Flowise fixes multiple flaws enabling RCE, tenant abuse, and API credit theft
Flowise disclosed and fixed a cluster of high-severity vulnerabilities in versions prior to 3.1.0, including multiple paths to remote code execution. The most serious issues affect the platform's CSV and Airtable agent components, where unsanitized user input or LLM-generated Python code could be evaluated without proper sandboxing. Advisories for CVE-2026-41137, CVE-2026-41264, CVE-2026-41138, and CVE-2026-41265 describe authenticated and unauthenticated attack paths that let attackers inject malicious payloads through chatflows or agent inputs and execute code on the Flowise server, with potential impact to confidentiality, integrity, and availability.
Flowise 3.1.0 also addresses non-RCE flaws that could expose multi-tenant environments and consume third-party service credits. CVE-2026-41279 affects the unauthenticated text-to-speech endpoint at POST /api/v1/text-to-speech/generate, which could accept an arbitrary credentialId and use decrypted stored credentials such as OpenAI or ElevenLabs API keys to generate speech, enabling API credit abuse. In Flowise Cloud, CVE-2026-41267 allows improper mass assignment during account registration, letting unauthenticated attackers inject server-managed fields and manipulate organization associations, ownership metadata, timestamps, and role mappings across tenants. Organizations running Flowise or Flowise Cloud should upgrade to 3.1.0 and review exposed chatflows, stored credentials, and tenant registration controls.
Timeline
Apr 23, 2026
CVE records are received or updated with scoring and references
On April 23, 2026, CVE records were received or updated to add descriptions, CVSS vectors, CWE mappings, and GitHub advisory references. The content explicitly notes update activity for CVE-2026-41137 and CVE-2026-41265 on that date.
Apr 23, 2026
Multiple Flowise CVEs and GitHub advisories are published
Several vulnerabilities affecting Flowise and Flowise Cloud were publicly disclosed, including CVE-2026-41137, CVE-2026-41138, CVE-2026-41264, CVE-2026-41265, CVE-2026-41267, and CVE-2026-41279. The disclosures documented authenticated and unauthenticated RCE paths, tenant-association manipulation, and API credit abuse via stored credentials.
Apr 23, 2026
Flowise releases version 3.1.0 with fixes for multiple vulnerabilities
Flowise fixed several security flaws in version 3.1.0, including CSVAgent and Airtable agent remote code execution issues, an unauthenticated text-to-speech credential abuse flaw, and a Flowise Cloud account registration mass-assignment issue. All referenced advisories describe affected versions as prior to 3.1.0.
Feb 26, 2026
ZDI reports Flowise Airtable agent RCE to vendor
Trend Micro's Zero Day Initiative reported CVE-2026-41265, an unauthenticated remote code execution flaw in Flowise's Airtable_Agent component, to the vendor through coordinated disclosure. The issue allowed arbitrary Python code execution via improper validation in the run method and was credited to Dre Cura and Nicholas Zubrisky.
See the full picture in Mallory
Mallory subscribers get deeper analysis on every story, including:
Who’s affected and how
Deep-dive technical analysis
Actionable next steps for your team
IPs, domains, hashes, and more
Ask questions and take action on every story
Filter by topic, classification, timeframe
Get matching stories delivered automatically
Related Entities
Vulnerabilities
Organizations
Affected Products
Sources
3 more from sources like cvefeed high severity and zdi published advisories
Related Stories
Active Exploitation of Flowise CustomMCP RCE Exposes Thousands of Internet-Facing Instances
Threat actors are actively exploiting **CVE-2025-59528**, a **CVSS 10.0** remote code execution flaw in the open-source AI platform **Flowise**. The bug affects Flowise versions through **3.0.5** and stems from the `CustomMCP` node unsafely passing user-controlled input into JavaScript execution, allowing attackers with an API token to run arbitrary code with full **Node.js** runtime privileges. Researchers said the issue can be triggered remotely via a crafted HTTP `POST` request without user interaction, leading to operating system command execution, filesystem access, sensitive data theft, and full system compromise. Security researchers observed in-the-wild exploitation originating from a single **Starlink IP address**, while warning that roughly **12,000 to 15,000** internet-exposed Flowise instances sharply expand the attack surface for opportunistic attacks. Flowise disclosed the vulnerability in 2025, credited researcher **Kim SooHyun**, and patched the flaw in **version 3.0.6**. The incident marks the third Flowise vulnerability reported as exploited in the wild after **CVE-2025-8943** and **CVE-2025-26319**, increasing pressure on organizations to upgrade immediately and limit public exposure of Flowise APIs.
1 weeks ago
Critical Flowise RCE Vulnerability CVE-2025-61913 Enables Arbitrary File Read and Write
A critical remote code execution vulnerability, tracked as CVE-2025-61913, has been identified in Flowise, a drag-and-drop user interface for building customized large language model flows. The flaw exists in versions prior to 3.0.8 and is caused by insufficient restrictions in the WriteFileTool and ReadFileTool components, which fail to properly validate file path access. This oversight allows authenticated attackers to read and write arbitrary files to any location on the file system, significantly increasing the risk of remote code execution. The vulnerability has been assigned a CVSS score of 10.0, indicating its maximum severity and potential for exploitation. According to security advisories, the issue can be exploited remotely, making it a high-priority concern for organizations using affected versions of Flowise. The vulnerability was publicly disclosed on October 8, 2025, and a security update was released in version 3.0.8 to address the issue. Attackers leveraging this flaw could gain unauthorized access to sensitive files, modify system configurations, or deploy malicious payloads, potentially leading to full system compromise. The vulnerability affects all installations of Flowise prior to the patched version, though the exact list of affected products and vendors has not been fully enumerated. Security researchers emphasize the critical nature of the flaw due to the ease of exploitation and the broad impact on confidentiality, integrity, and availability. Organizations are strongly advised to upgrade to Flowise version 3.0.8 or later to mitigate the risk. The vulnerability was reported through GitHub security advisories, highlighting the importance of monitoring open-source project disclosures. No evidence of active exploitation in the wild has been reported as of the disclosure date, but the public availability of technical details increases the urgency for remediation. The flaw underscores the risks associated with insufficient input validation in file handling components of web applications. Security teams should review their deployment of Flowise and apply the necessary patches without delay. In addition to patching, organizations should audit access logs for signs of suspicious file operations that could indicate attempted exploitation. The incident serves as a reminder of the critical need for secure coding practices and regular vulnerability assessments in software development.
1 months ago
Critical MLflow Vulnerabilities Enable Authentication Bypass and RCE
**MLflow** disclosed and patched multiple high-severity vulnerabilities affecting deployments of the MLflow platform, including an **authentication bypass due to default credentials** in `basic_auth.ini` tracked as **CVE-2026-2635** (ZDI-26-111). The issue allows **unauthenticated remote attackers** to bypass authentication and potentially **execute arbitrary code with administrator context**; ZDI scored it **CVSS 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)** and credited the finding to **Peter Girnus (@gothburz)** via Trend Micro’s **Zero Day Initiative (ZDI)**. A separate MLflow Tracking Server flaw, **CVE-2026-2033**, enables **directory traversal leading to remote code execution** via improper validation of user-supplied artifact file paths in the artifact handler. Exploitation requires no authentication and can result in code execution in the context of the MLflow service account. Both issues reference the same upstream remediation in MLflow (`https://github.com/mlflow/mlflow/pull/19260`) and were published through ZDI advisories (including **ZDI-26-111** for CVE-2026-2635 and **ZDI-26-105** for CVE-2026-2033), indicating coordinated fixes are available and should be prioritized for exposed MLflow instances.
1 months ago