Critical Prompt Injection Vulnerability in FlowiseAI CSV Agent Allows Unauthenticated Remote Code Execution
A critical prompt injection vulnerability in FlowiseAI's CSV Agent, tracked as CVE-2026-41264, allows unauthenticated attackers to achieve remote code execution with a CVSS score of 9.8.
Zero Day Initiative publicly disclosed a critical vulnerability in FlowiseAI's CSV Agent on June 24, 2026, assigning it advisory ZDI-26-364. The flaw, tracked as CVE-2026-41264, carries a CVSS score of 9.8, indicating the highest severity level. According to the advisory, the vulnerability allows remote attackers to execute arbitrary code on affected installations of Flowise without requiring any authentication. This makes it particularly dangerous for organizations that expose the CSV Agent feature to the internet or untrusted networks.
The vulnerability is classified as a prompt injection flaw, a class of attack that exploits the way large language model (LLM) agents process user-supplied input. In Flowise, the CSV Agent is designed to read and analyze CSV files, but the injection allows an attacker to craft malicious prompts that bypass intended restrictions. When the agent processes these prompts, it can be tricked into executing arbitrary commands on the underlying system. This is similar to other prompt injection vulnerabilities that have been discovered in AI agent frameworks, where the boundary between data and instructions becomes blurred.
FlowiseAI is an open-source low-code platform for building LLM applications and agents. The CSV Agent is a component that enables users to upload CSV files and query them using natural language. The vulnerability affects all installations where this agent is exposed, which could include development environments, internal tools, and even production systems. Given the platform's popularity for rapid prototyping and deployment of AI workflows, the potential attack surface is significant. Organizations using Flowise should immediately assess whether the CSV Agent is accessible to untrusted users.
Zero Day Initiative has not yet disclosed whether the vulnerability is being exploited in the wild, but the high CVSS score and the lack of authentication requirements make it a prime target for attackers. The advisory does not include a patch or mitigation details, but users are advised to restrict access to the CSV Agent component and monitor for any suspicious activity. FlowiseAI has not yet released an official statement or update addressing CVE-2026-41264 as of the advisory publication date.
This disclosure adds to a growing list of critical vulnerabilities in AI agent frameworks. Earlier in 2026, a path-traversal vulnerability in Langflow (CVE-2026-5027) was actively exploited to achieve remote code execution, and a prompt injection flaw in pgAdmin 4's AI Assistant (CVE-2026-12050) was patched in version 9.16. The trend highlights the security challenges posed by integrating LLM agents into software, where traditional input validation may not be sufficient to prevent injection attacks.
Organizations using Flowise should treat this vulnerability with the highest priority. Until a patch is available, the primary mitigation is to ensure that the CSV Agent is not exposed to untrusted networks and that access is restricted to authenticated users only. Security teams should also review logs for any signs of exploitation, such as unexpected command execution or unusual CSV file uploads. The broader lesson is that AI agent components require careful security review, as their ability to interpret natural language can introduce novel attack vectors that bypass conventional defenses.