On June 24, 2026, Trend Micro published advisory ZDI-26-365, documenting an arbitrary remote code execution vulnerability in FlowiseAI's CSV Agent. The flaw, discovered on February 24, 2026 by researcher @NZubrisky and coordinated with the vendor, allows a remote attacker to inject Python code via the customReadCSV parameter and execute it in the service account context, bypassing the authentication mechanism. The case urgently raises a question that runs through the entire low-code AI ecosystem: when a platform promises to "simplify" data processing by generating and executing code dynamically, who controls what actually runs?
- Vulnerability ZDI-26-365 affects the run method of FlowiseAI's CSV_Agents class, where unvalidated user-supplied strings feed Python code execution
- Authentication required to access the functionality is bypassable, according to the ZDI advisory
- Malicious code executes in the context of the service account of the system hosting Flowise
- The patch, released in GitHub commit #5836, adds the validatePythonCodeForDataFrame function to block unsafe constructs in the customReadCSVFunc parameter
The Mechanism: From customReadCSV to Arbitrary Execution
The core of the flaw lies in how the CSV Agent handles the customReadCSV parameter. This option allows users to supply custom Python code for CSV file processing, a legitimate capability in a platform that aims to offer flexibility without requiring programming expertise. According to advisory ZDI-26-365, the problem "results from the lack of proper validation of a user-supplied string before using it to execute Python code".
The Python code executes in a Pyodide environment, a Python interpreter compiled to WebAssembly that runs in the browser. Pyodide provides a partial sandbox, but the security of this model depends entirely on the input code being controlled. When the platform accepts arbitrary strings and passes them directly to execution, the boundary between "user flexibility" and "remote execution" dissolves.
The technical specificity matters: the flaw is not a generic parsing error, but a missing validation located in the run method of a specific class, CSV_Agents. This precision indicates a defined and, in theory, containable attack surface, had validation been implemented correctly from the design stage.
"This vulnerability allows remote attackers to execute arbitrary code on affected installations of Flowise" — ZDI Advisory 26-365
The Authentication Bypass: When Access Control Is Not Enough
Advisory ZDI-26-365 contains an element that significantly elevates the vulnerability's severity: authentication, while technically required to access the compromised functionality, "can be bypassed". Trend Micro's explicit wording indicates the perimeter protection mechanism does not constitute an effective obstacle to exploitation.
This aspect transforms a potential authenticated vulnerability into an exposed attack surface. Low-code platforms like Flowise are often deployed in internal environments, with the implicit assumption that the corporate network or access credentials are sufficient to contain risk. When authentication is bypassable, this trust model collapses: the attacker needs neither valid credentials nor privileged network access.
The advisory does not detail the bypass technique. This gap prevents assessing the attack's complexity and replicability under specific conditions. The dossier does not document whether the bypass exploits a separate vulnerability in Flowise's authentication system, a common configuration weakness, or an architectural design flaw.
The Low-Code LLM Platform Context: Generated Code, Executed Code
FlowiseAI represents a growing category of tools that democratize access to LLM agents through visual interfaces and parametric configurations. The user builds drag-and-drop workflows, the platform generates the underlying code, and this code executes to produce results. The offloading model — delegating technical complexity to the platform — is the value proposition, but also the point of maximum fragility.
The CSV Agent embodies this tension emblematically. CSV file processing is a routine operation in enterprise contexts; the ability to customize it with Python code expands the scope of action, but introduces a dynamic execution vector that low-code interfaces do not make visible to the end user. Whoever configures the agent sees an optional field to "customize CSV reading"; what the platform executes is Python code with service account privileges.
This architecture is not specific to Flowise. Analogous platforms — LangChain-based, LLM orchestration frameworks, data preparation tools with scriptable components — share the same attack surface: user-generated or user-configured code, executed in environments with access to system data and resources. Vulnerability ZDI-26-365 documents a concrete instance of a category problem.
Immediate Actions
For operators managing Flowise installations, three actions are priorities based on available data. First: verify the presence of commit #5836 in the active installation, identifying whether the source code includes the validatePythonCodeForDataFrame function in the CSV Agent's processing path. Second: in the absence of the patch, disable the customReadCSV functionality or restrict its access to isolated test environments, given that advisory ZDI-26-365 identifies this parameter as the vulnerability's entry point.
Third: monitor CSV Agent execution logs for anomalous strings in the customReadCSVFunc field, particularly constructs that exceed standard pandas CSV read operations. The advisory does not provide specific indicators of compromise, but the nature of the Python injection means that payloads stand out when they contain module imports or system calls atypical for the intended use case.
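One way to implement the third action is sketched below as an added example; it is not Flowise's validatePythonCodeForDataFrame and not code from the advisory. It parses each logged customReadCSVFunc value with Python's ast module and reports anything beyond a plain pandas read. The allowlists, the function names and the JSON-lines log layout are assumptions, and the sample records are constructed.

```python
import ast
import json

# Assumptions: a CSV-reading snippet needs only these imports and calls.
ALLOWED_IMPORTS = {"pandas", "io"}
ALLOWED_CALLS = {"pd.read_csv", "pandas.read_csv", "read_csv", "io.StringIO", "StringIO"}

def dotted(node):
    """Return 'a.b.c' for a Name/Attribute chain, None for anything else."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if not isinstance(node, ast.Name):
        return None
    return ".".join(reversed(parts + [node.id]))

def audit_snippet(code):
    """List reasons a snippet exceeds a plain pandas CSV read (empty = OK)."""
    try:
        tree = ast.parse(code)
    except SyntaxError:
        return ["unparseable"]
    findings = []
    for node in ast.walk(tree):
        mods = []
        if isinstance(node, ast.Import):
            mods = [alias.name for alias in node.names]
        elif isinstance(node, ast.ImportFrom):
            mods = [node.module or "."]
        findings += [f"import:{m}" for m in mods
                     if m.split(".")[0] not in ALLOWED_IMPORTS]
        if isinstance(node, ast.Call) and dotted(node.func) not in ALLOWED_CALLS:
            findings.append(f"call:{dotted(node.func) or '<dynamic>'}")
        if isinstance(node, ast.Attribute) and node.attr.startswith("__"):
            findings.append(f"dunder:{node.attr}")
    return findings

def scan_log(lines, field="customReadCSVFunc"):
    """Return [(line_no, findings)] for JSON log lines with a suspicious field."""
    hits = []
    for no, line in enumerate(lines, 1):
        findings = audit_snippet(json.loads(line).get(field) or "")
        if findings:
            hits.append((no, findings))
    return hits

# Constructed sample records; the JSON-lines layout is an assumption.
SAMPLE_LOG = [
    json.dumps({"customReadCSVFunc": "import pandas as pd\ndf = pd.read_csv(csv_data, sep=';')"}),
    json.dumps({"customReadCSVFunc": "import socket\ndf = pd.read_csv(csv_data)\nsocket.gethostname()"}),
]
print(scan_log(SAMPLE_LOG))
```

Because the check is an allowlist, legitimate snippets that use other pandas helpers will be reported until those calls are added to ALLOWED_CALLS.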
The lack of explicit affected versions in the advisory and the absence of CVE and CVSS complicate automatic prioritization in vulnerability management systems. Operators must therefore proceed with manual verification of source code or containers in use, rather than relying solely on scanners based on formal identifiers.
The Research Footprint: From Trend Micro to the Fix Commit
The coordinated disclosure follows Trend Micro Zero Day Initiative's standard timeline: vendor notification on February 24, 2026, public release on June 24, 2026 after the coordination period. Researcher @NZubrisky is credited for the discovery; full identity is not documented in the advisory.
The GitHub patch commit independently corroborates the vulnerability's nature. The addition of validatePythonCodeForDataFrame in the customReadCSVFunc parameter's processing path confirms that the entry point identified by ZDI corresponds to a real functionality and that the mitigation targets exactly that flow. The consistency between advisory and fix implementation reinforces the technical description's validity.
The patch does not eliminate the customReadCSV functionality, but surrounds it with validation: an approach that preserves user flexibility while introducing a security control. The choice to limit constructs to "safe pandas read_csv operations" indicates a risk assessment in which full Python language functionality is considered excessively exposed for the intended use case.
FAQ
What is the difference between execution in Pyodide and RCE on the host?
Pyodide executes Python in WebAssembly in the browser, offering partial isolation. Vulnerability ZDI-26-365 allows arbitrary code execution "on affected installations of Flowise", but the advisory does not specify whether the payload escapes the Pyodide sandbox or operates within it with access to flow data. The execution context is the system's service account.
Why are CVE and CVSS missing from the advisory?
Advisory ZDI-26-365 does not report an assigned CVE identifier or CVSS score. This does not invalidate the vulnerability, but reflects possible MITRE assignment timelines or a choice of priority disclosure over formal cataloging. The GitHub patch commit nevertheless provides a verifiable technical reference point.
Are Flowise cloud installations affected?
The advisory refers to "affected installations of Flowise" without distinguishing between self-hosted deployments and managed services. The dossier does not specify whether FlowiseAI's official cloud platform has applied the patch independently or manages its update automatically.
Information is based on the cited source and current as of publication.
Sources
- http://www.zerodayinitiative.com/advisories/ZDI-26-365/
- http://www.zerodayinitiative.com/advisories/published/
- https://github.com/FlowiseAI/Flowise/commit/0c8236ac9a9720725e135603f4a54f7d7d6646ac