At a glance
- The issue: A third Flowise vulnerability — same Python import-aliasing trick as the Airtable Agent — lets an attacker escape the CSV Agent's sandbox and run code on the Flowise server, just by sending a crafted prompt.
- Who's affected: Any Flowise deployment running flowise <= 3.0.13 with a CSV Agent node configured in any chatflow.
- What to do now: Upgrade to flowise 3.1.0 (the same fix release that closes the Airtable and text-to-speech issues).
Executive Summary
A third advisory against FlowiseAI's flowise <= 3.0.13 release line was published on 2026-04-21, GHSA-3hjv-c53m-58jj / CVE-2026-41264, a prompt-injection-to-remote-code-execution vulnerability in the CSV Agent chatflow node (GHSA-3hjv-c53m-58jj). The attack mechanism, the bypass shape, and the patched version match the Airtable Agent sibling advisory previously covered in the earlier RAXE Flowise cluster publication; the inference that the two nodes share a single validator code path (pythonCodeValidator.ts) is a RAXE reading of the advisory language, not a vendor-confirmed source-tree fact. An LLM-emitted Python block uses multi-import aliasing (import pandas as np, os as pandas) to slip a disallowed module past the regex allowlist, then executes via pyodide.runPythonAsync inside the Flowise server process (GHSA-3hjv-c53m-58jj). NVD now publishes CVE-2026-41264 with a CVSS 3.1 Primary score of 9.8 CRITICAL, while the GitHub CNA's CVSS 4.0 Secondary score remains 9.2 CRITICAL; the weakness mapping is CWE-184 Incomplete List of Disallowed Inputs (NVD; GHSA-3hjv-c53m-58jj). Fixed in flowise 3.1.0 (npm publish timestamp 2026-03-16T14:47:16.783Z); the same release closes the Airtable and TTS advisories in the earlier RAXE Flowise cluster publication (GHSA-3hjv-c53m-58jj; npm registry).
Risk Rating
| Dimension | Rating | Detail |
|---|---|---|
| Severity | Critical (NVD Primary) / Critical (CNA Secondary) | NVD CVSS 3.1 Primary 9.8 CRITICAL; GitHub CNA CVSS 4.0 Secondary 9.2 CRITICAL. AC:H and AT:P in the CNA vector temper practical exploitability. |
| Urgency | Moderate | Fix available since 2026-03-16 on npm; disclosed publicly 2026-04-21. Organisations that already upgraded in response to the earlier RAXE Flowise cluster publication are not at additional risk. |
| Scope | flowise <= 3.0.13 deployments with CSV Agent chatflow nodes | Network-reachable Flowise instances hosting a chatflow that uses the CSV Agent component are exposed to the unauthenticated prompt-injection path. |
| Confidence | High | Root cause, bypass shape, and fix version all directly attested in the GHSA record; corroborated by npm publish metadata for flowise 3.1.0; structurally identical to the sibling advisory covered in the earlier RAXE Flowise cluster publication. |
| Business Impact | High on affected deployments | Code execution inside the Flowise server process enables data exfiltration, lateral movement, and persistent access from the Flowise host. |
CVSS Divergence Note
CVE-2026-41264 now carries two published scores:
- NVD CVSS 3.1 Primary: 9.8 CRITICAL, vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- GitHub CNA CVSS 4.0 Secondary: 9.2 CRITICAL, vector AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
These are not directly comparable because they use different CVSS versions. The NVD Primary score is the headline severity per RAXE publication convention; the CNA CVSS 4.0 vector captures the additional attack-complexity and attack-requirements nuance (AC:H, AT:P) that tempers practical exploitability in real deployments.
Affected Products
| Product | Affected Versions | Fixed Version | Status |
|---|---|---|---|
| flowise (npm) | <= 3.0.13 | 3.1.0 (published 2026-03-16) | Patched (FlowiseAI via GHSA) |
| flowise-components (npm) | <= 3.0.13 | 3.1.0 (same publish date) | Patched (FlowiseAI via GHSA) |
Am I affected?
- Check installation: run npm list flowise or inspect package.json / Dockerfile for the pinned version. Any version <= 3.0.13 is affected.
- Check chatflow configuration: inspect each published chatflow for a CSV Agent node. Network-reachable chatflows with a CSV Agent node are exposed to the unauthenticated prompt-injection exploitation path.
- Check prior mitigation coverage: if the response to the earlier RAXE Flowise cluster publication was to remove Airtable Agent nodes from chatflows without upgrading the platform, CSV Agent nodes remain exposed and must be addressed separately.
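The installation check can also be run against a lockfile, which records nested copies that a top-level package.json pin does not show. The following is an added example, not part of the advisory or of Flowise; it assumes an npm lockfile of lockfileVersion 2 or 3 (which carries a "packages" map), and the lockfile content shown is constructed.

```python
import json
import re

AFFECTED_MAX = (3, 0, 13)                      # "<= 3.0.13" per the advisory
PACKAGES = {"flowise", "flowise-components"}   # packages listed under Affected Products

# Constructed sample lockfile (lockfileVersion 3 layout).
SAMPLE_LOCK = json.dumps({
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/flowise": {"version": "3.0.13"},
        "node_modules/flowise/node_modules/flowise-components": {"version": "3.0.13"},
        "node_modules/flowise-components": {"version": "3.1.0"},
    },
})


def core_version(version: str):
    """Return (major, minor, patch) or None if the string is not semver-like."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    return tuple(int(p) for p in m.groups()) if m else None


def affected_installs(lock_text: str) -> list:
    """Return sorted (lockfile path, version) pairs for every installed copy
    of an affected package, including copies nested under other packages."""
    lock = json.loads(lock_text)
    hits = []
    for path, meta in lock.get("packages", {}).items():
        # The package name is whatever follows the last "node_modules/".
        name = path.rpartition("node_modules/")[2]
        if name not in PACKAGES:
            continue
        version = core_version(meta.get("version", ""))
        if version is not None and version <= AFFECTED_MAX:
            hits.append((path, meta["version"]))
    return sorted(hits)


if __name__ == "__main__":
    for path, version in affected_installs(SAMPLE_LOCK):
        print(f"AFFECTED {path} {version}")
```
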
Abstract
CVE-2026-41264 is a prompt-injection-to-remote-code-execution vulnerability in the CSV Agent chatflow node of FlowiseAI Flowise versions <= 3.0.13, disclosed on 2026-04-21 as GHSA-3hjv-c53m-58jj (GHSA-3hjv-c53m-58jj). The CSV Agent's run() method in packages/components/nodes/agents/CSVAgent/CSVAgent.ts executes LLM-generated Python via pyodide.runPythonAsync. Before execution, the code passes through a shared regex-based validator at packages/components/src/pythonCodeValidator.ts, which is intended to allow only import pandas and import numpy. The regex fails against Python's multi-import aliasing grammar: the statement import pandas as np, os as pandas imports the disallowed os module and binds it to the symbol pandas, satisfying the validator while making the disallowed namespace available to subsequent code (GHSA-3hjv-c53m-58jj). The research team, the bypass shape, the shared validator code path, and the patched release are identical to the Airtable Agent sibling advisory (GHSA-v38x-c887-992f), reported by the same researchers (Dre Cura and Nicholas Zubrisky of TrendAI Research via ZDI) and covered in the earlier RAXE Flowise cluster publication. Both advisories are fixed in flowise 3.1.0, published to npm on 2026-03-16T14:47:16.783Z (npm registry, verified 2026-04-23).
Key Findings
- Shared validator, per-node exposure (RAXE inference from advisory language; not source-tree confirmed). The vulnerable regex is attributed by the advisory to pythonCodeValidator.ts, the same file named in the sibling Airtable Agent advisory. RAXE's reading of the two advisories' consistent wording ("The issue results from the lack of proper sandboxing" plus the identical fix description "disallowing all imports") is that both nodes reach the same validation shim. This is an inference, not a vendor-confirmed source-tree fact. If the validator was actually duplicated per-node, patching one node would not cure the sandbox, and further sibling advisories remain structurally plausible; the fix in flowise 3.1.0 is described as global (GHSA-3hjv-c53m-58jj).
- Unauthenticated exploitation via public chatflow. Flowise chatflows are commonly exposed without authentication for demo or public-use purposes. Any such chatflow containing a CSV Agent node lets an attacker reach the sandbox via prompt injection; no credentials, no network pivot, no supply-chain compromise is required (GHSA-3hjv-c53m-58jj).
- Three advisories within a five-day window against one release line. GHSA-5fw2-mwhh-9947 (TTS credential abuse, 2026-04-17, covered in the earlier RAXE Flowise cluster publication), GHSA-v38x-c887-992f (Airtable Agent, 2026-04-18, covered in the earlier RAXE Flowise cluster publication), and this advisory (CSV Agent, 2026-04-21), a four-day span between the first and last, all target flowise <= 3.0.13. The TTS disclosure came from Shinobi Security; the Airtable and CSV Agent disclosures are both TrendAI Research via ZDI. This velocity is evidence that systematic coverage of the Pyodide-sandbox surface is in progress (RAXE assessment).
- CWE-184 is the correct class. GitHub's Advisory API populates the cwes field with CWE-184, Incomplete List of Disallowed Inputs, which precisely describes a regex allowlist that enumerates banned imports without anticipating aliasing. This is the same class assigned to GHSA-v38x-c887-992f (GitHub Advisory API, verified 2026-04-23).
Attack Flow
Vulnerable: flowise <= 3.0.13 with a CSV Agent node in an accessible chatflow
Path 1 — Prompt injection (no auth required)
Attacker → POST /api/v1/prediction/<chatflow-id>
body { question: <prompt crafted to elicit aliased-import Python> }
LLM → emits Python containing:
import pandas as np, os as pandas
pandas.<attacker-chosen call>
Flowise → pythonCodeValidator.ts regex scans, sees 'pandas' twice, passes
Flowise → pyodide.runPythonAsync(code) executes
Outcome → attacker code runs in the Flowise Node.js server process
Path 2 — Authenticated chatflow creation / attacker-operated LLM endpoint
Attacker → authenticates, creates chatflow pointing LLM at attacker-operated
endpoint that always returns the poisoned Python
[terminal is the same Python execution as Path 1]
PoC mode note:
The advisory PoC describes server, chatflow, and prompt_injection modes.
The server mode is a support component for Path 2, not a separate
exploitation path.
Technical Details
Vulnerability mechanics
The CSV Agent node (packages/components/nodes/agents/CSVAgent/CSVAgent.ts, CSV_Agents.run() method) processes a user prompt together with a CSV input, forwards the combination to the configured LLM, and expects the LLM's response to include Python code that manipulates the CSV as a pandas DataFrame. The code is then routed through packages/components/src/pythonCodeValidator.ts and, if validated, passed to pyodide.runPythonAsync(code) for execution (GHSA-3hjv-c53m-58jj).
The validator applies a FORBIDDEN_PATTERNS set. The core allowlist regex is /\bimport\s+(?!pandas|numpy\b)/g: strip any import statement whose module name is not pandas or numpy. The regex evaluates token-by-token against the word immediately following import; it does not parse Python's full import grammar. Python's multi-import syntax (import a, b, c and import a as x, b as y) places multiple import clauses in one statement, each with its own optional alias, separated by commas (Python reference grammar).
The advisory's cited bypass (GHSA-3hjv-c53m-58jj):
import pandas as np, os as pandas
pandas.system("xcalc")
The regex scans: import appears once, the next token is pandas, and the rest of the line contains the substring pandas again; the pattern (?!pandas|numpy\b) does not fire and the statement is accepted. Inside the Pyodide runtime, the resolved state is: np is bound to the real pandas module, and pandas is rebound to the os module's namespace. Subsequent calls on pandas.<anything> dispatch against the os module.
The demonstrator call pandas.system("xcalc") proves reach; the advisory does not publish a weaponised payload, and neither does this publication.
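The gap between the regex and Python's import grammar can be checked without executing anything. The following is an added example, not code from Flowise or from the advisory: it ports the regex quoted above to Python's re module and compares it with a parse of the same source through the standard ast module. The function names, the sample strings, and the allowed set are assumptions made for the illustration.

```python
import ast
import re

# Python port of the regex quoted on this page,
# /\bimport\s+(?!pandas|numpy\b)/g. A match means "forbidden import".
FORBIDDEN_IMPORT = re.compile(r"\bimport\s+(?!pandas|numpy\b)")
ALLOWED = frozenset({"pandas", "numpy"})

# Constructed sample inputs; ADVISORY is the import statement cited above.
BENIGN = "import pandas as pd\nimport numpy as np\n"
PLAIN_OS = "import os\n"
ADVISORY = "import pandas as np, os as pandas\n"


def regex_rejects(code: str) -> bool:
    """True when the regex gate would flag the code."""
    return FORBIDDEN_IMPORT.search(code) is not None


def imported_bindings(code: str) -> list:
    """Parse (never execute) the code; return (module, bound_name) pairs
    for every clause of every import statement."""
    bindings = []
    for node in ast.walk(ast.parse(code)):
        if isinstance(node, ast.Import):
            for alias in node.names:
                # "import a.b" binds "a"; "import a.b as c" binds "c".
                bindings.append((alias.name, alias.asname or alias.name.split(".")[0]))
        elif isinstance(node, ast.ImportFrom):
            module = "." * node.level + (node.module or "")
            for alias in node.names:
                bindings.append((module, alias.asname or alias.name))
    return bindings


def violations(code: str, allowed: frozenset = ALLOWED) -> list:
    """Describe each import clause whose top-level module is not allowed.
    Passing an empty set models a "disallow all imports" policy."""
    return [
        f"{module} bound as {bound}"
        for module, bound in imported_bindings(code)
        if module.split(".")[0] not in allowed
    ]


if __name__ == "__main__":
    for label, code in [("benign", BENIGN), ("plain os", PLAIN_OS), ("advisory", ADVISORY)]:
        print(f"{label:9} regex_rejects={regex_rejects(code)} ast={violations(code)}")
```

The parse reports the second clause because each comma-separated clause is its own alias node; the check covers import statements only and is not a sandbox.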
Shared code path with GHSA-v38x-c887-992f
The Airtable Agent advisory (GHSA-v38x-c887-992f, the earlier RAXE Flowise cluster publication) describes the same regex in the same validator file, and the same bypass shape. The structural claim of this publication, that patching one node does not cure the sandbox, rests on the advisories' concurrent citation of a single shared pythonCodeValidator.ts plus the identical fix description ("disallowing all imports") in both records (RAXE assessment, based on the advisory language; RAXE has not audited the Flowise source tree directly).
CVSS and severity
| Scoring System | Score | Severity | Vector | Source |
|---|---|---|---|---|
| CVSS 3.1 Primary | 9.8 | Critical | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | NVD |
| CVSS 4.0 Secondary | 9.2 | Critical | AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N | GHSA-3hjv-c53m-58jj (CNA-submitted Secondary) |
Vector notes: the CNA CVSS 4.0 vector is identical in shape to the Airtable sibling. AC:H reflects the need to shape the LLM's output to carry the payload, and AT:P reflects the present-but-conditional dependency on a chatflow containing a CSV Agent node. NVD's CVSS 3.1 Primary now publishes the higher-severity 9.8 reading.
Fix provenance
flowise@3.1.0 published on npm at 2026-03-16T14:47:16.783Z with tarball shasum d42f4f1777ab72b5cecd6c84b3a292f49cb70ade (npm registry, queried 2026-04-23). The same manifest closes GHSA-v38x-c887-992f and GHSA-5fw2-mwhh-9947.
Confidence & Validation
Assessment Confidence: High
| Aspect | Status | Detail |
|---|---|---|
| Vendor advisory | Confirmed | FlowiseAI-authored, published 2026-04-21 via GitHub Security Advisory |
| CVE assigned | Confirmed | CVE-2026-41264, NVD-published 2026-04-23, vulnStatus Analyzed, NVD CVSS 3.1 Primary 9.8 CRITICAL, CWE-184 (Secondary from GitHub CNA in NVD record). |
| PoC available | Concept-level | Aliased-import shape is published in the advisory; full PoC linked in the advisory as a password-protected SharePoint attachment |
| Patch available | Confirmed | flowise 3.1.0, npm publish 2026-03-16 |
| Exploited in wild | Not observed by RAXE | No KEV listing; no vendor statement of in-wild exploitation |
Detection Signatures
Full Sigma rules published alongside this advisory as detection/flowise-csv-agent-sandbox-escape.yml:
- Flowise CSV Agent Python Import Aliasing, application-layer rule matching the aliased-import shape in Python code routed through the CSV Agent path. High-fidelity pre-exploit signal on affected versions; log-only telemetry post-patch.
- Flowise Prediction Endpoint Unauthenticated POST Burst, correlation-seed rule at the web layer. Broad by design; consume only paired with the CSV Agent import rule or the subprocess-spawn post-exploit rule shipped with the earlier RAXE Flowise cluster publication.
- Subprocess-spawn post-exploit signal, covered by Flowise Node.js Unexpected Subprocess Spawn in the earlier RAXE Flowise cluster publication detection file; applies here unchanged.
Detection & Mitigation
Priority 1, patch. Upgrade flowise and flowise-components to 3.1.0 or later. This is the same action already recommended by the earlier RAXE Flowise cluster publication; running it once closes all three advisories in the wave.
Priority 2, close gap in per-chatflow mitigations. If the response to the earlier RAXE Flowise cluster publication was to disable chatflows that contained the Airtable Agent node while deferring the platform upgrade, CSV Agent nodes must now be disabled by the same mechanism until the upgrade lands.
Priority 3, externally-authenticate the Flowise instance. Place Flowise behind an upstream auth layer (reverse proxy with SSO) so that the unauthenticated prompt-injection path to the CSV Agent is not network-reachable. This is defence-in-depth and does not substitute for the patch.
Priority 4, deploy the Sigma content referenced above, pairing the CSV Agent import rule with the post-exploit subprocess-spawn rule from the earlier RAXE Flowise cluster publication.
Indicators of Compromise
| Type | Indicator | Context |
|---|---|---|
| Python string | import\s+\w+\s+as\s+\w+\s*,\s*\w+\s+as\s+\w+ in code routed through the CSV Agent path | Sandbox-escape precursor (GHSA-3hjv-c53m-58jj) |
| HTTP request | Unauthenticated POST /api/v1/prediction/<chatflow-id> with prompt bodies shaped to elicit Python emission | Access pattern for exploitation path 1 (GHSA-3hjv-c53m-58jj) |
| Host telemetry | Non-baseline child process of the Flowise Node.js process | Post-exploit signal on affected versions (RAXE assessment, shared with the earlier RAXE Flowise cluster publication) |
No file-hash or network-indicator IoCs are available; the attack primitive is structural (RAXE assessment).
Strategic Context
This is the third advisory RAXE has covered against the flowise 3.0.x release line in under six months, and the second in the April 2026 TrendAI-ZDI wave alone. The strategic picture has not changed from what the earlier RAXE Flowise cluster publication named it: regex-gated sandboxes against LLM-emitted code are a fragile class, and the same validator surface will continue to produce advisories until the sandbox strategy is replaced (or until every Python-emitting agent node is individually wrapped in a heavier mitigation).
Two concrete patterns worth naming for forward-looking work:
- Shared-validator multi-node exposures. When a single validation shim is called from multiple attacker-reachable entry points, one bypass discovery usually implies a coordinated-disclosure wave across every entry point. Inventory-grade tracking of this class requires ingesting every sibling advisory quickly, not just the first.
- Python's multi-import grammar as a defensive blind spot. The regex in pythonCodeValidator.ts is a clean illustration: it reasons about import X but not about import X as A, Y as B. The same blind spot exists in any regex-gated JavaScript require() allowlist, in TOML import-key parsers that don't understand table syntax, and in other "simple prefix allowlist" patterns across the agentic platform ecosystem (RAXE assessment).
For enterprise defenders, the practical upshot is unchanged: treat flowise 3.0.x as a release line that needs retirement rather than incremental patching, and verify your SBOM tooling is catching the full 3.0.x range across the Flowise advisories covered in this publication sequence, not one record at a time.
References
- GHSA-3hjv-c53m-58jj, Flowise CSV Agent Prompt Injection RCE, https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-3hjv-c53m-58jj (accessed 2026-04-23; published 2026-04-21).
- NVD, CVE-2026-41264, https://nvd.nist.gov/vuln/detail/CVE-2026-41264 (accessed 2026-04-26; NVD-published 2026-04-23, lastModified 2026-04-24; vulnStatus Analyzed; CVSS 3.1 Primary 9.8 CRITICAL on vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H; CWE-184 Secondary from the GitHub CNA in the NVD record).
- npm registry, flowise 3.1.0 manifest, https://registry.npmjs.org/flowise/3.1.0 (publish time 2026-03-16T14:47:16.783Z, shasum d42f4f1777ab72b5cecd6c84b3a292f49cb70ade, verified 2026-04-23).