ZCyberNews

Flowise RCE Vulnerability CVE-2026-41265 Carries CVSS 9.8

CVE-2026-41265 in Flowise Airtable_Agent allows unauthenticated remote code execution with CVSS 9.8. ZDI advisory details code injection in default installations.

Executive Summary

A critical remote code execution vulnerability, tracked as CVE-2026-41265, has been disclosed in Flowise, the open-source low-code platform for building LLM applications. The flaw resides in the Airtable_Agent component and carries a CVSS score of 9.8, according to a Zero Day Initiative (ZDI) advisory published today. Exploitation requires no authentication and can be carried out remotely, putting all default Flowise installations at immediate risk of full compromise.

Technical Analysis

The vulnerability is a code injection flaw in Flowise's Airtable_Agent, a node that integrates Airtable data into AI workflows. According to ZDI-26-307, the issue stems from insufficient validation of user-supplied input passed to the agent. An attacker can send a specially crafted request to the Flowise API endpoint handling Airtable_Agent operations, causing the server to execute arbitrary code in the context of the application process.

ZDI's advisory notes that the attack surface is broadened by the fact that Flowise, by default, exposes its API without requiring authentication. This means any network-reachable Flowise instance — whether deployed on-premises, in a cloud VM, or as part of a containerized environment — is vulnerable to exploitation. The CVSS 9.8 rating reflects the combination of network attack vector, low attack complexity, no privileges required, and no user interaction.

Flowise is widely used by developers and organizations to rapidly prototype and deploy AI agents, chatbots, and data pipelines. The Airtable_Agent is a popular node for connecting language models to structured data in Airtable bases. The code injection vector likely involves the agent's internal query builder or data transformation functions that fail to sanitize inputs before passing them to an interpreter or shell.

ZDI has not published a proof-of-concept exploit at this time, but the technical details in the advisory are sufficient for skilled attackers to develop one. The vulnerability affects all versions of Flowise prior to the patch that addresses CVE-2026-41265.

Mitigations & Recommendations

Defenders should immediately identify all Flowise instances in their environment and apply the vendor's patched version as soon as it becomes available. Flowise maintainers have not yet released a public advisory or patch version as of this writing. Until a fix is deployed, organizations should isolate Flowise servers from untrusted networks, restrict API access to authenticated users via a reverse proxy or firewall rules, and monitor for anomalous API calls targeting Airtable_Agent endpoints.
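The monitoring step above, as an added example that is not part of the original article or the Flowise project: a small triage script that reads access-log lines from a reverse proxy placed in front of Flowise and flags Airtable_Agent requests that arrive unauthenticated or from outside an allowlisted network. The log format (JSON lines with `ts`, `src`, `method`, `path`, `status`, `auth`), the `/api/placeholder/...` route prefix, the `Airtable_Agent` path marker and the `10.0.0.0/8` trusted range are all assumptions; the advisory text gives no concrete route, so the marker is a stand-in for whatever path your deployment actually uses.

```python
"""Triage reverse-proxy access logs for suspicious Flowise Airtable_Agent calls.

Added example, not Flowise code. Assumptions (not from the advisory):
- the proxy writes one JSON object per request with the fields used below;
- Airtable_Agent operations carry AGENT_PATH_MARKER somewhere in the URL path
  ("/api/placeholder/..." is a constructed prefix, not the real Flowise route);
- legitimate clients all live inside TRUSTED_NETS.
"""
import ipaddress
import json
from collections import Counter

AGENT_PATH_MARKER = "Airtable_Agent"                  # assumed path marker
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]   # assumed internal client range

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = """\
{"ts": "2026-01-10T09:00:01Z", "src": "10.0.4.12", "method": "POST", "path": "/api/placeholder/Airtable_Agent", "status": 200, "auth": true}
{"ts": "2026-01-10T09:00:07Z", "src": "203.0.113.45", "method": "POST", "path": "/api/placeholder/Airtable_Agent", "status": 200, "auth": false}
{"ts": "2026-01-10T09:00:09Z", "src": "10.0.4.12", "method": "GET", "path": "/api/placeholder/chatflows", "status": 200, "auth": true}
{"ts": "2026-01-10T09:00:15Z", "src": "198.51.100.7", "method": "POST", "path": "/api/placeholder/Airtable_Agent", "status": 500, "auth": true}
"""


def is_trusted(src: str) -> bool:
    """True when the client address falls inside an allowlisted network."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_NETS)


def classify(entry: dict) -> list[str]:
    """Return the reasons an Airtable_Agent request looks suspicious.

    Requests to other paths return an empty list; so do agent requests that are
    both authenticated and from a trusted source.
    """
    if AGENT_PATH_MARKER not in entry.get("path", ""):
        return []
    reasons = []
    if not entry.get("auth", False):
        reasons.append("unauthenticated")
    if not is_trusted(entry.get("src", "")):
        reasons.append("untrusted_source")
    return reasons


def triage(log_text: str) -> list[dict]:
    """Parse JSON-lines log text and collect every flagged agent request."""
    findings = []
    for raw in log_text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        try:
            entry = json.loads(raw)
        except json.JSONDecodeError:
            # A line the proxy could not serialise is itself worth a look.
            findings.append({"ts": None, "src": None, "path": None,
                             "reasons": ["unparseable_line"], "raw": raw})
            continue
        reasons = classify(entry)
        if reasons:
            findings.append({"ts": entry.get("ts"), "src": entry.get("src"),
                             "path": entry.get("path"), "reasons": reasons})
    return findings


def hits_by_source(findings: list[dict]) -> Counter:
    """Count flagged requests per client address, to spot repeat callers."""
    return Counter(f["src"] for f in findings if f["src"])


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"{f['ts']} {f['src']} {f['path']} -> {', '.join(f['reasons'])}")
    print(dict(hits_by_source(results)))
```

Point the script at the proxy's real log and replace the marker and trusted range with values from your own deployment; a burst of `unauthenticated` hits on the agent path from a single external address is the pattern the interim controls above are meant to cut off.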

Given the CVSS 9.8 severity and the lack of authentication required, any Flowise instance exposed to the internet should be considered compromised until proven otherwise. Network segmentation and strict ingress controls are the most effective temporary mitigations.
