VYPR
researchPublished Jul 11, 2026· 1 source

Metasploit Adds Exploits for FlowiseAI RCE and macOS Privilege Escalation

Rapid7's Metasploit Framework has released new modules targeting a critical RCE vulnerability in FlowiseAI's CSV Agent and a privilege escalation flaw in macOS PackageKit.

The Metasploit Framework, a popular tool for penetration testing and exploit development, has announced the integration of new modules that address two significant vulnerabilities. The first targets FlowiseAI, an open-source platform for building AI applications, while the second affects macOS's PackageKit, a framework used for software installation.

The FlowiseAI vulnerability, identified as CVE-2026-41264, resides within the CSV Agent feature. Researchers discovered that insufficient sandboxing and an incomplete list of disallowed inputs allow unauthenticated attackers to achieve Remote Code Execution (RCE). By uploading a specially crafted CSV file, attackers can inject arbitrary Python code, which is then executed on the server running Flowise. This flaw affects versions 1.3.0 through 3.0.13 of Flowise. While the exploit module requires an API key with chatflows:create permission, it does not necessitate full authentication to the Flowise application itself, making it a potent threat vector.

This RCE vulnerability in FlowiseAI highlights the growing attack surface presented by the rapid adoption of AI development tools. As more organizations leverage platforms like Flowise to build custom AI solutions, the security of these platforms becomes paramount. The ease with which prompt injection can lead to code execution underscores the need for robust input validation and sandboxing mechanisms in AI-powered applications.

In parallel, Metasploit has introduced an exploit for CVE-2024-27822, a local privilege escalation vulnerability in macOS PackageKit. This flaw is triggered during the installation of .PKG files when a ZSH shebang is used. The PackageKit framework, when installing packages as root, inadvertently inherits the installing user's environment variables. This allows ZSH to source the user's ~/.zshenv file with root privileges, enabling the execution of malicious code. The vulnerability affects macOS versions 14.4, 13.6.6, 12.7.4, and earlier, with patches available in subsequent releases (14.5, 13.6.7, and 12.7.5).

The macOS privilege escalation module demonstrates a sophisticated attack chain that leverages the system's own installation processes. By planting a payload in the ~/.zshenv file, an attacker can gain root privileges once a user approves and authenticates an installation prompt. This discovery is particularly concerning for macOS users, as it bypasses standard security measures by exploiting a fundamental component of the operating system's software management.

These new additions to Metasploit reflect the ongoing efforts by security researchers and the Metasploit community to identify and weaponize vulnerabilities in emerging technologies and widely used operating systems. The inclusion of exploits for both AI development tools and macOS highlights the diverse threat landscape that cybersecurity professionals must navigate.

Rapid7's update also includes enhancements and bug fixes to existing Metasploit modules, improving its utility for security testing. These updates are crucial for defenders to stay ahead of attackers by understanding the latest exploitation techniques and developing effective countermeasures.

Synthesized by Vypr AI