Critical Code Injection Flaw in FlowiseAI Airtable_Agent Allows Unauthenticated RCE
A critical unauthenticated code injection vulnerability in FlowiseAI's Airtable_Agent component, tracked as CVE-2026-41265, allows remote attackers to execute arbitrary Python code with a CVSS score of 9.8.
A critical vulnerability has been disclosed in FlowiseAI Flowise, a popular open-source platform for building AI workflows and agents. The flaw, assigned CVE-2026-41265 and reported through Trend Micro's Zero Day Initiative (ZDI-26-307), resides in the `run` method of the Airtable_Agent class. It allows unauthenticated remote attackers to execute arbitrary Python code on affected installations, leading to full compromise of the service account.
The vulnerability stems from improper validation of user-supplied strings before they are used in Python code execution. Specifically, the Airtable_Agent component fails to sanitize input, enabling an attacker to inject malicious Python code that is then executed by the application. With a CVSS score of 9.8 (Critical), the flaw requires no authentication and no user interaction, making it trivially exploitable over the network.
FlowiseAI Flowise is widely used by developers and enterprises to create custom AI agents, chatbots, and automation pipelines. The Airtable_Agent is a built-in tool that integrates with Airtable databases, and its widespread use in production environments means the vulnerability could expose sensitive data and internal systems. Organizations running Flowise with the Airtable_Agent enabled are at immediate risk of remote code execution.
The vulnerability was discovered and responsibly disclosed by researchers Dre Cura and Nicholas Zubrisky of TrendAI Research. They reported the issue to Flowise on February 26, 2026, and the coordinated public advisory was released on May 1, 2026, after a patch was made available.
Flowise has addressed the vulnerability in a commit identified as `cf36fb71fbd33437166f8a94de8534a4d9b6180c`. Users are strongly advised to update their Flowise installations immediately. The patch corrects the input validation flaw in the Airtable_Agent's `run` method, preventing the injection of arbitrary Python code.
No active exploitation in the wild has been reported at the time of disclosure, but the high severity and ease of exploitation make it a prime target for threat actors. Security teams should prioritize patching and review any systems that expose Flowise interfaces to untrusted networks.
This vulnerability highlights the growing risk surface in AI agent frameworks, where dynamic code execution features are often implemented without sufficient security hardening. As AI-powered automation tools become more embedded in enterprise workflows, similar flaws are likely to emerge, demanding rigorous input validation and sandboxing.