Flowise patches unauthenticated RCE in Airtable Agent node
TL;DR — Flowise’s Airtable Agent can be turned into an unauthenticated RCE primitive when attacker-controlled prompts cause the server to execute a malicious, LLM-generated Python script.
What happened
Flowise is an open-source low-code platform for building LLM apps and “chatflows”, typically exposed via an HTTP server used by developers to assemble agent pipelines.
GitHub-reviewed advisory GHSA-v38x-c887-992f describes a Critical remote code execution vulnerability in the Airtable_Agents node’s run path. The node generates a system prompt that asks an LLM to output Python code (stored as pythonCode), then evaluates that Python inside a Pyodide environment on the server. The implementation attempts to block dangerous behavior using a denylist-based validator (validatePythonCodeForDataFrame() with FORBIDDEN_PATTERNS), but the advisory shows the validation can be bypassed (example: importing a forbidden module while also importing an allowed one and abusing aliases).
The result is a high-risk pattern: model output becomes executable code on the server with only regex-based safeguards, creating a “prompt injection → code execution” pipeline. This is increasingly common in agent frameworks, and it tends to fail catastrophically when the guardrails are denylist-driven rather than enforced by a real sandbox.
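The gap described above, as an added example (not code from Flowise or the advisory): a hypothetical regex denylist accepts an aliased multi-module import, while an AST-based allowlist checks every imported name on its own. The patterns, allowlist, banned names and sample inputs are constructed for illustration, and a static check like this complements a real sandbox rather than replacing it.

```python
import ast
import re

# Hypothetical denylist, constructed for this example (not Flowise's FORBIDDEN_PATTERNS).
NAIVE_DENYLIST = [re.compile(r"^\s*import\s+(os|subprocess|sys)\b", re.M),
                  re.compile(r"^\s*from\s+(os|subprocess|sys)\b", re.M)]

# Assumed allowlist for a DataFrame-only workload.
ALLOWED_MODULES = {"pandas", "numpy"}
BANNED_NAMES = {"__import__", "eval", "exec", "compile", "open", "getattr", "globals"}


def naive_denylist_ok(code: str) -> bool:
    """Regex denylist: accepts anything that matches no forbidden pattern."""
    return not any(p.search(code) for p in NAIVE_DENYLIST)


def allowlist_violations(code: str) -> list[str]:
    """Parse the code and report every construct outside the allowlist."""
    try:
        tree = ast.parse(code)
    except SyntaxError as exc:
        return [f"unparseable: {exc.msg}"]
    problems = []
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            # Every alias in 'import a as x, b as y' is checked on its own.
            for alias in node.names:
                if alias.name.split(".")[0] not in ALLOWED_MODULES:
                    problems.append(f"import of {alias.name}")
        elif isinstance(node, ast.ImportFrom):
            root = (node.module or "").split(".")[0]
            if node.level or root not in ALLOWED_MODULES:
                problems.append(f"from-import of {node.module}")
        elif isinstance(node, ast.Name) and node.id in BANNED_NAMES:
            problems.append(f"use of {node.id}")
        elif isinstance(node, ast.Attribute) and node.attr.startswith("__"):
            problems.append(f"dunder attribute {node.attr}")
    return problems


# Constructed sample inputs: benign code, and an aliased multi-module import.
BENIGN = "import pandas as pd\nresult = len(pd.DataFrame({'a': [1, 2]}))"
ALIASED = "import pandas as pd, os as o\nresult = 0"

if __name__ == "__main__":
    for name, src in (("benign", BENIGN), ("aliased", ALIASED)):
        print(name, naive_denylist_ok(src), allowlist_violations(src))
```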
Who is impacted
- Deployments using Flowise packages where chatflows can be reached by untrusted or semi-trusted users (e.g., public demos, partner-facing agents, internal tools exposed beyond the trusted network boundary).
- The advisory states authentication is not required to exploit the issue.
| Package | Affected versions (per advisory) | Patched versions (per advisory) |
|---|---|---|
| flowise (npm) | <= 3.0.13 | 3.1.0 |
| flowise-components (npm) | <= 3.0.13 | 3.1.0 |
What to do now
- Follow vendor remediation guidance and move to the advisory’s patched versions. "Patched versions" are listed as 3.1.0 for both flowise and flowise-components.
- Inventory where Flowise is running (containers, VMs, developer workstations) and map deployed versions to the affected range.
- Treat any internet- or partner-reachable Flowise instance as high priority; the advisory explicitly describes unauthenticated exploitation.
- If compromise is suspected, assume attacker code executed with the privileges of the Flowise server process and rotate any secrets reachable from that runtime (API keys, database credentials, cloud tokens).
Additional Information
- The advisory references Trend Micro ZDI tracking (ZDI-CAN-29412) and notes this issue as a bypass in the broader “sanitize generated Pyodide code” approach, highlighting the fragility of regex-based, denylist-style validation for LLM-produced code.
- GitHub lists no known CVE for this GHSA at publication time.
