Poisoned CSV file lets attackers hijack Flowise AI servers

Security researchers have disclosed a serious flaw in Flowise, the popular open source tool for building AI apps and chatbots with a drag and drop canvas, that lets an attacker run their own code on the server by uploading a booby trapped spreadsheet. Tracked as CVE-2026-41264, the bug sits in Flowise's CSV Agent feature and has now been packaged into a ready to use Metasploit module, turning a fiddly research finding into a point and click attack.

The vulnerability was reported by researcher Takahiro Yokoyama working with Trend Micro's Zero Day Initiative, and Rapid7 added an exploit module for it this week. Flowise versions 1.3.0 through 3.0.13 are affected.

How the attack works

Flowise's CSV Agent lets a chatbot answer questions about an uploaded spreadsheet by having a large language model write small Python programs to crunch the data. The problem is that Flowise runs that AI generated Python without properly sandboxing it, and its list of banned inputs is incomplete. An attacker can hide malicious Python inside a CSV file and use a prompt injection, feeding the model instructions it was never meant to follow, to make the code execute on the underlying server. This is a classic prompt injection escalated all the way to remote code execution, meaning the attacker runs commands as the account that owns the Flowise process.

Crucially, the flaw does not require a Flowise login to trigger. The Metasploit module needs an API key that carries the chatflows:create permission, but no full authentication, which is why Rapid7 describes it as an unauthenticated remote code execution issue.

Why it matters

Flowise is widely deployed by developers experimenting with AI agents, and instances are frequently exposed to the internet. Because a working exploit now ships inside Metasploit, opportunistic scanning and exploitation typically follow within days. This is part of a broader pattern in which the glue code around AI models, not the models themselves, becomes the soft underbelly of AI powered software. IntelFusions has tracked similar prompt injection to compromise chains in Microsoft 365 Copilot and the Cursor AI code editor, and prompt injection remains the top entry on the OWASP Top 10 for LLM applications.

What you should do

Administrators running Flowise should upgrade to a release newer than 3.0.13 without delay, restrict who can reach Flowise instances by placing them behind authentication and network controls, and never expose a Flowise server directly to the public internet. Where the CSV Agent feature is not needed, disable it, and treat any API keys with the chatflows:create permission as high value secrets.

This briefing is provided by IntelFusions for informational and defensive purposes only. It is based on sources assessed to be reliable at the time of writing, and analytic judgments carry the confidence levels indicated. Indicators of compromise are defanged; re-arm them only in controlled environments. IntelFusions is not affiliated with the organizations named and makes no warranty as to completeness or accuracy.

Read the full analysis on IntelFusions