Description
This vulnerability allows remote attackers to execute arbitrary code on affected installations of FlowiseAI Flowise. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the run method of the CSV_Agents class. The issue results from the lack of proper sandboxing when evaluating an LLM generated python script. An attacker can leverage this vulnerability to execute code in the context of the user running the server.
Module options
To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':
msf > use exploit/multi/http/flowise_auth_rce_cve_2026_41264msf undefined(flowise_auth_rce_cve_2026_41264) > show actions ...actions...msf undefined(flowise_auth_rce_cve_2026_41264) > set ACTION < action-name >msf undefined(flowise_auth_rce_cve_2026_41264) > show options ...show and set options...msf undefined(flowise_auth_rce_cve_2026_41264) > runPrioritise with Active Threat Intelligence
With curated Threat Intelligence, you can see which vulnerabilities truly put you at risk, prioritize what matters most, and act before attackers do.
Explore Intelligence Hub