At a glance
- The issue: Two separate flaws in FlowiseAI's low-code LLM platform: (1) anyone on the network can drain your stored OpenAI / ElevenLabs / Azure / Google text-to-speech credits, and (2) attackers can break out of the Airtable Agent's Python sandbox and run code on the Flowise server.
- Who's affected: Any FlowiseAI deployment running flowise <= 3.0.13.
- What to do now: Upgrade to flowise 3.1.0. The same release closes both issues.
Executive Summary
Two distinct vulnerabilities disclosed on 2026-04-17 and 2026-04-18 against FlowiseAI's low-code LLM orchestration platform, flowise <= 3.0.13 on npm, expose different populations: (a) unauthenticated network-reachable attackers can abuse stored third-party TTS credentials (OpenAI, ElevenLabs, Azure, Google) via an auth-whitelisted endpoint that accepts arbitrary credential IDs (GHSA-5fw2-mwhh-9947 / CVE-2026-41279), and (b) attackers ranging from unauthenticated (via prompt injection on a public chatflow) to authenticated (via a malicious LLM endpoint or attacker-controlled Airtable table) can escape the Airtable Agent's Pyodide sandbox via Python import-aliasing (GHSA-v38x-c887-992f / CVE-2026-41265). Both are fixed in flowise 3.1.0, published to npm on 2026-03-16 (npm registry). GitHub scores the TTS issue as CVSS 4.0 8.2 High with CWE-639; GitHub scores the Airtable issue as CVSS 4.0 9.2 Critical with CWE-77 and CWE-184, while its CVSS 3.1 score is 9.8 Critical. Both records gained CVE IDs after the original 2026-04-20 validation pass, with NVD publication timestamps on 2026-04-23. This is the second advisory cluster in the 3.0.x line; RAXE's previous Flowise coverage documented a six-vulnerability cluster on the same release train.
Risk Rating
| Dimension | Rating | Detail |
|---|---|---|
| Severity | High-Critical | GHSA-v38x-c887-992f: 9.2 Critical CVSS 4.0 (vector carries AC:H and AT:P, which temper practical in-the-wild exploitability). GHSA-5fw2-mwhh-9947: 8.2 High CVSS 4.0. Both CNA-submitted by FlowiseAI. |
| Urgency | Moderate | Patch shipped 2026-03-16; public disclosure 2026-04-17 and 2026-04-18. Network-reachable surface but no KEV listing and no weaponised exploit published. |
| Scope | flowise <= 3.0.13 deployments | Any network-reachable Flowise instance on the pre-3.1.0 line is exposed to the TTS endpoint; Airtable sandbox escape requires an Airtable Agent node to be present in a chatflow. |
| Confidence | High | Root-cause code paths cited verbatim in the advisories and corroborated by npm publish metadata for the 3.1.0 fix. |
| Business Impact | High on affected instances | TTS abuse exhausts the victim's AI-provider API credits; Airtable escape yields arbitrary Python execution inside the Flowise server process. |
Affected Products
| Product | Affected Versions | Fixed Version | Status |
|---|---|---|---|
| flowise (npm) | <= 3.0.13 | 3.1.0 (published 2026-03-16) | Patched for both advisories (FlowiseAI via GHSA) |
| flowise-components (npm) | <= 3.0.13 | 3.1.0 (same publish date) | Patched for the Airtable Agent advisory only (FlowiseAI via GHSA) |
Am I affected?
- Check installation: run npm list flowise or inspect package.json / Dockerfile for the pinned version. flowise <= 3.0.13 is affected by both advisories; flowise-components <= 3.0.13 is affected by the Airtable Agent advisory.
- Check exposure, TTS: any Flowise deployment reachable from untrusted networks is exposed to the TTS credential abuse regardless of whether TTS features are consciously used; the endpoint is whitelisted and requires only knowledge of a valid credentialId (GHSA-5fw2-mwhh-9947).
- Check exposure, Airtable: deployments hosting a chatflow that contains an Airtable Agent node are exposed to the sandbox escape. Prompt injection on a public chatflow is sufficient; authentication is not required (GHSA-v38x-c887-992f).
Abstract
On 2026-04-17 and 2026-04-18, FlowiseAI published two independent security advisories against the same flowise <= 3.0.13 release line. GHSA-5fw2-mwhh-9947 / CVE-2026-41279 documents an unauthenticated endpoint at POST /api/v1/text-to-speech/generate that accepts a credentialId from the request body and invokes the corresponding stored TTS credential without verifying caller identity or credential ownership; affected TTS providers include OpenAI, ElevenLabs, Azure, and Google (GHSA-5fw2-mwhh-9947). GHSA-v38x-c887-992f / CVE-2026-41265 documents a sandbox escape in the Airtable Agent node: Python code is executed via pyodide.runPythonAsync after passing a regex-based import allowlist (validatePythonCodeForDataFrame), which fails against the aliasing pattern import pandas as np, os as pandas (GHSA-v38x-c887-992f). Both issues were fixed in flowise 3.1.0, published to npm on 2026-03-16 (npm registry). The original 2026-04-20 RAXE validation found no CVE IDs; the GitHub advisory records now list CVE-2026-41279 and CVE-2026-41265, each with nvd_published_at on 2026-04-23.
Key Findings
- The TTS endpoint is unauthenticated by design in affected versions. POST /api/v1/text-to-speech/generate is on Flowise's WHITELIST_URLS; the handler at packages/server/src/controllers/text-to-speech/index.ts (lines 58-64) reads credentialId from the request body and uses it without any ownership or authentication check (GHSA-5fw2-mwhh-9947).
- The Airtable sandbox was regex-gated, not semantically gated. The validatePythonCodeForDataFrame allowlist compares against the name of the module being imported, not the alias used to bind it, so import <mod> as <alias>, <disallowed> as <mod> aliases the disallowed module into the same symbol the regex already approved (GHSA-v38x-c887-992f).
- Three source-described methods reach the sandbox primitive. Prompt injection on a public chatflow (no auth required), authenticated chatflow creation with an attacker-operated LLM endpoint, and authenticated chatflow creation that points to an attacker-controlled Airtable table whose column names contain prompt injection. All terminate at pyodide.runPythonAsync executing attacker-chosen Python in the Flowise server process (GHSA-v38x-c887-992f).
- Fix strategies differ between the two issues. The Airtable fix in 3.1.0 is characterised as "disallowing imports outright", a blanket restriction rather than a regex improvement. The TTS fix's mechanism is not detailed in the public advisory beyond the version landing (GHSA-v38x-c887-992f; GHSA-5fw2-mwhh-9947).
- CVE status changed after the first validation pass. The GitHub Advisory API returned no CVE identifiers when this draft was first built on 2026-04-20; as of the 2026-04-27 re-validation, GHSA-5fw2-mwhh-9947 maps to CVE-2026-41279 and GHSA-v38x-c887-992f maps to CVE-2026-41265, with NVD publication timestamps on 2026-04-23 (GitHub Advisory API).
Attack Flow
Vulnerable: flowise <= 3.0.13 (+ flowise-components)
Path 1 — TTS credential abuse (unauthenticated)
Attacker → POST /api/v1/text-to-speech/generate
body { credentialId: <known>, text: <attacker text> }
Flowise → look up credential, call OpenAI/ElevenLabs/Azure/Google
Victim → API credits consumed on their account
Path 2 — Airtable sandbox escape (three sub-paths)
2a Prompt injection (no auth):
Attacker → public chatflow with Airtable Agent
prompt crafted so LLM emits: import pandas as np, <disallowed> as pandas
Flowise → validatePythonCodeForDataFrame regex passes
pyodide.runPythonAsync executes it
Outcome → attacker Python runs in Flowise server process
2b Authenticated chatflow:
Attacker → create chatflow; LLM endpoint = attacker-controlled
returns the aliased-import payload on every call
[same terminal as 2a]
2c Attacker-controlled Airtable table:
Authenticated attacker → create chatflow pointing the Airtable Agent
at an attacker-controlled Airtable table whose column names
contain prompt injection
LLM → reads column names into context, emits Python using them
[same terminal as 2a]
Technical Details
GHSA-5fw2-mwhh-9947, Unauthenticated TTS credential abuse
The vulnerable endpoint is POST /api/v1/text-to-speech/generate, handled at packages/server/src/controllers/text-to-speech/index.ts lines 58-64 (GHSA-5fw2-mwhh-9947). Flowise's authentication middleware maintains a WHITELIST_URLS set; requests to paths in that set skip authentication entirely. The TTS endpoint is a member of that set in affected versions (GHSA-5fw2-mwhh-9947).
The handler reads a credentialId string from the request body and passes it to the stored-credential lookup. The lookup resolves a configured third-party TTS provider credential (the advisory names OpenAI, ElevenLabs, Azure, and Google) and uses it to invoke that provider's synthesis API. Audio output is returned in the response. No authentication check, no ownership check, and no rate limit is performed against the caller (GHSA-5fw2-mwhh-9947).
Attacker prerequisite: knowledge of a valid credentialId. The advisory notes these are not enumerable by brute force (they are UUIDs) but references "Finding 2" as a companion credential-ID leak that makes exploitation "trivial" (GHSA-5fw2-mwhh-9947). RAXE could not identify the companion advisory inline as of 2026-04-20; the TTS exposure may or may not require chaining with another bug depending on whether an organisation's credentialId values have leaked through logs, support tickets, or the referenced companion issue.
CVSS 4.0: 8.2 High, AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N (GHSA-5fw2-mwhh-9947). CWE: CWE-639 Authorization Bypass Through User-Controlled Key: the endpoint accepts a client-supplied credentialId and uses it to invoke the associated credential without an ownership check (GHSA-5fw2-mwhh-9947). The Availability-only impact rating reflects that the attack consumes the victim's API credits but does not read or modify server-side data.
GHSA-v38x-c887-992f, Airtable Agent Pyodide sandbox escape
The Airtable Agent node at packages/components/nodes/agents/AirtableAgent/AirtableAgent.ts executes LLM-generated Python via pyodide.runPythonAsync(code). Before execution, validatePythonCodeForDataFrame() scans the code with a regex and rejects code that imports certain disallowed modules (GHSA-v38x-c887-992f).
The disclosed bypass is import aliasing:
import pandas as np, os as pandas
The regex looks at the first token on each side of each as; it sees pandas twice and passes the statement. Post-import, within the Pyodide context, the Python code has pandas rebound to the disallowed module's namespace (GHSA-v38x-c887-992f). pyodide.runPythonAsync then executes the rest of the LLM-emitted code, which can invoke any of the rebound module's attributes. The advisory does not publish downstream payloads; this publication does not expand beyond that.
CVSS 4.0: 9.2 Critical, AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N (GHSA-v38x-c887-992f). CWE: CWE-184 Incomplete List of Disallowed Inputs, precisely the class that a regex-based import allowlist belongs to (GHSA-v38x-c887-992f).
Three exploitation methods: see "Attack Flow" above. Only path 2a requires no authentication; paths 2b and 2c require an authenticated attacker position that can create or configure a chatflow.
Patch approach: 3.1.0 "disallows imports outright" inside the Pyodide sandbox rather than attempting to improve the regex (GHSA-v38x-c887-992f). RAXE regards this as the correct fix class: allowlisting via regex against import syntax is a known-fragile pattern; blanket denial within the sandbox context removes the attack class entirely (RAXE assessment).
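The difference between a syntax-level gate and a semantic one can be shown with Python's own parser. The following is an added example, not Flowise's code or the advisory's: the allowlist, the stand-in regex and all function names are assumptions made for illustration, and the aliased sample is the one-line pattern quoted above.

```python
import ast
import re

ALLOWED_MODULES = {"pandas", "numpy"}  # assumed allowlist, for illustration only

# Constructed stand-in for a syntax-level gate (not Flowise's regex):
# it inspects only the first module name after each `import` keyword.
FIRST_IMPORT = re.compile(r"^[ \t]*import[ \t]+(\w+)", re.MULTILINE)


def regex_gate_allows(code):
    """Return True when every import line *starts* with an allowed module."""
    return all(name in ALLOWED_MODULES for name in FIRST_IMPORT.findall(code))


def import_findings(code):
    """Walk the parsed AST and report what each import really binds."""
    try:
        tree = ast.parse(code)
    except SyntaxError as exc:
        return ["unparseable code: %s" % exc.msg]
    findings = []
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for alias in node.names:
                root = alias.name.split(".")[0]
                if root not in ALLOWED_MODULES:
                    findings.append("line %d: imports disallowed module %r" % (node.lineno, alias.name))
                if alias.asname in ALLOWED_MODULES and alias.asname != root:
                    findings.append("line %d: alias %r rebinds an allowed module name" % (node.lineno, alias.asname))
        elif isinstance(node, ast.ImportFrom):
            root = (node.module or "").split(".")[0]
            if node.level or root not in ALLOWED_MODULES:
                findings.append("line %d: from-import of disallowed module %r" % (node.lineno, node.module))
    return findings


def contains_any_import(code):
    """Blanket gate in the spirit of the 3.1.0 fix class: flag every import statement."""
    tree = ast.parse(code)
    return any(isinstance(n, (ast.Import, ast.ImportFrom)) for n in ast.walk(tree))


# Constructed samples; ALIASED is the one-line pattern quoted in the advisory.
BENIGN = "import pandas as pd\nresult = len(df)"
ALIASED = "import pandas as np, os as pandas"

if __name__ == "__main__":
    for label, code in (("benign", BENIGN), ("aliased", ALIASED)):
        print(label, "regex gate allows:", regex_gate_allows(code))
        for finding in import_findings(code):
            print("   ", finding)
```

The blanket gate also flags the benign sample, which is the trade-off of denying imports outright: modules the generated code needs have to be provided by the host before execution.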
Fix provenance
flowise@3.1.0 was published on npm at 2026-03-16T14:47:16.783Z; the last pre-patch release, 3.0.13, was published at 2026-02-03T14:06:55.481Z (npm registry, queried 2026-04-20). The flowise-components package shares the same 3.1.0 landing date. Both advisories were published approximately 32 days after the fix was on npm (GHSA-v38x-c887-992f publish 2026-04-18, GHSA-5fw2-mwhh-9947 publish 2026-04-17), a typical coordinated-disclosure window for GitHub Security Advisories.
Confidence & Validation
Assessment Confidence: High
| Aspect | Status | Detail |
|---|---|---|
| Vendor advisory | Confirmed × 2 | Both published by FlowiseAI via the GitHub Security Advisory workflow |
| CVE assigned | Confirmed | GHSA-5fw2-mwhh-9947 maps to CVE-2026-41279; GHSA-v38x-c887-992f maps to CVE-2026-41265. Both were NVD-published on 2026-04-23 after the original 2026-04-20 draft validation. |
| PoC available | Concept-level (TTS) / Pattern only (Airtable) | TTS: request-shape in advisory. Airtable: aliased-import pattern published; full PoC in vendor-protected ZIP |
| Patch available | Confirmed | flowise 3.1.0, npm publish 2026-03-16 |
| Exploited in wild | Not observed by RAXE | No KEV listing; no vendor statement of in-wild exploitation |
Detection Signatures
Full Sigma rules published in the finding directory as detection/flowise-post-patch-cluster.yml:
- Flowise TTS Endpoint Unauthenticated Credential Abuse: matches unauthenticated POST /api/v1/text-to-speech/generate carrying a credentialId body field.
- Flowise TTS Endpoint, Repeated credentialId From Single Source: correlation rule for sustained-abuse patterns (>10 requests to the same credentialId in 60 seconds from one IP).
- Flowise Airtable Agent Python Import Aliasing: behavioural precursor matching the documented aliased-import shape in LLM-emitted Python routed through the Airtable Agent.
- Flowise Node.js Unexpected Subprocess Spawn: host-telemetry post-exploit signal. On affected versions, a sandbox escape is the most likely cause of unusual subprocesses from the Flowise Node process.
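The correlation logic of the second rule (more than 10 requests to the same credentialId in 60 seconds from one IP) can be prototyped over request logs before the Sigma content is deployed. This is an added example, not the published rule: it assumes JSON-lines logs with ts, src_ip, method, path and credentialId fields (a log source that records the request body field), and the sample records are constructed.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

TTS_PATH = "/api/v1/text-to-speech/generate"
WINDOW = timedelta(seconds=60)
THRESHOLD = 10  # alert on more than 10 requests per (source IP, credentialId)


def detect_repeated_credential(lines):
    """Return one alert per (src_ip, credentialId) pair exceeding THRESHOLD within WINDOW."""
    recent = defaultdict(deque)  # (src_ip, credentialId) -> timestamps inside the window
    alerted, alerts = set(), []
    for line in lines:
        try:
            event = json.loads(line)
            ts = datetime.fromisoformat(event["ts"])
        except (ValueError, KeyError, TypeError):
            continue  # skip malformed records instead of aborting the run
        if event.get("method") != "POST" or event.get("path") != TTS_PATH:
            continue
        cred = event.get("credentialId")
        if not cred:
            continue
        key = (event.get("src_ip"), cred)
        window = recent[key]
        window.append(ts)
        while ts - window[0] >= WINDOW:
            window.popleft()  # drop requests that fell out of the 60-second window
        if len(window) > THRESHOLD and key not in alerted:
            alerted.add(key)
            alerts.append({"src_ip": key[0], "credentialId": cred,
                           "count": len(window), "first_seen": window[0].isoformat()})
    return alerts


def constructed_log():
    """Constructed sample: one burst source and one slow source, sorted by time."""
    start = datetime(2026, 4, 20, 10, 0, 0)
    cred = "00000000-0000-4000-8000-000000000001"  # placeholder UUID, not a real credential
    events = []
    for i in range(12):
        events.append({"ts": (start + timedelta(seconds=2 * i)).isoformat(), "src_ip": "203.0.113.7",
                       "method": "POST", "path": TTS_PATH, "credentialId": cred})
        events.append({"ts": (start + timedelta(seconds=45 * i)).isoformat(), "src_ip": "198.51.100.9",
                       "method": "POST", "path": TTS_PATH, "credentialId": cred})
    events.append({"ts": start.isoformat(), "src_ip": "203.0.113.7", "method": "GET", "path": "/constructed/other"})
    return [json.dumps(e) for e in sorted(events, key=lambda e: e["ts"])] + ["not json"]


if __name__ == "__main__":
    for alert in detect_repeated_credential(constructed_log()):
        print(alert)
```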
Detection & Mitigation
Priority 1, patch. Upgrade flowise and flowise-components to 3.1.0 or later. Inspect production package.json pinning and Docker image tags.
Priority 2, scope the TTS exposure. If upgrade is delayed, require authentication in front of the Flowise deployment at the reverse-proxy / ingress layer; the TTS endpoint cannot be removed from the application's own whitelist pre-patch.
Priority 3, disable Airtable Agent chatflows temporarily. Until patched, remove or disable any chatflow containing an Airtable Agent node, particularly public-facing chatflows. Prompt injection paths against public chatflows are the most accessible attack class.
Priority 4, rotate stored credentials. On any pre-patch deployment that was network-reachable, rotate the OpenAI, ElevenLabs, Azure, and Google credentials stored in the Flowise credential store. Credential-ID discovery via the referenced companion issue means the specific exploitation prerequisites may already have been satisfied in the wild.
Priority 5, deploy the Sigma content referenced above to WAF, reverse-proxy log processing, or Flowise request-log analysis.
Indicators of Compromise
| Type | Indicator | Context |
|---|---|---|
| HTTP request | Unauthenticated POST /api/v1/text-to-speech/generate with credentialId in body | Pre-patch exposure / in-flight exploitation (GHSA-5fw2-mwhh-9947) |
| Python string | import\s+\w+\s+as\s+\w+\s*,\s*\w+\s+as\s+\w+ in Airtable Agent code path | Sandbox-escape precursor (GHSA-v38x-c887-992f) |
| Host telemetry | Non-baseline child process of the Flowise Node.js process | Post-exploit signal on affected versions (RAXE assessment) |
| Third-party billing | Unexplained TTS API spend against OpenAI / ElevenLabs / Azure / Google accounts linked to a Flowise deployment | Post-abuse signal (GHSA-5fw2-mwhh-9947) |
No file-hash or network-indicator IoCs are available; the attack primitives are structural (RAXE assessment).
Strategic Context
This is the second documented advisory cluster on the Flowise 3.0.x line; prior RAXE research documented a six-vulnerability cluster including authentication bypass, IDOR, mass assignment, SSRF, and file upload flaws, across the same release train. Two distinct coordinated-disclosure waves in approximately 35 days against the same upstream project is a signal, not proof, that the platform's security posture has been under-invested relative to its adoption rate (RAXE assessment).
The two vulnerabilities in this cluster illustrate two recurrent failure modes in agentic-platform security:
- The "whitelisted endpoint" pattern (GHSA-5fw2-mwhh-9947): an endpoint that the application has chosen to exempt from authentication because of a legitimate public-use case, but that can be driven with attacker-supplied parameters to consume privileged resources. Analogous issues have surfaced against other agentic platforms over 2026 where an auth-bypassed endpoint accepts an ID or token and dispatches privileged operations on the caller's behalf.
- The "regex-gated sandbox" pattern (GHSA-v38x-c887-992f): a code-execution sandbox that attempts to restrict the surface by filtering input syntax. Import aliasing, eval-adjacent evaluation, and string-level obfuscation are common bypasses. Blanket restriction within the sandbox context (as 3.1.0 implements) is the robust mitigation; per-construct filtering has a repeating failure record (RAXE assessment).
For enterprise defenders, the inventory implication is that Flowise has joined the list of agentic platforms that need dedicated version-pinning discipline: treat the 3.0.x line as end-of-life for security purposes, not as a patch-as-you-go stream (RAXE assessment).
References
- GHSA-v38x-c887-992f, Flowise Airtable_Agent code injection RCE, https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-v38x-c887-992f (accessed 2026-04-20; published 2026-04-18).
- GHSA-5fw2-mwhh-9947, Flowise unauthenticated TTS endpoint credential abuse, https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-5fw2-mwhh-9947 (accessed 2026-04-20; published 2026-04-17).
- NVD, CVE-2026-41265, https://nvd.nist.gov/vuln/detail/CVE-2026-41265 (accessed 2026-04-27; NVD-published 2026-04-23).
- NVD, CVE-2026-41279, https://nvd.nist.gov/vuln/detail/CVE-2026-41279 (accessed 2026-04-27; NVD-published 2026-04-23).
- npm registry, flowise 3.1.0 manifest, https://registry.npmjs.org/flowise/3.1.0 (publish time 2026-03-16T14:47:16.783Z, verified 2026-04-20).