VulnWatch
Weekly digest · Apr 20, 2026

Flowise Floods Critical RCEs; Agentic Frameworks Under Siege

This week saw an unprecedented cascade of critical vulnerabilities in Flowise, alongside severe agentic bypasses in Paperclip and Gemini CLI. Immediate patching is required for LLM orchestration layers.

Week in Review

The week of April 20-26, 2026, will be remembered as a watershed moment for AI orchestration security. The dominant theme is the systemic fragility of low-code LLM workflow platforms, exemplified by a historic cluster of vulnerabilities in Flowise that exposes users to remote code execution (RCE), credential theft, and server-side request forgery (SSRF). Simultaneously, the emerging agentic ecosystem faced severe scrutiny, with critical trust bypasses identified in Paperclip, Gemini CLI, and OpenClaw. None of this week's items is currently flagged as actively exploited in the wild, but multiple advisories note that public exploits are already available, raising the urgency for immediate remediation. The single most urgent item is the unauthenticated RCE chain in Flowise (CVE-2026-41268), which requires only a single HTTP request to compromise containerized instances.

Top Items of the Week

The following vulnerabilities represent the highest risk to AI infrastructure this week. Security teams should prioritize these based on exposure and asset criticality.

  1. Flowise Unauthenticated RCE (CVE-2026-41268)

    • Severity: Critical (CVSS 9.8)
    • Component: Flowise Core
    • Impact: Full remote command execution via parameter override bypass using FILE-STORAGE:: and NODE_OPTIONS injection.
    • Action: Upgrade to Flowise 3.1.0 immediately. Isolate instances from public networks until patched.
  2. Paperclip Unauthenticated RCE (CVE-2026-41679)

    • Severity: Critical (CVSS 10.0)
    • Component: Paperclip AI Agent Orchestrator
    • Impact: Full RCE on network-accessible instances via a six-call API chain without credentials.
    • Action: Upgrade to version 2026.416.0. Audit logs for suspicious API sequences.
  3. Flowise MCP Adapter Command Injection (CVE-2026-40933)

    • Severity: Critical (CVSS 9.9)
    • Component: Flowise MCP Adapter
    • Impact: Authenticated attackers can add arbitrary MCP stdio servers to execute commands.
    • Action: Patch to 3.1.0. Review custom MCP configurations for unauthorized entries.
  4. Gemini CLI Workspace Trust Bypass (GHSA-wpqr-6v78-jr5g)

    • Severity: Critical (CVSS 10.0)
    • Component: Gemini CLI / run-gemini-cli Action
    • Impact: RCE via workspace trust and tool allowlisting bypasses in CI/CD environments.
    • Action: Update CLI and GitHub Actions. Review headless mode trust settings.
  5. Flowise Public Endpoint Credential Leak (CVE-2026-41278)

    • Severity: High (CVSS 8.7)
    • Component: Flowise Public API
    • Impact: Raw flowData exposure including plaintext API keys and passwords via public endpoints.
    • Action: Patch to 3.1.0. Rotate all API keys exposed in Flowise configurations immediately.
  6. InstructLab Model Loading RCE (CVE-2026-6859)

    • Severity: High (CVSS 8.8)
    • Component: InstructLab linux_train.py
    • Impact: Arbitrary Python code execution via malicious HuggingFace models due to hardcoded trust_remote_code=True.
    • Action: Avoid loading untrusted models. Patch when available.
  7. LiteLLM Proxy SQL Injection (GHSA-r75f-5x8p-qvmc)

    • Severity: Critical
    • Component: LiteLLM Proxy API
    • Impact: Database read/write access via crafted Authorization headers.
    • Action: Upgrade to LiteLLM 1.83.7.
  8. Flowise CSV Agent Prompt Injection (CVE-2026-41264)

    • Severity: Critical (CVSS 9.2)
    • Component: Flowise CSV Agents
    • Impact: LLM-generated Python script execution via prompt injection.
    • Action: Patch to 3.1.0. Implement output sandboxing for code generation nodes.

The Flowise Orchestration Collapse

The most significant story this week is the sheer volume of vulnerabilities disclosed in Flowise, a popular drag-and-drop interface for building LLM flows. Prior to version 3.1.0, the platform exhibited a catastrophic failure of defense-in-depth, resulting in over twenty distinct CVEs ranging from authentication bypasses to full remote code execution.

The root cause analysis suggests a systemic issue with input sanitization and trust boundaries within the node execution engine. For instance, CVE-2026-41268 allows an unauthenticated attacker to achieve RCE via a parameter override bypass involving the FILE-STORAGE:: keyword and NODE_OPTIONS environment variable injection. This is particularly dangerous because it requires no authentication, making every internet-exposed instance a potential target. Similarly, CVE-2026-40933 highlights the risks of the Model Context Protocol (MCP) integration, where unsafe serialization of stdio commands allows authenticated users to spawn arbitrary processes.

Beyond code execution, the data leakage risks are severe. CVE-2026-41278 and CVE-2026-41266 reveal that public endpoints intended for chatbot configuration were returning raw internal objects, including plaintext API keys, OAuth tokens, and database credentials. This effectively turns any public chatflow into a credential harvesting endpoint. Furthermore, SSRF vulnerabilities (CVE-2026-41271, CVE-2026-41272, CVE-2026-41270) indicate that the internal HTTP wrappers failed to properly enforce deny lists, allowing attackers to pivot from the Flowise server into internal cloud metadata services or private networks.

For organizations using Flowise, the recommendation is not merely to patch but to assume compromise for any instance running versions prior to 3.1.0 that was accessible from untrusted networks. All credentials stored within the platform should be considered revoked and rotated.

Agentic Consent & Tooling Bypasses

As AI agents move from chat interfaces to autonomous action, the security model shifts from protecting prompts to protecting tool execution permissions. This week, multiple frameworks failed to enforce these boundaries.

Paperclip, an agent orchestration server, disclosed CVE-2026-41679, a critical unauthenticated RCE, and CVE-2026-41208, a privilege escalation allowing agents to update their own adapterConfig to execute OS commands. This highlights a fundamental design flaw in allowing agents to modify their own execution constraints. Similarly, OpenClaw faced issues (CVE-2026-41349, GHSA-7jm2-g593-4qrc) where LLM agents could silently disable execution approval or mutate gateway configurations to bypass SSRF and sandbox policies.

Google’s Gemini CLI (GHSA-wpqr-6v78-jr5g) introduced a breaking change to address workspace trust bypasses in headless CI/CD environments. Previously, the CLI automatically trusted workspace folders in non-interactive modes, allowing malicious repositories to execute tools without user consent. This is a critical reminder for DevSecOps teams: AI tools integrated into CI/CD pipelines inherit the risks of the code they analyze. If the AI tool trusts the repository blindly, a compromised repo can compromise the build environment.

Claude Code (GHSA-q5hj-mxqh-vv77) also faced a trust dialog bypass via Git worktree spoofing. By crafting a repository with a specific commondir file, attackers could trick the CLI into believing a folder was previously trusted, executing malicious hooks defined in .claude/settings.json. These incidents collectively underscore that “trust” in AI tooling must be explicit, verifiable, and never inherited from mutable configuration files.

Supply Chain & Model Loading Risks

The supply chain remains a potent attack vector, particularly where model loading involves deserialization or remote code execution. InstructLab’s CVE-2026-6859 is a prime example: the linux_train.py script hardcoded trust_remote_code=True when loading models from HuggingFace. This allows a remote attacker to achieve arbitrary Python code execution by convincing a user to download a malicious model. This mirrors historical vulnerabilities in pickle deserialization but is specific to the AI model loading context.
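The gate that a hardcoded trust_remote_code=True skips, as an added example (not InstructLab or transformers code): remote code is enabled only for an allowlisted model id pinned to a reviewed revision, and otherwise the load proceeds with the flag forced off. The `loader` callable stands in for `AutoModelForCausalLM.from_pretrained` (which does accept `trust_remote_code` and `revision`) so the decision runs offline; the policy class and ids are assumptions for illustration.

```python
import fnmatch
import logging

log = logging.getLogger("model-trust")


class ModelTrustPolicy:
    """Per-source decision on whether repository-hosted Python may execute.
    `reviewed` maps a Hub model id to the exact revision (commit sha) whose
    custom code was reviewed; remote code is enabled only for that id AND
    that revision, so a later push to the repo cannot ride the allowlist."""

    def __init__(self, reviewed: dict, allowed_sources=("*",)):
        self.reviewed = reviewed                # e.g. {"my-org/custom-llm": "<sha>"}
        self.allowed_sources = allowed_sources  # glob patterns of loadable ids

    def source_allowed(self, model_id: str) -> bool:
        # Local paths get no exemption: they match the same patterns or not at all.
        return any(fnmatch.fnmatchcase(model_id, p) for p in self.allowed_sources)

    def remote_code_allowed(self, model_id: str, revision) -> bool:
        return revision is not None and self.reviewed.get(model_id) == revision


def load_model_checked(model_id, policy, loader, *, revision=None, want_remote_code=False):
    """`loader(model_id, trust_remote_code=..., revision=...)` stands in for
    AutoModelForCausalLM.from_pretrained (injected so the gate is testable).
    Returns (model, trust_remote_code_actually_used)."""
    if not policy.source_allowed(model_id):
        raise PermissionError(f"model source not allowlisted: {model_id}")
    trust = bool(want_remote_code and policy.remote_code_allowed(model_id, revision))
    if want_remote_code and not trust:
        # Fail closed: load with the flag OFF rather than silently trusting.
        # A model that genuinely needs custom code is then refused by the
        # library instead of executing unreviewed code.
        log.warning("trust_remote_code denied for %s@%s", model_id, revision)
    return loader(model_id, trust_remote_code=trust, revision=revision), trust
```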

Ray (GHSA-mw35-8rx3-xf9r) disclosed an RCE via Parquet Arrow Extension Type Deserialization. Ray Data registers custom Arrow extension types that call arrow_ext_deserialize on field metadata. The implementation passed these bytes directly to cloudpickle.loads(), achieving arbitrary code execution during schema parsing. This affects any pipeline reading untrusted Parquet files via Ray.

LangChain also faced SSRF issues (CVE-2026-41481, CVE-2026-41488) where URL validation was bypassed via redirects or DNS rebinding during image token counting. While lower severity than RCE, these vulnerabilities allow attackers to access internal metadata services, potentially leaking cloud credentials that can lead to further compromise.
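The two failure modes named above, a deny list that is not applied to redirect targets and a host whose DNS answer changes between check and use, both come down to validating the wrong thing. The following is an added example (not Flowise or LangChain code) of an outbound fetch that resolves once, rejects any non-public answer, connects to the pinned address, and re-validates every redirect hop; `do_request` is a caller-supplied callable (an assumption, so the example runs offline) that must open its socket to the pinned IP and send the original host in the Host header.

```python
import ipaddress
import socket
from urllib.parse import urlsplit, urljoin


def is_public_ip(ip: str) -> bool:
    """True only for globally routable unicast addresses: rejects loopback,
    RFC1918, link-local (169.254.169.254 metadata), ULA, multicast, etc."""
    addr = ipaddress.ip_address(ip)
    return addr.is_global and not addr.is_multicast


def pin_target(url, resolver=socket.getaddrinfo):
    """Validate scheme and host, resolve ONCE, and return (host, ip, port, path).
    Every resolved address must be public; a mixed answer set is rejected,
    since "check the first IP" is exactly what DNS rebinding abuses."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError(f"unsupported URL: {url!r}")
    port = parts.port or (443 if parts.scheme == "https" else 80)
    # Literal IPs take the same path, so http://169.254.169.254/ is caught too.
    ips = {info[4][0] for info in resolver(parts.hostname, port, type=socket.SOCK_STREAM)}
    if not ips or not all(is_public_ip(ip) for ip in ips):
        raise ValueError(f"{parts.hostname} resolves to a non-public address: {sorted(ips)}")
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    return parts.hostname, sorted(ips)[0], port, path


def fetch_pinned(url, do_request, resolver=socket.getaddrinfo, max_redirects=3):
    """Follow redirects by hand so every hop is re-validated (auto-redirect is
    the bypass). `do_request(host, ip, port, path)` must open the socket to
    `ip` (never re-resolve `host`), send `host` in the Host header, and return
    (status, location_header, body); it is injected here to stay offline."""
    for _ in range(max_redirects + 1):
        host, ip, port, path = pin_target(url, resolver)
        status, location, body = do_request(host, ip, port, path)
        if status not in (301, 302, 303, 307, 308):
            return status, body
        if not location:
            raise ValueError("redirect without Location header")
        url = urljoin(url, location)  # relative Location stays on the same host
    raise ValueError("too many redirects")
```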

LLM Ops & Platform Security

Operational platforms managing LLM workflows also faced significant challenges. Langflow disclosed multiple issues, including a Denial of Service via unrestricted file upload (GHSA-vvfc-fp59-m92g) and cleartext storage of authentication settings (GHSA-9jpj-cph8-w449). Notably, the advisory for the DoS vulnerability states that the exploit has been released to the public, increasing the likelihood of opportunistic attacks against unpatched instances.

LiteLLM faced a critical SQL Injection in proxy API key verification (GHSA-r75f-5x8p-qvmc) and authenticated command execution via MCP stdio test endpoints (GHSA-v4p8-mg3p-g94g). The SQL injection allowed unauthenticated attackers to read or modify the proxy’s database, potentially granting them access to all managed API keys. The MCP test endpoint issue allowed any authenticated user to spawn subprocesses on the proxy host, blurring the line between configuration and execution.
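Why a key-verification lookup is such a dangerous place for string-built SQL: the Authorization header is the one input every unauthenticated caller controls, and it is consulted before any other check. The following is an added example, not LiteLLM code, with a constructed in-memory key table: `verify_key_unsafe` interpolates the bearer token into the statement, `verify_key` binds it as a parameter.

```python
import sqlite3


def make_key_db():
    """Constructed sample: the proxy's key table, in memory."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE api_keys (token TEXT PRIMARY KEY, team TEXT, max_budget REAL)")
    db.executemany("INSERT INTO api_keys VALUES (?, ?, ?)",
                   [("sk-aaaa1111", "team-a", 10.0), ("sk-bbbb2222", "team-b", 250.0)])
    return db


def bearer_token(authorization: str):
    """Extract the token from 'Authorization: Bearer <token>'; None if malformed.
    Everything after the scheme is attacker-controlled and unauthenticated."""
    scheme, _, token = authorization.strip().partition(" ")
    token = token.strip()
    return token if scheme.lower() == "bearer" and token else None


def verify_key_unsafe(db, authorization):
    """VULNERABLE: the header value becomes part of the SQL text, so a token
    containing quotes rewrites the WHERE clause and can match any row."""
    token = bearer_token(authorization)
    if token is None:
        return None
    sql = f"SELECT token, team, max_budget FROM api_keys WHERE token = '{token}'"
    return db.execute(sql).fetchone()


def verify_key(db, authorization):
    """FIXED: the token is bound as a parameter, so it is only ever compared
    as data; the statement text is constant regardless of the header."""
    token = bearer_token(authorization)
    if token is None:
        return None
    return db.execute(
        "SELECT token, team, max_budget FROM api_keys WHERE token = ?", (token,)
    ).fetchone()
```

The same parameter binding applies to every other place the proxy looks keys up (spend tracking, team membership); one string-built query anywhere on the pre-auth path is enough.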

These vulnerabilities highlight the risk of “management planes” in AI infrastructure. When the tool used to manage AI keys and workflows is itself vulnerable to RCE or SQLi, the entire AI estate is compromised.

What to do this week

  1. Patch Flowise Immediately: Upgrade all Flowise instances to version 3.1.0. If immediate patching is not possible, isolate instances from public networks and disable public chatflow endpoints.
  2. Rotate Credentials: Assume any API keys, OAuth tokens, or database credentials stored in Flowise, Langflow, or LiteLLM prior to this week are compromised. Rotate them across all providers (OpenAI, Anthropic, AWS, etc.).
  3. Audit CI/CD AI Tools: Review Gemini CLI, Claude Code, and similar tools in your pipelines. Ensure they are updated to the latest versions that enforce workspace trust strictly. Do not run these tools on untrusted repositories without sandboxing.
  4. Restrict Model Sources: Configure InstructLab and similar training pipelines to refuse loading with trust_remote_code=True unless the model source is explicitly allowlisted. Implement network egress filtering for model loading services.
  5. Review MCP Configurations: If using Model Context Protocol (MCP) servers, audit configurations for arbitrary command execution risks. Ensure stdio servers are not spawned with elevated privileges or access to sensitive environment variables like NODE_OPTIONS.
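A starting point for step 5, as an added example (not Flowise, LiteLLM or any MCP client's code): an audit over an MCP client configuration that flags stdio servers whose command is a shell or off the allowlist, whose args pass inline code to an interpreter, or whose env carries loader-altering variables such as NODE_OPTIONS or hands a secret to the spawned process. The `mcpServers` / `command` / `args` / `env` layout is the common client convention and is assumed here; the sample config is constructed.

```python
import os

# Environment keys that change how an interpreter or loader behaves, and so
# turn a "harmless" stdio server into arbitrary code execution on the host.
RISKY_ENV = {"NODE_OPTIONS", "LD_PRELOAD", "LD_LIBRARY_PATH", "DYLD_INSERT_LIBRARIES",
             "PYTHONPATH", "PYTHONSTARTUP", "PERL5OPT", "RUBYOPT"}
SHELLS = {"sh", "bash", "zsh", "dash", "cmd", "cmd.exe", "powershell", "powershell.exe", "pwsh"}
INLINE_EVAL_FLAGS = {"-c", "-e", "--eval", "-Command"}

# Constructed sample in the common client layout ({"mcpServers": {name: {...}}}).
SAMPLE_CONFIG = {
    "mcpServers": {
        "files": {"command": "npx", "args": ["-y", "@modelcontextprotocol/server-filesystem", "/srv/data"]},
        "shell": {"command": "/bin/sh", "args": ["-c", "cat /srv/data/notes.txt"]},
        "node-server": {"command": "node", "args": ["server.js"],
                        "env": {"NODE_OPTIONS": "--max-old-space-size=4096", "API_TOKEN": "<placeholder>"}},
        "remote": {"url": "https://mcp.example.internal/sse"},
    }
}


def audit_mcp_config(config: dict, allowed_commands: set) -> list:
    """Return (server_name, finding) pairs for every stdio server that departs
    from the allowlist or can be steered into running arbitrary code."""
    findings = []
    for name, server in config.get("mcpServers", {}).items():
        command = server.get("command")
        if not command:
            continue  # url-based servers are a separate (network) review
        base = os.path.basename(command).lower()
        if base in SHELLS:
            findings.append((name, f"command is a shell ({command}): arbitrary commands"))
        elif base not in allowed_commands:
            findings.append((name, f"command {command!r} is not on the allowlist"))
        if any(arg in INLINE_EVAL_FLAGS for arg in server.get("args", [])):
            findings.append((name, "args pass inline code to the interpreter"))
        for key in server.get("env", {}):
            if key.upper() in RISKY_ENV:
                findings.append((name, f"env {key} alters loader/interpreter behaviour"))
            elif any(s in key.upper() for s in ("TOKEN", "SECRET", "PASSWORD", "KEY")):
                findings.append((name, f"env {key} hands a secret to the spawned process"))
    return findings
```

Run it against each client's config file after `json.load`; a clean result is the baseline to diff future edits against, since an agent that can edit its own server list (the Paperclip and OpenClaw pattern above) will show up as a new entry.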

What to watch next week

Next week, we expect further disclosures related to the Model Context Protocol (MCP) as adoption accelerates. The pattern of vulnerabilities in Flowise and LiteLLM suggests that MCP integration is currently outpacing security hardening. Additionally, monitor for patches regarding the Ray Parquet deserialization issue, as data pipeline compromises can be difficult to detect. Finally, keep an eye on agentic frameworks; as agents gain more autonomy, expect more research into “consent bypass” techniques where models convince tools to override safety settings.
