On 2026-07-11, Metasploit integrated two concrete, verified exploit modules into its framework: one for CVE-2026-41264, an unauthenticated RCE in FlowiseAI, and one for CVE-2024-27822, a local privilege escalation on macOS via PackageKit. Both lower the barrier for resource-constrained attackers: the first directly exposes the server infrastructure of AI applications, the second allows a local user to obtain root on unpatched Apple workstations.
- CVE-2026-41264 is an unauthenticated RCE in the
runmethod of FlowiseAI'sCSV_Agentsclass, caused by a lack of sandboxing when executing LLM-generated Python code. - Affected FlowiseAI versions range from 1.3.0 to 3.0.13; the module achieved a verified Meterpreter session on Flowise 3.0.13 in a Docker container.
- CVE-2024-27822 exploits ZSH environment inheritance in PackageKit: a PKG with a ZSH shebang executes the user's
~/.zshenvwith root privileges. - Vulnerable macOS versions are 14.4, 13.6.6, 12.7.4, and 11 and earlier; fixes are available in releases 14.5, 13.6.7, and 12.7.5.
How the FlowiseAI Exploit Works: Blind Trust in LLM Code
The module for CVE-2026-41264, released via PR #21407, targets FlowiseAI's CSV Agent, a feature that automatically generates Python code to analyze CSV files. According to the module's source code description, "the specific flaw exists within the run method of the CSV_Agents class. The issue results from the lack of proper sandboxing when evaluating an LLM generated python script".
The mechanism is straightforward: the attacker uploads a CSV file containing a prompt injection that induces the model to generate arbitrary Python payloads. The server executes that code without isolation, in the context of the user running Flowise. The Rapid7 blog notes that "the CSV Agent feature evaluates LLM-generated Python code without proper sandboxing, allowing a prompt injection to achieve arbitrary code execution as the user running the server".
A technically relevant detail concerns access requirements. The module requires an API key with the chatflows:create permission, but — as documented by Rapid7 — "does not require Flowise authentication to trigger the underlying flaw". This distinction is operationally significant: the barrier is not authentication to the system, but possession of an API key with specific privileges, which can be exposed, stolen, or in some cases predefined in test configurations.
Technical evidence includes a verified Meterpreter session output: [*] Meterpreter session 1 opened (192.168.56.1:4444 -> 192.168.56.17:33468) at 2026-05-05 14:09:24 +0900. The test was conducted on Flowise 3.0.13 in a Docker container. The module code implements a version check that flags Appears for all releases from 1.3.0 (when the CSV Agent was introduced) through 3.0.13.
The macOS Privilege Escalation: When ZSH Inherits Too Much
The second module, for CVE-2024-27822, exploits a behavior in PackageKit.framework on macOS. When a PKG installer contains a script with a ZSH shebang, PackageKit executes it as root while inheriting the installing user's environment. This causes the user's ~/.zshenv to load with elevated privileges.
PR #21499 describes the mechanism explicitly: "PKG installer scripts using a ZSH shebang are executed as root while inheriting the installing user's environment. This causes ZSH to load the user's ~/.zshenv with root privileges". A local user with control over that file can insert arbitrary commands that will execute in a root context during the installation of an apparently legitimate package.
The module was successfully tested on macOS 11.7.11, with explicit confirmation: [+] The target appears to be vulnerable. macOS 11.7.11 (11 and older) is vulnerable, followed by root shell acquisition. Confirmed vulnerable versions are macOS 14.4, 13.6.6, 12.7.4, and 11 and earlier. Apple shipped fixes in releases 14.5, 13.6.7, and 12.7.5.
The vector requires user interaction: the user must approve the PKG installation and authenticate. This does not mitigate the risk in enterprise environments where limited-privilege users regularly install software, or where social engineering techniques induce execution of malicious packages.
"Authentication is not required to exploit this vulnerability. The specific flaw exists within the run method of the CSV_Agents class. The issue results from the lack of proper sandboxing when evaluating an LLM generated python script."
— Takahiro-Yoko, PR #21407, Metasploit module for CVE-2026-41264
Why the AI Attack Surface Has Become Operational
The FlowiseAI case is not an abstract LLM vulnerability: it is a remote execution flaw caused by a convenience feature — automatic CSV analysis — implemented without isolation of generated code. This pattern repeats across many AI orchestration frameworks, where prototyping speed trumps security controls.
The availability of the Metasploit module turns a theoretical vulnerability into a reproducible, automatable weapon. Threat operators no longer need to develop custom exploits: they select the module, supply the API key, and obtain a session. For defenders, this means detection must cover not only anomalous access to Flowise, but the execution of Python child processes spawned by the server with suspicious behavioral patterns.
What to Do Now
- Verify FlowiseAI version: releases from 1.3.0 to 3.0.13 are vulnerable; update beyond 3.0.13 if available, or disable the CSV Agent in exposed environments.
- Audit API keys with
chatflows:createpermission: restrict distribution, monitor usage, and revoke unnecessary or suspicious keys. - Update macOS to versions 14.5, 13.6.7, or 12.7.5 per the branch in use; earlier releases remain exposed to CVE-2024-27822.
- Monitor execution of PKG installers with ZSH shebangs in enterprise environments, considering the risk profile on workstations with non-admin local users.
The Takeaway: When AI Tooling Becomes a Direct Vector
The convergence of AI frameworks and attack frameworks marks a turning point. It is no longer about hypothesizing prompt injection scenarios in a lab: it is about ready-to-use modules that exploit implicit trust in automatically generated code. FlowiseAI is one of many tools enabling rapid AI application construction; its exposure reflects a structural tension in the sector, where compressed development timelines produce novel attack surfaces.
For this newsroom, the most significant data point is the PoC date: May 2026 for Flowise, with Metasploit integration in July. The two-month arc from proof of concept to availability in the main framework indicates growing standardization of exploit chains for AI infrastructure. Defenders must adapt incident response playbooks to a perimeter that now explicitly includes the server executing the model's code.
Frequently Asked Questions
- Does CVE-2026-41264 require authentication to Flowise?
- No. The module requires an API key with
chatflows:createpermission, but does not require Flowise authentication to trigger the underlying vulnerability, per the Rapid7 blog and module code. - Why does the macOS module require user interaction?
- Because PKG installation on macOS requires user approval and authentication. The exploit triggers when the legitimate user completes these steps.
- Is there an official CVSS score for these vulnerabilities?
- Primary sources do not report official CVSS scores for CVE-2026-41264 or CVE-2024-27822. The dossier does not document assignments from the National Vulnerability Database.
Sources
- https://www.rapid7.com/blog/post/pt-weekly-metasploit-update-exploits-for-flowiseai-csv-agent-and-macos-package-kit
- https://github.com/rapid7/metasploit-framework/pull/21473
- https://github.com/rapid7/metasploit-framework/pull/21407
- https://github.com/rapid7/metasploit-framework/pull/21499
- https://github.com/rapid7/metasploit-framework/pull/21416
- https://github.com/rapid7/metasploit-framework/pull/21436
Information verified against cited sources and current as of publication.