VYPR
Advisory · Published Jun 24, 2026 · 1 source

FlowiseAI CSV Agent Code Injection Vulnerability (CVE-2026-41137) Allows Remote Code Execution

A high-severity (CVSS 8.8) code injection vulnerability in the customReadCSV function of FlowiseAI Flowise's CSV Agent, tracked as CVE-2026-41137, allows authenticated attackers to execute arbitrary code on the server; the ZDI advisory adds that the authentication requirement can be bypassed.

A high-severity code injection vulnerability has been disclosed in FlowiseAI Flowise, a popular open-source low-code platform for building LLM applications. The flaw, tracked as CVE-2026-41137 and published by the Zero Day Initiative as ZDI-26-365, resides in the CSV Agent's customReadCSV function and carries a CVSS score of 8.8 (the 7.0 to 8.9 band is rated High under CVSS v3; Critical starts at 9.0).

The vulnerability allows remote attackers to inject arbitrary code through specially crafted CSV files processed by the customReadCSV function. While authentication is required to trigger the flaw, the ZDI advisory notes that the existing authentication mechanism can be bypassed, which significantly lowers the barrier to exploitation: in practice, an instance should be treated as exposed to any client that can reach its API, not only to users who hold valid credentials.

FlowiseAI Flowise is widely used to create AI-powered workflows and chatbots without deep programming expertise. The CSV Agent component is designed to read and process CSV data as part of automated pipelines, making it a common feature in many deployments. The customReadCSV function, in particular, allows users to define custom parsing logic, which is where the injection point exists.

The impact of successful exploitation is full remote code execution on the affected server. An attacker could leverage this to install malware, exfiltrate sensitive data (including the LLM API keys and other credentials a Flowise instance stores for its integrations), pivot to other systems within the network, or disrupt operations. Given that Flowise instances often handle proprietary business data and integrate with other services, the potential for cascading damage is significant.

As of the advisory's publication on June 24, 2026, no patch has been released by FlowiseAI. The ZDI has not disclosed whether the vendor was notified prior to disclosure or if a fix is in development. Because the advisory states that the authentication requirement can be bypassed, strong authentication alone is not a sufficient control. Users are advised to keep Flowise instances off the public internet and reachable only from trusted networks, restrict which users can upload or reference CSV files consumed by the CSV Agent (or disable the CSV Agent node until a fix ships), and monitor for unusual activity involving the CSV Agent, such as unexpected child processes or outbound connections from the Flowise host. Network segmentation limits the blast radius of a compromised instance in the meantime.

This vulnerability adds to a growing list of code injection flaws in AI and data-processing tools, which have become prime targets for attackers due to their elevated privileges and access to sensitive data. Organizations using Flowise should treat CVE-2026-41137 with urgency and apply any forthcoming patches immediately.

Synthesized by Vypr AI