs should be reviewed for
     rejected generated code or suspicious child processes;
   - any temporary route block or feature disablement still in place.
10. Run relevant validation: package install, lockfile integrity, unit/API
    tests, chatflow import checks, gateway policy tests, image build, deployment
    diff, SBOM refresh, and dependency/security scans available in this repo.
11. Use PR title:
    `fix(sec): remediate CVE-2026-41265 in Flowise Airtable Agent`.

## Stop conditions

- No affected Flowise runtime is controlled by this repository.
- A fixed Flowise version cannot be consumed without a broader migration.
- The product intentionally depends on public Airtable Agent chatflows executing
  LLM-generated Python; document the risk and require a product/security
  decision.
- Verification would require executing attacker-controlled code or commands.
- Validation fails for unrelated pre-existing reasons; document those failures
  instead of broadening scope.

Verification - what the reviewer looks for

  • No controlled package, lockfile, image, SBOM, or deployment target resolves flowise or flowise-components to <=3.0.13.
  • Airtable Agent chatflows are disabled, admin-only, or fixed before they are reachable by untrusted prompts.
  • Tests or policy checks prove generated Python cannot import modules, open files, spawn commands, or reach network/system APIs.
  • Gateway or feature-flag containment exists for non-atomic rollouts.
  • Operator actions cover credential rotation and log review when exposure was possible.

Watch for

  • Upgrading the Flowise app package while old flowise-components code remains in an image layer or global npm install.
  • Treating authenticated chatflow authors as trusted when tenants can configure model endpoints or Airtable data.
  • Leaving public prediction routes enabled for old exported chatflows.
  • Logging full generated Python, Airtable data, or provider credentials during debugging.
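
A dependency-policy check for the version requirement and the nested-copy pitfall above, as an added example that is not from the advisory or the Flowise project. It assumes the npm lockfile v2/v3 `packages` map; the lockfile fragment and the app name in it are constructed.

```python
import re

AFFECTED = ("flowise", "flowise-components")
LAST_VULNERABLE = (3, 0, 13)  # advisory: <=3.0.13 is vulnerable
FIRST_FIXED = (3, 1, 0)       # advisory: 3.1.0+ is fixed


def parse_version(text):
    """Return (major, minor, patch) for a plain release version, else None."""
    match = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", str(text or ""))
    return tuple(int(part) for part in match.groups()) if match else None


def audit_lockfile(lock: dict) -> dict:
    """Map every lockfile path installing an affected package to a verdict."""
    findings = {}
    for path, meta in lock.get("packages", {}).items():
        # "node_modules/a/node_modules/b" installs package "b" nested under "a".
        name = path.rpartition("node_modules/")[2]
        if name not in AFFECTED:
            continue
        version = parse_version(meta.get("version"))
        if version is not None and version >= FIRST_FIXED:
            findings[path] = "fixed"
        elif version is not None and version <= LAST_VULNERABLE:
            findings[path] = "vulnerable"
        else:
            findings[path] = "undetermined"  # pre-release, tag, or missing
    return findings


def policy_passes(lock: dict) -> bool:
    """Fail closed: every affected entry must be positively known as fixed."""
    return all(verdict == "fixed" for verdict in audit_lockfile(lock).values())


# Constructed lockfile fragment: patched top-level package, stale nested copy.
SAMPLE_LOCK = {"packages": {
    "": {"name": "constructed-app"},
    "node_modules/flowise": {"version": "3.1.0"},
    "node_modules/flowise/node_modules/flowise-components": {"version": "3.0.13"},
    "node_modules/flowise-components": {"version": "3.1.0-rc.1"},
}}

if __name__ == "__main__":
    for path, verdict in audit_lockfile(SAMPLE_LOCK).items():
        print(f"{verdict:13} {path}")
    print("policy passes:", policy_passes(SAMPLE_LOCK))
```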

References